PCAP analysis: tcpdump & tshark (part 2)
In this post we take the first steps toward finding out what is happening in the lab network. All the examples use tshark or tcpdump to dissect the data and to apply filters and other methods to gather the information we need.
Conversations and connections
Conversation partners
List statistics about IP conversations
$ tshark -r capture.pcap -qz conv,ip
IPv4 Conversations
Filter:<No Filter>

| Conversation | <- Frames | <- Bytes | -> Frames | -> Bytes | Total Frames | Total Bytes | Relative Start | Duration |
|---|---|---|---|---|---|---|---|---|
| 10.26.20.50 <-> 62.115.253.218 | 19885 | 77 MB | 10323 | 767 kB | 30208 | 78 MB | 724.668881000 | 553.0433 |
| 10.26.20.50 <-> 62.115.253.209 | 16557 | 69 MB | 8956 | 682 kB | 25513 | 70 MB | 725.289213000 | 552.4230 |
| 10.26.20.51 <-> 62.115.253.209 | 7944 | 33 MB | 3962 | 259 kB | 11906 | 34 MB | 536.929616000 | 72.7241 |
| 10.26.20.51 <-> 62.115.253.218 | 7496 | 30 MB | 3817 | 251 kB | 11313 | 31 MB | 536.299992000 | 73.3525 |
| 10.26.10.12 <-> 10.26.10.10 | 3170 | 1,094 kB | 3414 | 817 kB | 6584 | 1,912 kB | 1.944211000 | 14357.9442 |
List statistics about IP and TCP conversations
$ tshark -r capture.pcap -qz conv,ip -qz conv,tcp
TCP Conversations
Filter:<No Filter>

| Conversation | <- Frames | <- Bytes | -> Frames | -> Bytes | Total Frames | Total Bytes | Relative Start | Duration |
|---|---|---|---|---|---|---|---|---|
| 10.26.10.1:49732 <-> 10.26.10.3:5044 | 2209 | 146 kB | 3062 | 11 MB | 5271 | 11 MB | 87.456004000 | 14387.8944 |
| 10.26.20.50:49732 <-> 10.26.10.3:5044 | 2209 | 146 kB | 2451 | 11 MB | 4660 | 11 MB | 87.455735000 | 14387.8945 |
| 10.26.10.20:64527 <-> 10.26.10.3:5044 | 1656 | 111 kB | 2218 | 8,221 kB | 3874 | 8,332 kB | 55.476587000 | 14424.3058 |
| 10.26.10.11:57437 <-> 20.42.72.131:443 | 897 | 240 kB | 901 | 764 kB | 1798 | 1,004 kB | 109.242906000 | 54.3813 |
| 10.26.10.12:56583 <-> 13.89.179.8:443 | 868 | 232 kB | 869 | 741 kB | 1737 | 973 kB | 152.642173000 | 67.6251 |
List Top Talkers (IPv4)
$ tcpdump -tnn -r capture.pcap | awk -F ">" '{print $1}' | grep '^IP[[:space:]]' | awk -F "." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | head -20
29562 IP 10.26.20.50
27381 IP 62.115.253.218
24501 IP 62.115.253.209
14083 IP 10.26.20.51
10545 IP 10.26.10.10
9266 IP 10.26.10.12
8014 IP 10.26.10.1
6633 IP 10.26.10.3
5830 IP 10.26.10.20
3009 IP 10.26.10.11
2121 IP 13.89.179.8
1587 IP 20.54.110.119
1369 IP 62.115.253.41
1323 IP 62.115.253.64
1278 IP 20.189.173.1
1057 IP 20.42.72.131
1028 IP 20.54.89.15
735 IP 8.8.8.8
579 IP 8.249.33.254
577 IP 8.253.193.120
Endpoints which initiate most connections
$ tshark -r capture.pcap -T fields -e ip.src -Y 'tcp.flags.syn==1 && tcp.flags.ack==0' | sort | uniq -c | sort -rn
498 10.26.20.50
340 10.26.20.51
201 10.26.10.12
197 10.26.10.1
175 10.26.10.20
146 10.26.10.10
112 10.26.10.11
14 10.26.10.3
9 10.26.30.58
4 10.26.10.22
1 10.26.10.66
Packets and data transferred
List all endpoints with the amount of data and the number of packets transferred
$ tshark -r capture.pcap -qz endpoints,ip
IPv4 Endpoints
Filter:<No Filter>

| Address | Packets | Bytes | Tx Packets | Tx Bytes | Rx Packets | Rx Bytes |
|---|---|---|---|---|---|---|
| 10.26.20.50 | 76696 | 171904126 | 29868 | 17164121 | 46828 | 154740005 |
| 62.115.253.218 | 41521 | 109340208 | 27381 | 108321837 | 14140 | 1018371 |
| 62.115.253.209 | 37419 | 104406728 | 24501 | 103464774 | 12918 | 941954 |
| 10.26.20.51 | 35958 | 75004829 | 14346 | 3635747 | 21612 | 71369082 |
| 10.26.10.10 | 21966 | 5324363 | 10629 | 2805981 | 11337 | 2518382 |
| 10.26.10.12 | 18947 | 9945548 | 9340 | 2899054 | 9607 | 7046494 |
List amount of data and packets originating from our own subnet
$ tshark -r capture.pcap -qz endpoints,ip,ip.src==10.26.10.0/24
IPv4 Endpoints
Filter:ip.src==10.26.10.0/24

| Address | Packets | Bytes | Tx Packets | Tx Bytes | Rx Packets | Rx Bytes |
|---|---|---|---|---|---|---|
| 10.26.10.10 | 18572 | 4612154 | 10652 | 2811172 | 7920 | 1800982 |
| 10.26.10.12 | 15015 | 4589261 | 9363 | 2903669 | 5652 | 1685592 |
| 10.26.10.1 | 14566 | 13635958 | 8114 | 12457589 | 6452 | 1178369 |
| 10.26.10.3 | 12955 | 20224855 | 6777 | 478521 | 6178 | 19746334 |
| 10.26.10.20 | 8583 | 9565713 | 5911 | 9183975 | 2672 | 381738 |
| 10.26.20.50 | 4273 | 660683 | 0 | 0 | 4273 | 660683 |
DNS traffic
Gather DNS statistics
$ tshark -r capture.pcap -qz dns,tree
DNS:

| Topic / Item | Count | Average | Min Val | Max Val | Rate (ms) | Percent | Burst Rate | Burst Start |
|---|---|---|---|---|---|---|---|---|
| Total Packets | 6614 | | | | 0.0005 | 100% | 0.6400 | 9231.005 |
| rcode | 6614 | | | | 0.0005 | 100.00% | 0.6400 | 9231.005 |
|   No error | 5755 | | | | 0.0004 | 87.01% | 0.5200 | 9231.005 |
|   No such name | 853 | | | | 0.0001 | 12.90% | 0.1500 | 10837.225 |
|   Refused | 6 | | | | 0.0000 | 0.09% | 0.0100 | 21.210 |
| opcodes | 6614 | | | | 0.0005 | 100.00% | 0.6400 | 9231.005 |
|   Standard query | 6160 | | | | 0.0004 | 93.14% | 0.6400 | 9231.005 |
|   Dynamic update | 454 | | | | 0.0000 | 6.86% | 0.2000 | 22.757 |
| Query/Response | 6614 | | | | 0.0005 | 100.00% | 0.6400 | 9231.005 |
|   Response | 3307 | | | | 0.0002 | 50.00% | 0.3200 | 9231.013 |
|   Query | 3307 | | | | 0.0002 | 50.00% | 0.3200 | 9231.005 |
| Query Type | 6614 | | | | 0.0005 | 100.00% | 0.6400 | 9231.005 |
|   A (Host Address) | 4154 | | | | 0.0003 | 62.81% | 0.2100 | 536.175 |
|   PTR (domain name PoinTeR) | 944 | | | | 0.0001 | 14.27% | 0.3600 | 10837.166 |
|   SOA (Start Of a zone of Authority) | 900 | | | | 0.0001 | 13.61% | 0.4000 | 22.755 |
|   AAAA (IPv6 Address) | 440 | | | | 0.0000 | 6.65% | 0.2400 | 9231.014 |
|   SRV (Server Selection) | 168 | | | | 0.0000 | 2.54% | 0.2400 | 9231.005 |
|   TKEY (Transaction Key) | 8 | | | | 0.0000 | 0.12% | 0.0200 | 21.219 |
| Class | 6614 | | | | 0.0005 | 100.00% | 0.6400 | 9231.005 |
|   IN | 6614 | | | | 0.0005 | 100.00% | 0.6400 | 9231.005 |
| Payload size | 6614 | 99.05 | 25 | 3257 | 0.0005 | 100% | 0.6400 | 9231.005 |
| Query Stats | 0 | | | | 0.0000 | 100% | - | - |
|   Qname Len | 3307 | 24.38 | 7 | 72 | 0.0002 | | 0.3200 | 9231.005 |
|   Label Stats | 0 | | | | 0.0000 | | - | - |
|     4th Level or more | 1807 | | | | 0.0001 | | 0.2000 | 9231.005 |
|     3rd Level | 1283 | | | | 0.0001 | | 0.1600 | 58.041 |
|     2nd Level | 217 | | | | 0.0000 | | 0.1200 | 22.809 |
|     1st Level | 0 | | | | 0.0000 | | - | - |
| Response Stats | 0 | | | | 0.0000 | 100% | - | - |
|   no. of questions | 6614 | 1.00 | 1 | 1 | 0.0005 | | 0.6400 | 9231.013 |
|   no. of authorities | 6614 | 0.57 | 0 | 6 | 0.0005 | | 0.6400 | 9231.013 |
|   no. of answers | 6614 | 2.05 | 0 | 12 | 0.0005 | | 0.6400 | 9231.013 |
|   no. of additionals | 6614 | 0.41 | 0 | 2 | 0.0005 | | 0.6400 | 9231.013 |
| Service Stats | 0 | | | | 0.0000 | 100% | - | - |
|   request-response time (msec) | 3307 | 14.07 | 0.000000 | 330.832001 | 0.0002 | | 0.3200 | 9231.013 |
|   no. of unsolicited responses | 0 | | | | 0.0000 | | - | - |
|   no. of retransmissions | 0 | | | | 0.0000 | | - | - |
List stats for DNS traffic
$ tshark -r capture.pcap -qz endpoints,ip,'ip.src==10.26.10.0/24 && udp.dstport==53'
IPv4 Endpoints
Filter:ip.src==10.26.10.0/24 && udp.dstport==53

| Address | Packets | Bytes | Tx Packets | Tx Bytes | Rx Packets | Rx Bytes |
|---|---|---|---|---|---|---|
| 10.26.10.10 | 2244 | 218958 | 719 | 74876 | 1525 | 144082 |
| 10.26.10.1 | 920 | 85745 | 920 | 85745 | 0 | 0 |
| 8.8.8.8 | 711 | 73900 | 0 | 0 | 711 | 73900 |
| 10.26.10.12 | 242 | 25157 | 167 | 17856 | 75 | 7301 |
| 10.26.10.20 | 184 | 16804 | 184 | 16804 | 0 | 0 |
| 10.26.10.50 | 90 | 8010 | 90 | 8010 | 0 | 0 |
| 10.26.10.11 | 86 | 7883 | 86 | 7883 | 0 | 0 |
| 10.26.10.66 | 80 | 7835 | 80 | 7835 | 0 | 0 |
| 10.26.10.3 | 39 | 3952 | 39 | 3952 | 0 | 0 |
| 10.26.10.22 | 26 | 2322 | 26 | 2322 | 0 | 0 |
Show DNS queries
$ tshark -n -T fields -e dns.qry.name -r capture.pcap | grep -v '^$' | sort | uniq -c | sort -rn
596 1D.tlu.dl.delivery.mp.microsoft.com
580 v10.events.data.microsoft.com
512 ntp.ubuntu.com
186 settings-win.data.microsoft.com
140 2.centos.pool.ntp.org
136 ctldl.windowsupdate.com
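As an added example (not the post's own code, and not tshark's DNS dissector), the Python below decodes DNS messages it constructs itself (made-up names such as ntp.example.net and missing.example, not the lab traffic) and aggregates them into the kind of rows the dns,tree listing above prints: rcode, opcode, the query/response split, query type, qname length, label depth and answer counts, plus the per-name query count that the dns.qry.name pipeline produces. The name decoder follows compression pointers and rejects pointer loops and truncated names, the two inputs a naive parser trips over; the RCODES, OPCODES, QTYPES and LEVELS tables are this example's own abbreviations of the labels tshark prints.

```python
"""Decode DNS messages and aggregate the figures -z dns,tree reports.
Added example, not the post's code: the messages are constructed in memory
(made-up names, not the lab traffic); only the header and the question
section are decoded, RR counts come straight from the header."""
import struct
from collections import Counter

RCODES = {0: "No error", 3: "No such name", 5: "Refused"}
OPCODES = {0: "Standard query", 5: "Dynamic update"}
QTYPES = {1: "A", 6: "SOA", 12: "PTR", 28: "AAAA", 33: "SRV", 249: "TKEY"}
LEVELS = {1: "1st Level", 2: "2nd Level", 3: "3rd Level"}


def encode_name(name):
    """Dotted name to wire labels: 'a.b' -> b'\\x01a\\x01b\\x00'."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split(".")) + b"\x00"


def build_message(txid, name, qtype=1, response=False, rcode=0, opcode=0,
                  answers=0, authorities=0, additionals=0):
    """Constructed message: header, one IN-class question, RR bodies omitted."""
    flags = (int(response) << 15) | (opcode << 11) | rcode
    header = struct.pack("!HHHHHH", txid, flags, 1, answers, authorities, additionals)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg, off):
    """Read a name at off, following compression pointers (RFC 1035 4.1.4).
    Returns (name, offset just past the name as written in the message)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                  # two-byte pointer to an earlier name
            hops += 1
            if hops > 32 or off + 1 >= len(msg):  # a pointer loop must not hang the parser
                raise ValueError("bad compression pointer")
            end = off + 2 if end is None else end
            off = ((ln & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def decode_message(msg):
    """Header fields plus the first question: the parts dns,tree summarises."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "response": bool(flags >> 15), "opcode": (flags >> 11) & 0xF,
            "rcode": flags & 0xF, "qname": name, "qtype": qtype, "qclass": qclass,
            "questions": qd, "answers": an, "authorities": ns, "additionals": ar,
            "labels": name.count(".") + 1 if name else 0, "payload": len(msg)}


def _stat(values):
    """Count/average/min/max row, like the Average, Min Val and Max Val columns."""
    return {"count": len(values), "average": sum(values) / len(values) if values else 0.0,
            "min": min(values, default=0), "max": max(values, default=0)}


def dns_tree(messages):
    """Aggregate decoded messages into dns,tree style counters and rows."""
    d = [decode_message(m) for m in messages]
    q = [x for x in d if not x["response"]]      # label and qname stats cover queries only
    return {"Total Packets": len(d),
            "rcode": Counter(RCODES.get(x["rcode"], x["rcode"]) for x in d),
            "opcodes": Counter(OPCODES.get(x["opcode"], x["opcode"]) for x in d),
            "Query/Response": Counter("Response" if x["response"] else "Query" for x in d),
            "Query Type": Counter(QTYPES.get(x["qtype"], x["qtype"]) for x in d),
            "Payload size": _stat([x["payload"] for x in d]),
            "Qname Len": _stat([len(x["qname"]) for x in q]),
            "Label Stats": Counter(LEVELS.get(x["labels"], "4th Level or more") for x in q),
            "no. of answers": _stat([x["answers"] for x in d]),
            "queries": Counter(x["qname"] for x in q)}


def sample_messages():
    """Constructed traffic: four queries and their responses, one of them NXDOMAIN."""
    return [
        build_message(1, "ntp.example.net"),
        build_message(1, "ntp.example.net", response=True, answers=4),
        build_message(2, "v10.events.data.example.com"),
        build_message(2, "v10.events.data.example.com", response=True, answers=2, authorities=1),
        build_message(3, "missing.example", qtype=28),
        build_message(3, "missing.example", qtype=28, response=True, rcode=3, authorities=1),
        build_message(4, "5.0.0.10.in-addr.arpa", qtype=12),
        build_message(4, "5.0.0.10.in-addr.arpa", qtype=12, response=True, answers=1),
    ]
```

dns_tree(sample_messages()) returns the counters; on a real capture the input would be the UDP payloads tshark dissects for you. The Label Stats bucket mirrors tshark's 1st/2nd/3rd/4th-or-more split and, like Qname Len, is counted over queries only, which is why the lab table shows 3307 rather than 6614 in those rows.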
HTTP URLs
$ tshark -n -r capture.pcap -T fields -e http.request.full_uri | grep -v '^$' | sort | uniq -c | sort -rn | head -20
tshark: The file "capture.pcap" appears to have been cut short in the middle of a packet.
51 http://1d.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/1881b6cd-189d-4556-b6eb-6300f480fdcc?P1=1655102001&P2=404&P3=2&P4=QGGg18YHhU5Ut9L4nDfq3kK8ElVF8dYl%2bG%2fjByas3OoxCSTEOgS8qhTA22n8z4rcSQ7tLODZ%2blB%2bgVEhvjJTZQ%3d%3d
50 http://1d.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ad73b808-2858-4747-9a8e-96423151c4f1?P1=1655101835&P2=404&P3=2&P4=j8Cry%2bRYdgDRzmW%2bW1re6iFt5djTulQLrAMUKe3QDoL%2fk276RXcPTloQrO8d2vPy4m%2b9PXbWm7R0BbDt0BdPXQ%3d%3d
50 http://1d.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/7b20861d-cb4d-420b-a821-e953d53baa3e?P1=1655105070&P2=404&P3=2&P4=Wdp%2bUHbPyNUK%2ffBZyClbdNz9OgDj%2f22TrgqOxfVhFnTRQBnH%2f4D0Fmdt5kO%2bgNtQqD2MEgvXR%2b9GvCxMSjLLCQ%3d%3d
46 http://1d.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/1ee8f2d3-cfbe-4514-a83a-5aaadb44df5e?P1=1655100936&P2=404&P3=2&P4=k9QqjKOqzxXSATcRoBw4byXUFPSf1qnuQQrv%2bjF%2bkNwPFSvyc6iINlJmUU%2fljiuHeQXouQMAj4K7aPxCZ0IMzA%3d%3d
35 http://1d.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/89bbe9e1-cfb6-4124-828e-14f9a8d6a88b?P1=1655102770&P2=404&P3=2&P4=R6WJ4jOWRkqzylc%2fMQ0K23oTCaReDeq0GUkB6dQsF4Crvq3IUwKYpREUMSv8U1%2bqQ4I%2fMeU3e5qR5u%2f1whj%2fGg%3d%3d
34 http://1d.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/cb173ca0-3abf-41b8-b281-995e105a305b?P1=1655105909&P2=404&P3=2&P4=KDk2tR5lLFFIGrahvR%2bgOo9LWHn3WafPmfxkP4c%2b3panRFnwNnSTtdEkpDv1w%2fwkedE11wK%2bq3Ydi%2fGAuMn3Jw%3d%3d
34 http://1d.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/b1d5030c-6acf-4899-a1c1-6fb3ae6dc18d?P1=1655102115&P2=404&P3=2&P4=dQMJvBX4hW9iw1nH4fQN27CZx8vF9vkFv9bte6EnxLQmOWwHPg1bu1%2fABFNI4KdcAhUUN1JWwHNBSz8akJ%2bW5w%3d%3d
34 http://1d.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/6b731b6f-f048-47a9-b3ea-1e1e478f32db?P1=1655103088&P2=404&P3=2&P4=NhjHlLwpHWldBks7vrU7RINs6q6h6h9ucJCHnjv82lln9q63ujpyzg6h6JXvVbzohU63Hz%2bPurfDpUVWaEKp6w%3d%3d
32 http://1d.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a161832f-a98d-470a-8c59-e79f45b082d2?P1=1655101131&P2=404&P3=2&P4=ZCVSvJEWS9diPN070hqVzh2ShKvhnKeZDuZkEP%2fNhiPuiS1%2byqg%2bnr4nKz0JKuMludNRf0USv00PxngAURSDFA%3d%3d
Protocol Hierarchy Statistics
This listing gives you both the number of frames and the number of bytes on each protocol layer.
$ tshark -r capture.pcap -qz io,phs
===================================================================
Protocol Hierarchy Statistics
Filter:
eth frames:165645 bytes:297934576
vlan frames:165638 bytes:297934118
arp frames:7878 bytes:492164
ip frames:156839 bytes:297351277
icmp frames:297 bytes:30258
udp frames:9662 bytes:1411712
ntp frames:1689 bytes:180942
dns frames:6360 bytes:912214
cldap frames:288 bytes:63188
mdns frames:220 bytes:20893
llmnr frames:131 bytes:9730
nbns frames:73 bytes:8052
nbdgm frames:99 bytes:24453
smb frames:99 bytes:24453
mailslot frames:99 bytes:24453
browser frames:99 bytes:24453
data frames:426 bytes:62757
dhcp frames:360 bytes:126555
ssdp frames:16 bytes:2928
tcp frames:146400 bytes:295880469
nbss frames:6226 bytes:1857689
smb2 frames:6120 bytes:1842134
dcerpc frames:10 bytes:2688
rpc_netlogon frames:2 bytes:488
lsarpc frames:4 bytes:1016
smb2 frames:570 bytes:223318
smb2 frames:164 bytes:59368
data frames:142 bytes:87634
tcp.segments frames:1 bytes:1724
smb frames:103 bytes:13493
kerberos frames:304 bytes:332202
tcp.segments frames:9 bytes:1231
dcerpc frames:3330 bytes:1738802
drsuapi frames:1096 bytes:702896
epm frames:210 bytes:57960
rpc_netlogon frames:48 bytes:17742
lsarpc frames:58 bytes:17588
frstrans frames:448 bytes:88704
ldap frames:1545 bytes:946657
ldap frames:83 bytes:222940
tcp.segments frames:7 bytes:3671
tls frames:13953 bytes:15276334
tcp.segments frames:294 bytes:2046810
tls frames:219 bytes:1854869
http frames:3256 bytes:9522852
data-text-lines frames:85 bytes:61099
tcp.segments frames:3 bytes:1461
tls frames:26 bytes:34833
tcp.segments frames:1 bytes:6364
xml frames:19 bytes:36221
tcp.segments frames:12 bytes:18760
ocsp frames:8 bytes:7067
media frames:785 bytes:4289697
tcp.segments frames:300 bytes:434801
json frames:6 bytes:4777
data frames:576 bytes:4386671
tcp.segments frames:529 bytes:4299713
tcp.segments frames:3 bytes:11447
dns frames:36 bytes:19345
data frames:6898 bytes:30331005
tcp.segments frames:1 bytes:1518
igmp frames:480 bytes:28838
ipv6 frames:921 bytes:90677
icmpv6 frames:561 bytes:51566
udp frames:360 bytes:39111
dhcpv6 frames:23 bytes:3634
mdns frames:214 bytes:23956
llmnr frames:123 bytes:11521
ipv6 frames:7 bytes:458
icmpv6 frames:7 bytes:458
===================================================================
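The figures the conversation, endpoint and initiator sections above pull from tshark, and the frames-per-layer listing here, can be recomputed by hand from a pcap. The Python below is an added example (not the post's code and not part of tshark) that does exactly that with the standard library: it reads the classic pcap container and the Ethernet, IPv4, TCP and UDP headers, then produces conv,ip style per-direction counts, endpoints,ip style Tx/Rx counts, the SYN-without-ACK initiator count and an io,phs style protocol hierarchy. The capture it reads is constructed in memory (a few made-up frames between 10.0.0.5, 10.0.0.7, 10.0.0.53 and 203.0.113.10, not the lab capture), the dns layer is a port-53 guess rather than a dissector, and parsing stops at a record whose data is shorter than its header claims, the situation behind the "cut short in the middle of a packet" warning earlier.

```python
"""Conversation, endpoint, initiator and protocol-hierarchy figures recomputed
from a pcap with the standard library. Added example, not the post's code:
the capture is constructed in memory (made-up frames, not the lab capture)."""
import struct
from collections import Counter, defaultdict

LINKTYPE_ETHERNET, SYN, ACK = 1, 0x02, 0x10

def ipv4_frame(src, dst, proto, payload):
    """Ethernet + IPv4 header around a transport payload (checksums left 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + payload

def tcp_frame(src, sport, dst, dport, flags, data=b""):
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ipv4_frame(src, dst, 6, hdr + data)

def udp_frame(src, sport, dst, dport, data=b""):
    return ipv4_frame(src, dst, 17, struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data)

def build_sample_pcap():
    """Constructed traffic: a DNS exchange, one TCP session and two lone SYNs."""
    frames = [
        udp_frame("10.0.0.5", 40000, "10.0.0.53", 53, b"Q" * 30),
        udp_frame("10.0.0.53", 53, "10.0.0.5", 40000, b"R" * 60),
        tcp_frame("10.0.0.5", 50001, "203.0.113.10", 443, SYN),
        tcp_frame("203.0.113.10", 443, "10.0.0.5", 50001, SYN | ACK),
        tcp_frame("10.0.0.5", 50001, "203.0.113.10", 443, ACK),
        tcp_frame("203.0.113.10", 443, "10.0.0.5", 50001, ACK, b"D" * 500),
        tcp_frame("10.0.0.7", 50002, "203.0.113.10", 443, SYN),
        tcp_frame("10.0.0.5", 50003, "203.0.113.10", 443, SYN),
    ]
    pcap = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    pcap += [struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return b"".join(pcap)

def parse_pcap(blob):
    """One dict per frame: protocol path, plus src/dst/TCP flags for IPv4 frames."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(blob[:4])
    if endian is None or struct.unpack(endian + "I", blob[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("expected a classic pcap file with Ethernet frames")
    records, off = [], 24
    while off + 16 <= len(blob):
        _, _, incl, orig = struct.unpack(endian + "IIII", blob[off:off + 16])
        frame, off = blob[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < incl:           # "cut short in the middle of a packet"
            break
        rec = {"len": orig, "layers": ["eth"], "flags": None}
        records.append(rec)
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                    # not IPv4: counted at the eth level only
        t = 14 + (frame[14] & 0x0F) * 4  # transport header follows the IHL words
        rec.update(src=".".join(map(str, frame[26:30])), dst=".".join(map(str, frame[30:34])),
                   proto=frame[23], layers=["eth", "ip"])
        if rec["proto"] == 6 and len(frame) >= t + 20:
            rec["layers"].append("tcp")
            rec["flags"] = frame[t + 13]
        elif rec["proto"] == 17 and len(frame) >= t + 8:
            rec["layers"].append("udp")
            if 53 in struct.unpack("!HH", frame[t:t + 4]):   # port guess, not a dissector
                rec["layers"].append("dns")
    return records

def conversations(records):
    """conv,ip: per address pair, frames/bytes each way; side A = first seen source."""
    conv, sides = {}, {}
    for r in records:
        if "src" not in r:
            continue
        key = sides.setdefault(frozenset((r["src"], r["dst"])), (r["src"], r["dst"]))
        c = conv.setdefault(key, {"a_to_b": [0, 0], "b_to_a": [0, 0]})
        way = "a_to_b" if r["src"] == key[0] else "b_to_a"
        c[way][0] += 1
        c[way][1] += r["len"]
    return conv

def endpoints(records):
    """endpoints,ip: transmitted and received packets and bytes per address."""
    ep = defaultdict(lambda: {"tx_pkts": 0, "tx_bytes": 0, "rx_pkts": 0, "rx_bytes": 0})
    for r in records:
        for addr, way in ((r.get("src"), "tx"), (r.get("dst"), "rx")):
            if addr is not None:
                ep[addr][way + "_pkts"] += 1
                ep[addr][way + "_bytes"] += r["len"]
    return dict(ep)

def initiators(records):
    """Sources of SYN-without-ACK segments, i.e. who opens TCP connections."""
    return Counter(r["src"] for r in records
                   if r["flags"] is not None and (r["flags"] & (SYN | ACK)) == SYN)

def protocol_hierarchy(records):
    """io,phs: frames and bytes for every protocol path such as 'eth:ip:udp:dns'."""
    phs = defaultdict(lambda: [0, 0])
    for r in records:
        for depth in range(1, len(r["layers"]) + 1):
            phs[":".join(r["layers"][:depth])][0] += 1
            phs[":".join(r["layers"][:depth])][1] += r["len"]
    return dict(phs)
```

Feed parse_pcap(build_sample_pcap()) to each of the four functions, or replace build_sample_pcap() with the bytes of a real capture file. Byte counts are original frame lengths including the Ethernet header, and a conversation's side A is the source of the first frame seen for that address pair, so the a_to_b and b_to_a lists line up with the two direction columns of the conversation tables above.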
Miscellaneous
Create hosts file from the pcap
$ tshark -r capture.pcap -qz hosts
# TShark hosts output
#
# Host data gathered from capture.pcap
20.199.120.85 wns.notify.trafficmanager.net
20.72.205.209 settings-prod-wus2-2.westus2.cloudapp.azure.com
201.217.3.85 2.centos.pool.ntp.org
184.85.154.29 e11290.dspg.akamaiedge.net
104.212.67.245 mrs20r3.msedge.net
104.21.64.48 versioncheck.graylog.com
Ok, that's it. Hopefully you got something out of this and I'll see you in the next post.