PCAP analysis: tcpdump & tshark (part 3)


Tshark has several kinds of filters that can be applied while capturing or afterwards, when we want to carve out only the interesting bits and bytes from a capture. Let's see how they work and how to put them to use.

Display filters

Tshark display filters use exactly the same syntax as Wireshark.

To apply a display filter with tshark, use the -Y 'filter_here' syntax.

Filter by protocol

$ tshark -r capture.pcap -Y 'tls' 
  499  15.340428  10.26.10.11 → 20.189.173.2 TLSv1.2 270 Client Hello
  503  15.520603 20.189.173.2 → 10.26.10.11  TLSv1.2 4460 Server Hello, Certificate, Server Key Exchange, Server Hello Done
  506  15.556617  10.26.10.11 → 20.189.173.2 TLSv1.2 216 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
  525  15.735618 20.189.173.2 → 10.26.10.11  TLSv1.2 109 Change Cipher Spec, Encrypted Handshake Message
  526  15.744634  10.26.10.11 → 20.189.173.2 TLSv1.2 626 Application Data
  527  15.744739  10.26.10.11 → 20.189.173.2 TLSv1.2 925 Application Data
  581  15.922102 20.189.173.2 → 10.26.10.11  TLSv1.2 465 Application Data
  582  15.956690  10.26.10.11 → 20.189.173.2 TLSv1.2 627 Application Data
  583  15.956786  10.26.10.11 → 20.189.173.2 TLSv1.2 1909 Application Data
  587  16.134398 20.189.173.2 → 10.26.10.11  TLSv1.2 465 Application Data

Filter by IP address

$ tshark -r capture.pcap -Y 'ip.addr==10.26.10.10' 
    9   1.944211  10.26.10.12 → 10.26.10.10  NTP 166 NTP Version 3, symmetric active
   10   1.945724  10.26.10.10 → 10.26.10.12  NTP 166 NTP Version 3, server
   13   3.220445  10.26.10.10 → 10.26.10.12  TCP 60 58097 → 135 [FIN, ACK] Seq=1 Ack=1 Win=1023 Len=0
   14   3.220537  10.26.10.10 → 10.26.10.12  TCP 60 58096 → 135 [FIN, ACK] Seq=1 Ack=1 Win=1024 Len=0
   15   3.220670  10.26.10.12 → 10.26.10.10  TCP 60 135 → 58097 [ACK] Seq=1 Ack=2 Win=8191 Len=0
   16   3.220671  10.26.10.12 → 10.26.10.10  TCP 60 135 → 58097 [FIN, ACK] Seq=1 Ack=2 Win=8191 Len=0
   17   3.220671  10.26.10.10 → 10.26.10.12  TCP 60 58099 → 49669 [FIN, ACK] Seq=1 Ack=1 Win=1024 Len=0
   18   3.220818  10.26.10.12 → 10.26.10.10  TCP 60 135 → 58096 [ACK] Seq=1 Ack=2 Win=8191 Len=0
   19   3.220818  10.26.10.10 → 10.26.10.12  TCP 60 58098 → 49669 [FIN, ACK] Seq=1 Ack=1 Win=1024 Len=0
   20   3.220819  10.26.10.12 → 10.26.10.10  TCP 60 135 → 58096 [FIN, ACK] Seq=1 Ack=2 Win=8191 Len=0

Show only traffic between local clients and servers

$ tshark -r capture.pcap -Y 'ip.src==10.26.30.0/24 and ip.dst==10.26.10.0/24'
 6339  76.835281  10.26.30.58 → 10.26.10.10  DNS 85 Standard query 0xf6b7 A 2.centos.pool.ntp.org
 6341  76.835283  10.26.30.58 → 10.26.10.10  DNS 85 Standard query 0xcdb2 AAAA 2.centos.pool.ntp.org
 7017  81.538229  10.26.30.58 → 10.26.10.10  DNS 85 Standard query 0xf14b A 2.centos.pool.ntp.org
 7019  81.538514  10.26.30.58 → 10.26.10.10  DNS 85 Standard query 0x9244 AAAA 2.centos.pool.ntp.org
 7793  85.303232  10.26.30.58 → 10.26.10.10  DNS 84 Standard query 0x4df1 A extensions.gnome.org
 7795  85.303381  10.26.30.58 → 10.26.10.10  DNS 84 Standard query 0x4cf3 AAAA extensions.gnome.org
13489 109.563030  10.26.30.58 → 10.26.10.10  DNS 85 Standard query 0xa249 A 2.centos.pool.ntp.org

Use protocol and address information in search

$ tshark -r capture.pcap -Y 'http and ip.addr==10.26.10.22' 
 1181  37.497992  10.26.10.22 → 10.26.10.1   HTTP 229 CONNECT api.snapcraft.io:443 HTTP/1.1
 1704  42.877935   10.26.10.1 → 10.26.10.22  HTTP 109 HTTP/1.1 200 Connection established
 1706  42.878445  10.26.10.22 → 10.26.10.1   TLSv1 338 Client Hello
 1708  42.919401   10.26.10.1 → 10.26.10.22  TLSv1.3 3607 Server Hello, Change Cipher Spec, Application Data, Application Data, Application Data, Application Data
 1723  43.614476  10.26.10.22 → 10.26.10.1   TLSv1.3 134 Change Cipher Spec, Application Data
 1725  43.614789  10.26.10.22 → 10.26.10.1   TLSv1.3 442 Application Data
 1729  43.654269   10.26.10.1 → 10.26.10.22  TLSv1.3 228 Application Data, Application Data
 1731  43.655801   10.26.10.1 → 10.26.10.22  TLSv1.3 1187 Application Data
 1790  45.081161  10.26.10.22 → 10.26.10.1   HTTP 229 CONNECT api.snapcraft.io:443 HTTP/1.1
 1797  45.125026   10.26.10.1 → 10.26.10.22  HTTP 109 HTTP/1.1 200 Connection established

It is also possible to use partial information in search.

$ tshark -r capture.pcap -Y "eth.src contains d8:41:cc"
    9   1.944211  10.26.10.12 → 10.26.10.10  NTP 166 NTP Version 3, symmetric active
   15   3.220670  10.26.10.12 → 10.26.10.10  TCP 60 135 → 58097 [ACK] Seq=1 Ack=2 Win=8191 Len=0
   16   3.220671  10.26.10.12 → 10.26.10.10  TCP 60 135 → 58097 [FIN, ACK] Seq=1 Ack=2 Win=8191 Len=0
   18   3.220818  10.26.10.12 → 10.26.10.10  TCP 60 135 → 58096 [ACK] Seq=1 Ack=2 Win=8191 Len=0
   20   3.220819  10.26.10.12 → 10.26.10.10  TCP 60 135 → 58096 [FIN, ACK] Seq=1 Ack=2 Win=8191 Len=0
   23   3.220966  10.26.10.12 → 10.26.10.10  TCP 60 49669 → 58099 [ACK] Seq=1 Ack=2 Win=8192 Len=0
   24   3.220967  10.26.10.12 → 10.26.10.10  TCP 60 49669 → 58098 [FIN, ACK] Seq=1 Ack=2 Win=8193 Len=0
   26   3.221254  10.26.10.12 → 10.26.10.10  TCP 60 49669 → 58099 [FIN, ACK] Seq=1 Ack=2 Win=8192 Len=0
   28   3.467931  10.26.10.12 → 10.26.10.10  NTP 166 NTP Version 3, symmetric active
   32   3.794714  10.26.10.12 → 10.26.10.10  SMB2 130 Tree Disconnect Request

There are thousands of filter fields available; you can search them with tshark -G, which prints out all the known protocols and their fields.

$ tshark -G | wc -l
223474

Read filters

Read filters allow you to select which packets are to be decoded or saved for later use. Read filters use the same syntax as display filters do.

A read filter is specified with the -R switch.

Two-pass analysis causes tshark to buffer its output until the entire first pass is done, but it allows tshark to fill in fields that require future knowledge, such as 'response in frame #' fields. It also permits reassembly frame dependencies to be calculated correctly.

Two-pass analysis is specified with the -2 switch.

Use of read filters (-R) without -2 is deprecated.

Save all DNS traffic to a new file

$ tshark -r capture.pcap -2 -R dns -w dns.pcap
$ tshark -r dns.pcap | head
 8157 20747.963305  10.26.10.10 → 8.8.8.8      DNS 119 Standard query 0x32ec A global.asimov.events.data.trafficmanager.net OPT
 8158 20747.980132      8.8.8.8 → 10.26.10.10  DNS 191 Standard query response 0x32ec A global.asimov.events.data.trafficmanager.net CNAME onedscolprdwus00.westus.cloudapp.azure.com A 20.189.173.1 OPT

$ tshark -r capture.pcap -2 -R 'http.request.method=="POST"'
    1  53.009718  10.26.10.20 → 184.85.154.29 HTTP/XML 1478 POST /fwlink/?LinkID=252669&clcid=0x409 HTTP/1.1
    2  53.049018  10.26.10.20 → 20.86.173.234 HTTP/XML 1478 POST /metadata.svc HTTP/1.1
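As an added example (not the author's code), here is the DNS read-filter step scripted: tshark does the two-pass read filtering (-2 -R, as recommended above) and emits tab-separated fields, and the script summarises which client asked for which names. The pcap path is a placeholder assumption, and the sample tshark output embedded below is constructed from the DNS frames shown on this page.

```python
import subprocess
from collections import Counter, defaultdict

# Field names are real tshark field identifiers (see tshark -G).
FIELDS = ["frame.number", "ip.src", "ip.dst", "dns.flags.response", "dns.qry.name"]

def tshark_dns_cmd(pcap_path):
    """Build the tshark command: read filter 'dns' in two-pass mode, one
    tab-separated line per packet, first occurrence of each field."""
    cmd = ["tshark", "-r", pcap_path, "-2", "-R", "dns", "-T", "fields",
           "-E", "separator=/t", "-E", "occurrence=f"]
    for field in FIELDS:
        cmd += ["-e", field]
    return cmd

def parse_fields_output(text):
    """Turn tshark -T fields output into one dict per packet, keyed by FIELDS."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        parts += [""] * (len(FIELDS) - len(parts))  # pad missing trailing fields
        records.append(dict(zip(FIELDS, parts)))
    return records

def queries_by_client(records):
    """Count query names per source address, skipping responses (the answer
    echoes the question, so dns.qry.name alone does not tell them apart).
    tshark prints the boolean flag as 0/1 or False/True depending on version."""
    seen = defaultdict(Counter)
    for r in records:
        if r["dns.flags.response"] in ("1", "True") or not r["dns.qry.name"]:
            continue
        seen[r["ip.src"]][r["dns.qry.name"]] += 1
    return {src: dict(names) for src, names in seen.items()}

def summarise_pcap(pcap_path):
    """Run tshark on a real capture (placeholder path) and summarise it."""
    out = subprocess.run(tshark_dns_cmd(pcap_path), capture_output=True,
                         text=True, check=True).stdout
    return queries_by_client(parse_fields_output(out))

# Constructed sample of what the command above prints for the frames on this page.
SAMPLE_OUTPUT = "\n".join([
    "8157\t10.26.10.10\t8.8.8.8\t0\tglobal.asimov.events.data.trafficmanager.net",
    "8158\t8.8.8.8\t10.26.10.10\t1\tglobal.asimov.events.data.trafficmanager.net",
    "6339\t10.26.30.58\t10.26.10.10\t0\t2.centos.pool.ntp.org",
    "6341\t10.26.30.58\t10.26.10.10\t0\t2.centos.pool.ntp.org",
    "7793\t10.26.30.58\t10.26.10.10\t0\textensions.gnome.org",
])

if __name__ == "__main__":
    print(queries_by_client(parse_fields_output(SAMPLE_OUTPUT)))
```

Replace SAMPLE_OUTPUT with summarise_pcap("capture.pcap") to run it against a real file.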

Ok, that's it. Hopefully you got something out of this and I'll see you in the next post.