tshark examples

Packet display rules

tshark -Y "ip.addr == 192.168.0.1" -r /tmp/capture.cap

-Y applies a display filter in a single pass (tshark 1.10 and later). Older releases used -R for this; in current tshark -R is a two-pass read filter and must be combined with -2, so wherever an old example shows -R with a display filter, -Y is the direct replacement.

"Ethernet address 00:08:15:00:08:15"                    eth.addr == 00:08:15:00:08:15
"Ethernet type 0x0806 (ARP)"                            eth.type == 0x0806
"Ethernet broadcast"                                    eth.addr == ff:ff:ff:ff:ff:ff
"No ARP"                                                not arp
"IP only"                                               ip
"IP address 192.168.0.1"                                ip.addr == 192.168.0.1
"IP address isn't 192.168.0.1, don't use != for this!"  !(ip.addr == 192.168.0.1)
"IPX only"                                              ipx
"TCP only"                                              tcp
"UDP only"                                              udp
"UDP port isn't 53 (not DNS), don't use != for this!"   !(udp.port == 53)
"TCP or UDP port is 80 (HTTP)"                          tcp.port == 80 || udp.port == 80
"HTTP"                                                  http
"No ARP and no DNS"                                     not arp and not (udp.port == 53)
"Non-HTTP and non-SMTP to/from 192.168.0.1"             not (tcp.port == 80) and not (tcp.port == 25) and ip.addr == 192.168.0.1

Why not !=: a packet carries two IP addresses (and two ports), and ip.addr != 192.168.0.1 is true whenever either of them differs, which holds for practically every packet to or from that host, so the filter removes nothing. Negating the equality, !(ip.addr == 192.168.0.1), is true only when neither address matches. Wireshark and tshark 3.6 and later changed != to mean !(a == b), but the explicit negation behaves correctly on every version.

tshark -Y "http.response and http.content_type contains image" \
    -z "proto,colinfo,http.content_length,http.content_length" \
    -z "proto,colinfo,http.content_type,http.content_type" \
    -r /tmp/capture.tmp

http://www.packetlevel.ch/

To create a ";"-separated file with source IP, source port, destination IP and destination port of every connection initiated with a SYN (SYN set, ACK clear), use the options -T, -E and -e (see the man page for details):

tshark -n -r capturefile.dmp -T fields -E separator=';' -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -Y 'tcp.flags.syn == 1 and tcp.flags.ack == 0'
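Once the SYN records are in that ';'-separated form they are easy to mine. The following is an added example, not part of the original post: it reads such records and reports source/destination pairs where one source sent SYNs to many distinct destination ports on the same host, a simple port-scan indicator. The threshold and the sample records are constructed for the demonstration; the field layout is exactly what the tshark command above prints.

```shell
#!/bin/sh
# Added example (not from the original post): flag sources that send SYNs to
# many distinct destination ports of one host, using the ';'-separated output
# of
#   tshark -n -r capture.dmp -T fields -E separator=';' \
#       -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport \
#       -Y 'tcp.flags.syn == 1 and tcp.flags.ack == 0'
# Each input line looks like:  src;sport;dst;dport

flag_scanners() {
    # $1 = minimum number of distinct destination ports per (src,dst) pair
    #      to report (default 10); records are read from stdin
    threshold="${1:-10}"
    awk -F ';' -v min="$threshold" '
        # ignore malformed lines or lines where a field was not decoded
        NF == 4 && $1 != "" && $3 != "" && $4 != "" {
            key = $1 ";" $3
            # count each destination port once per (src,dst) pair
            if (!seen[key ";" $4]++) ports[key]++
        }
        END {
            for (k in ports)
                if (ports[k] >= min) print k ";" ports[k]
        }' | sort
}

# Constructed sample: 10.0.0.5 probes four ports on 10.0.0.20 (one of them
# twice), 10.0.0.9 makes two ordinary HTTPS connections.
SAMPLE_SYNS='10.0.0.5;40001;10.0.0.20;22
10.0.0.5;40002;10.0.0.20;80
10.0.0.5;40003;10.0.0.20;443
10.0.0.5;40004;10.0.0.20;3306
10.0.0.5;40005;10.0.0.20;22
10.0.0.9;51000;10.0.0.20;443
10.0.0.9;51001;10.0.0.21;443'

demo() {
    # prints "src;dst;distinct_ports" for pairs at or above the threshold
    printf '%s\n' "$SAMPLE_SYNS" | flag_scanners 3
}

demo
```

On real data pipe the tshark output straight into flag_scanners; a threshold in the tens is usually needed to avoid flagging busy clients that legitimately use several services on one server.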

Display http response codes:

tshark -o tcp.desegment_tcp_streams:TRUE -i eth0 -Y http.response -T fields -e http.response.code

Display Top 10 URLs

tshark -r sample1.cap -Y http.request -T fields -e http.host -e http.request.uri |
sed -e 's/?.*$//' | sed -e 's#^\(.*\)\t\(.*\)$#http://\1\2#' | sort | uniq -c | sort -rn | head

The first sed strips the query string, the second joins the tab-separated host and path into a URL (\t in a regular expression is a GNU sed extension).
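The sed pipeline above depends on GNU sed and turns a request whose Host header could not be extracted into a bare "http://" plus path. Here is an added example, not part of the original post, that does the same aggregation with awk, skips records without a host or URI, and runs on constructed sample lines in the tab-separated layout that tshark -T fields -e http.host -e http.request.uri prints.

```shell
#!/bin/sh
# Added example (not from the original post): build a "top requested URLs"
# list from tshark field output. Expected input is the output of
#   tshark -r capture.cap -Y http.request -T fields -e http.host -e http.request.uri
# i.e. one request per line, host and URI separated by a TAB.

top_urls() {
    # $1 = number of entries to keep (default 10); input on stdin
    limit="${1:-10}"
    awk -F '\t' '
        # skip lines where tshark could not extract a host or a URI
        NF < 2 || $1 == "" || $2 == "" { next }
        {
            uri = $2
            sub(/\?.*$/, "", uri)          # drop the query string
            print "http://" $1 uri
        }' | sort | uniq -c | sort -rn | head -n "$limit"
}

# Constructed sample: what tshark -T fields would print for five requests,
# the last of which has no Host header.
SAMPLE_REQUESTS="$(printf '%s\t%s\n' \
    'example.com' '/index.html' \
    'example.com' '/index.html?utm=1' \
    'example.com' '/login' \
    'cdn.example.net' '/a.js?v=3' \
    '' '/no-host')"

demo() {
    # prints "count URL" lines, most requested first
    printf '%s\n' "$SAMPLE_REQUESTS" | top_urls 3
}

demo
```

Only plaintext HTTP shows up here; requests inside TLS have no http.host or http.request.uri for tshark to extract unless the session keys are supplied.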

Display source IP and MAC address (comma separated)

tshark -i eth0 -n -e ip.src -e eth.src -T fields -E separator=, -Y ip

Display destination IP and MAC address (comma separated)

tshark -i eth0 -n -e ip.dst -e eth.dst -T fields -E separator=, -Y ip

Source and destination IP

tshark -i eth0 -n -e ip.src -e ip.dst -T fields -E separator=, -Y ip

Source and destination IPv6 (the IPv6 fields live under ipv6.*, not ip.*)

tshark -i eth0 -n -e ipv6.src -e ipv6.dst -T fields -E separator=, -Y ipv6

Source IP and DNS Query

tshark -i eth0 -n -e ip.src -e dns.qry.name -E separator=';' -T fields -Y 'dns.flags.response == 0' port 53

The capture filter port 53 also delivers the replies, which repeat the query name with the server as source; the display filter keeps only the queries.

Answer sequence numbers
To test whether a device uses random initial sequence numbers, I need the sequence number of the SYN-ACK packet. The -o option is required to override the Wireshark preference so that tshark prints the absolute sequence number rather than the relative one (newer versions also expose it directly as tcp.seq_raw). The capture filter tcp[13]=0x12 selects segments whose flags byte is exactly SYN+ACK.

tshark -n -i eth0 -e tcp.seq -T fields -o tcp.relative_sequence_numbers:FALSE 'host 192.168.1.1 and tcp[13]=0x12'

You can define the output columns of tshark with the column.format preference. Some samples:
display only the source and the destination IP

tshark -o column.format:'"Source", "%s", "Destination", "%d"' -T text

Samples:

tshark -i eth0 -c 100 -f "udp dst port 137" -T fields -t ad -e frame.time -e ip.src -e ip.dst -e nbns.id -e nbns.flags.opcode -e nbns.flags.rcode

(frame.time already carries date and time; there is no separate frame.date field.)

tshark -r samples.cap -o column.format:'"No.", "%m", "Info", "%i", "Len", "%Cus:tcp.len"'

tshark -r samples.cap -Ttext > outfile.txt

tshark -r samples.cap -o column.format:'"Source", "%s", "Destination", "%d"' -T text

tshark -r samples.cap -Y http.response.code==200 -T fields -e http.content_type

tshark -r samples.cap -Y dns.flags.response==0

Statistics from a capture file
io,stat takes an interval in seconds followed by one or more filters. A plain filter counts frames and bytes per interval; a filter prefixed with COUNT(), SUM(), MIN(), MAX() or AVG() of a field aggregates that field over each interval instead. Some samples:

tshark -r samples.cap -q -z io,stat,1,"COUNT(tcp.analysis.retransmission)tcp.analysis.retransmission && ip.addr==10.10.10.10" > stat.txt

tshark -r samples.cap -q -z io,stat,120,"ip.addr==194.134.109.48 && tcp","COUNT(tcp.analysis.retransmission)ip.addr==194.134.109.48 && tcp.analysis.retransmission"

tshark -r samples.cap -q -z io,stat,30,"COUNT(tcp.analysis.retransmission)tcp.analysis.retransmission"

tshark -r samples.cap -q -z io,stat,30,"COUNT(tcp.analysis.retransmission)tcp.analysis.retransmission",\
"AVG(tcp.window_size)tcp.window_size","MAX(tcp.window_size)tcp.window_size",\
"MIN(tcp.window_size)tcp.window_size"

tshark -r samples.cap -q -z io,stat,5,"COUNT(tcp.analysis.retransmission)tcp.analysis.retransmission",\
"COUNT(tcp.analysis.duplicate_ack)tcp.analysis.duplicate_ack",\
"COUNT(tcp.analysis.lost_segment)tcp.analysis.lost_segment",\
"COUNT(tcp.analysis.fast_retransmission)tcp.analysis.fast_retransmission"

tshark -r samples.cap -q -z io,stat,5,"MIN(tcp.analysis.ack_rtt)tcp.analysis.ack_rtt",\
"MAX(tcp.analysis.ack_rtt)tcp.analysis.ack_rtt","AVG(tcp.analysis.ack_rtt)tcp.analysis.ack_rtt"

tshark -r samples.cap -q -z ip_hosts,tree

tshark -r samples.cap -q -z conv,tcp

tshark -r samples.cap -q -z ptype,tree

MySQL snooping

tshark -i eth0 -a duration:60 -d tcp.port==3306,mysql -T fields -e mysql.query 'port 3306'

Logging all the queries with MySQL

1. Capture the MySQL traffic (tcpdump wants its options before the filter expression; use -s 0 instead of -s 1500 if the link carries VLAN tags or jumbo frames):
tcpdump -i eth0 -s 1500 -w tcpdump.out port 3306
2. Extract the queries:
tshark -r tcpdump.out -d tcp.port==3306,mysql -T fields -e mysql.query > query_log.out
3. Remove the blank lines and the redundant transaction statements:
grep -v -e '^$' -e '^commit' -e '^SET autocommit' -e '^rollback' query_log.out > query_log_no_blank.out

This only works while the clients talk to the server in the clear: on a TLS-protected connection the mysql dissector sees nothing and mysql.query stays empty. The resulting log also contains every literal the clients sent, credentials and personal data included, so treat query_log.out as sensitive.
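As an added example that is not part of the original post, here is the cleanup step in shell form extended with a literal-collapsing pass: quoted strings and numbers are replaced with ? so that identical query shapes can be counted, which makes an injected ' OR '1'='1' stand out from the ordinary WHERE id = ? queries. The grep list is the one from the post; the sample query log is constructed, and the literal syntax assumed is MySQL's single/double quoting with backslash escapes.

```shell
#!/bin/sh
# Added example (not from the original post): post-process the query log
# produced by
#   tshark -r tcpdump.out -d tcp.port==3306,mysql -T fields -e mysql.query
# first the way the post does (drop blanks, commit/rollback/SET autocommit),
# then collapse literals so query shapes can be counted.

clean_queries() {
    # stdin: one query per line; drops blank lines and transaction noise
    grep -v -i -e '^$' -e '^commit' -e '^rollback' -e '^SET autocommit'
}

fingerprint_queries() {
    # stdin: queries, one per line. Replaces single- and double-quoted
    # strings (with backslash escapes) and bare numbers with ?, then
    # squeezes whitespace, so queries differing only in values match.
    sed -E \
        -e "s/'([^'\\\\]|\\\\.)*'/?/g" \
        -e 's/"([^"\\]|\\.)*"/?/g' \
        -e 's/([^A-Za-z0-9_])[0-9]+/\1?/g' \
        -e 's/[[:space:]]+/ /g'
}

count_shapes() {
    # stdin: fingerprinted queries; prints "count shape", most frequent first
    sort | uniq -c | sort -rn
}

# Constructed sample log, as tshark would print it: blank lines, transaction
# statements and one query with an injected tautology.
SAMPLE_LOG="SELECT * FROM users WHERE id = 7

SELECT * FROM users WHERE id = 8
commit
SELECT * FROM users WHERE name = '' OR '1'='1'
SET autocommit=0
rollback
SELECT * FROM users WHERE id = 9"

demo() {
    # expected: the three id lookups collapse into one shape with count 3,
    # the injected query is its own shape with count 1
    printf '%s\n' "$SAMPLE_LOG" | clean_queries | fingerprint_queries | count_shapes
}

demo
```

Shapes that appear once or twice in a long log are the ones to read by hand; a ? OR ?=? tail in a WHERE clause is a classic injection signature.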

5 thoughts on "tshark examples"

  1. skalli07

    Thank u man 🙂 , great examples ^^

    4 years after your article, it’s still 100% working !

    1. Blort

      Not strictly true. DNS is supported over both UDP and TCP and well-behaved DNS resolvers should support both. If a DNS reply sets the truncate bit, or the client is performing a zone transfer, TCP will be used. Originally the truncate bit was used when a reply exceeded 512 bytes, the maximum allowed for a DNS UDP segment. See RFC 1123 and section 3 of RFC 5966.
