Hacking Notes
tshark

tshark is the terminal front end to Wireshark's dissectors. It reads the same capture files and accepts the same display filters as the GUI, which makes it the tool of choice for scripting packet analysis and for working over SSH where no GUI is available.

The command below reads a pcap, keeps only ICMP packets whose source address is 192.168.1.1, and prints the payload each one carries (the `data.data` field, emitted as a hex string, one line per packet). Protocol and field names in display filters are lowercase, so the filter is `icmp`, not `ICMP`. A normal ping carries a fixed, predictable payload; anything else in this field is worth a closer look, since ICMP is a common covert channel for tunnelling and exfiltration.

tshark -r packets.pcap -Y "ip.src == 192.168.1.1 && icmp" -T fields -e data.data
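The field output above is hex, so the "additional analysis" step needs something to turn it back into bytes. The function below is an added example, not part of the original notes: it takes the lines tshark prints for `-e data.data` (with or without the colon byte separators older builds use), decodes each packet's payload, and prints its length next to a printable rendering so a payload carrying text stands out from the fixed ping pattern. The sample input is constructed to look like tshark output for two echo requests and a packet with no data field.

```shell
#!/bin/sh
# Added example: post-process `tshark ... -T fields -e data.data` output.
# Each input line is one packet's payload as hex ("61:62:..." on older tshark
# builds, "6162..." on newer ones); blank lines are packets without a data field.
# Output is one line per packet: "<byte count> <payload>", with non-printable
# bytes shown as '.' so the result is safe to view in a terminal.
decode_hex_payloads() {
  tr -d ':' | awk '
    BEGIN { for (i = 0; i < 256; i++) val[sprintf("%02x", i)] = i }
    NF == 0 { next }                      # packet had no data.data field
    {
      hex = tolower($1); out = ""; n = 0
      for (i = 1; i + 1 <= length(hex); i += 2) {
        b = val[substr(hex, i, 2)]; n++
        out = out sprintf("%c", (b >= 32 && b <= 126) ? b : 46)
      }
      printf "%d %s\n", n, out
    }'
}

# Constructed sample of what tshark prints for three packets: the 32-byte
# "abcdefghijklmnopqrstuvwabcdefghi" payload a Windows ping sends, a packet
# with no data field, and a payload carrying text (what an ICMP tunnel or
# exfiltration tool leaves behind).
sample_payloads() {
  printf '%s\n' \
    '61:62:63:64:65:66:67:68:69:6a:6b:6c:6d:6e:6f:70:71:72:73:74:75:76:77:61:62:63:64:65:66:67:68:69' \
    '' \
    '726f6f743a78000a'
}

# Against a real capture, replace sample_payloads with the tshark command from
# the notes:
#   tshark -r packets.pcap -Y "ip.src == 192.168.1.1 && icmp" -T fields -e data.data \
#     | decode_hex_payloads
sample_payloads | decode_hex_payloads
```

On a real capture the interesting lines are the ones whose length or content differs from the repeating ping pattern; sort the output with `sort | uniq -c` to see how many packets share each payload, since tunnelled data rarely repeats while benign pings always do.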

Capturing and reading packets

tshark -i eth0 -w packets.pcap    # Capture all packets on eth0 and save them to packets.pcap (needs capture privileges)
tshark -r packets.pcap -c10       # Read only the first 10 packets from packets.pcap
tshark -xr packets.pcap           # Print each packet as a hex + ASCII dump, like the GUI's bytes pane
tcpdump -Xr packets.pcap          # Same idea with tcpdump, which is more likely to be present on a minimal host

Summary Statistics

The `-z` options print a report after the packets have been read. Add `-q` so tshark prints only the report and not every packet as well.

tshark -z help                                    # List every available statistics report
tshark -r packets.pcap -q -z conv,ip              # IP conversations in the pcap: endpoints, packets and bytes each way
tshark -r packets.pcap -q -z http,tree            # Breakdown of HTTP requests and responses
tshark -r http.pcap -q -z follow,tcp,ascii,0      # Follow TCP stream index 0 as ASCII, like "Follow TCP Stream" in the GUI
tshark -r packets.pcap -q -z follow,udp,ascii,10.1.1.1:52344,10.1.1.2:53        # Follow a UDP stream chosen by its endpoints instead of a stream index

# More reports worth knowing (use as the argument to -z)
ip_hosts,tree        # Every IP address seen in the capture with packet and byte counts
io,phs               # Protocol hierarchy: which protocols appear and how much traffic each carries
http,tree            # Stats for HTTP requests and responses
http_req,tree        # Stats for HTTP requests only, grouped by host and URI
smb,srt              # SMB service response times, useful for reconstructing Windows file-share activity
endpoints,wlan       # Every 802.11 endpoint seen in a wireless capture
expert               # Expert info: errors, warnings, notes and chats the dissectors flagged

Timestamp format

tshark -r packets.pcap -t ad        # Absolute time (in local time zone) with date
tshark -r packets.pcap -t ud        # Absolute time (UTC) with date packet was captured
tshark -r packets.pcap -t e         # Epoch time
Last updated 4 years ago