| name | analysis-tshark |
| description | Network protocol analyzer and packet capture tool for traffic analysis, security investigations, and forensic examination using Wireshark's command-line interface. Use when: (1) Analyzing network traffic for security incidents and malware detection, (2) Capturing and filtering packets for forensic analysis, (3) Extracting credentials and sensitive data from network captures, (4) Investigating network anomalies and attack patterns, (5) Validating encryption and security controls, (6) Performing protocol analysis for vulnerability research.
|
| version | 0.1.0 |
| maintainer | sirappsec@gmail.com |
| category | offsec |
| tags | ["packet-capture","network-analysis","forensics","tshark","wireshark","traffic-analysis"] |
| frameworks | ["MITRE-ATT&CK","NIST"] |
| dependencies | {"packages":["tshark","wireshark"],"tools":["tcpdump","python3"]} |
| references | ["https://www.wireshark.org/docs/man-pages/tshark.html","https://wiki.wireshark.org/DisplayFilters","https://attack.mitre.org/techniques/T1040/"] |
TShark Network Protocol Analyzer
Overview
TShark is the command-line network protocol analyzer from the Wireshark project. It provides powerful packet capture and analysis capabilities for security investigations, forensic analysis, and network troubleshooting. This skill covers authorized security operations including traffic analysis, credential extraction, malware detection, and forensic examination.
IMPORTANT: Network packet capture may expose sensitive information and must only be conducted with proper authorization. Ensure legal compliance and privacy considerations before capturing network traffic.
Quick Start
Basic packet capture and analysis:
sudo tshark -i eth0
sudo tshark -i eth0 -c 100 -w capture.pcap
tshark -r capture.pcap
tshark -r capture.pcap -Y "http.request.method == GET"
tshark -r capture.pcap --export-objects http,extracted_files/
Core Workflow
Network Analysis Workflow
Progress:
[ ] 1. Verify authorization for packet capture
[ ] 2. Identify target interface and capture requirements
[ ] 3. Capture network traffic with appropriate filters
[ ] 4. Analyze captured packets for security indicators
[ ] 5. Extract artifacts (files, credentials, sessions)
[ ] 6. Document findings and security implications
[ ] 7. Securely handle and store capture files
[ ] 8. Clean up sensitive data per retention policy
Work through each step systematically. Check off completed items.
1. Authorization Verification
CRITICAL: Before any packet capture:
- Confirm written authorization for network monitoring
- Verify legal compliance (wiretapping laws, privacy regulations)
- Understand data handling and retention requirements
- Document scope of capture (interfaces, duration, filters)
- Ensure secure storage for captured data
2. Interface Discovery
Identify available network interfaces:
tshark -D
sudo tshark -D
sudo tshark -i eth0
sudo tshark -i wlan0
sudo tshark -i any
sudo tshark -i eth0 -i wlan0
Interface types:
- eth0/ens33: Ethernet interface
- wlan0: Wireless interface
- lo: Loopback interface
- any: All interfaces (Linux only)
- mon0: Monitor mode interface (wireless)
3. Basic Packet Capture
Capture network traffic:
sudo tshark -i eth0
sudo tshark -i eth0 -c 1000
sudo tshark -i eth0 -a duration:60
sudo tshark -i eth0 -w capture.pcap
sudo tshark -i eth0 -w capture.pcap -b filesize:100000 -b files:5
Capture options:
-c <count>: Capture packet count
-a duration:<sec>: Auto-stop after duration
-w <file>: Write to file
-b filesize:<KB>: Rotate at file size
-b files:<num>: Keep N ring buffer files
4. Capture Filters
Apply BPF (Berkeley Packet Filter) during capture for efficiency:
sudo tshark -i eth0 -f "tcp port 80"
sudo tshark -i eth0 -f "host 192.168.1.100"
sudo tshark -i eth0 -f "net 192.168.1.0/24"
sudo tshark -i eth0 -f "tcp port 80 or tcp port 443"
sudo tshark -i eth0 -f "not port 22"
sudo tshark -i eth0 -f "tcp[tcpflags] & tcp-syn != 0"
Common capture filters:
host <ip>: Traffic to/from IP
net <cidr>: Traffic to/from network
port <port>: Specific port
tcp|udp|icmp: Protocol type
src|dst: Direction filter
and|or|not: Logical operators
5. Display Filters
Analyze captured traffic with Wireshark display filters:
tshark -r capture.pcap -Y "http.request"
tshark -r capture.pcap -Y "http.response"
tshark -r capture.pcap -Y "dns.flags.response == 0"
tshark -r capture.pcap -Y "tls.handshake.type == 1"
tshark -r capture.pcap -Y "tcp.flags.syn==1 and tcp.flags.ack==0"
tshark -r capture.pcap -Y "tcp.flags.reset==1"
Advanced display filters:
tshark -r capture.pcap -Y "http.request.method == POST and (http contains \"password\" or http contains \"username\")"
tshark -r capture.pcap -Y "smb2.cmd == 8 or smb2.cmd == 9"
tshark -r capture.pcap -Y "http.user_agent contains \"python\" or http.user_agent contains \"curl\""
tshark -r capture.pcap -Y "tcp.len > 1400"
tshark -r capture.pcap -Y "http" -T fields -e frame.time_relative -e ip.dst
6. Protocol Analysis
Analyze specific protocols:
HTTP/HTTPS Analysis:
tshark -r capture.pcap -Y "http.request" -T fields -e ip.src -e http.host -e http.request.uri
tshark -r capture.pcap -Y "http.user_agent" -T fields -e ip.src -e http.user_agent
tshark -r capture.pcap -Y "http.response" -T fields -e ip.src -e http.response.code
tshark -r capture.pcap -Y "http.cookie" -T fields -e ip.src -e http.cookie
DNS Analysis:
tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e ip.src -e dns.qry.name
tshark -r capture.pcap -Y "dns.flags.response == 1" -T fields -e dns.qry.name -e dns.a
tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name | awk 'length > 50'
tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.type -e dns.qry.name
TLS/SSL Analysis:
tshark -r capture.pcap -Y "tls.handshake.type == 1" -T fields -e ip.src -e ip.dst -e tls.handshake.extensions_server_name
tshark -r capture.pcap -Y "tls.handshake.certificate" -T fields -e tls.handshake.certificate
tshark -r capture.pcap -Y "tls" -T fields -e tls.record.version
tshark -r capture.pcap -Y "tls.handshake.ciphersuite" -T fields -e tls.handshake.ciphersuite
SMB/CIFS Analysis:
tshark -r capture.pcap -Y "smb2" -T fields -e ip.src -e smb2.filename
tshark -r capture.pcap -Y "ntlmssp" -T fields -e ip.src -e ntlmssp.auth.username
tshark -r capture.pcap -Y "smb2" -T fields -e smb2.cmd
7. Credential Extraction
Extract credentials from network traffic (authorized forensics only):
HTTP Basic Authentication:
tshark -r capture.pcap -Y "http.authbasic" -T fields -e ip.src -e http.authbasic
tshark -r capture.pcap -Y "http.authorization" -T fields -e http.authorization | base64 -d
FTP Credentials:
tshark -r capture.pcap -Y "ftp.request.command == USER" -T fields -e ip.src -e ftp.request.arg
tshark -r capture.pcap -Y "ftp.request.command == PASS" -T fields -e ip.src -e ftp.request.arg
NTLM/Kerberos:
tshark -r capture.pcap -Y "ntlmssp.auth.ntlmv2response" -T fields -e ntlmssp.auth.username -e ntlmssp.auth.domain -e ntlmssp.auth.ntlmv2response
tshark -r capture.pcap -Y "kerberos.CNameString" -T fields -e kerberos.CNameString -e kerberos.realm
Email Credentials:
tshark -r capture.pcap -Y "smtp.req.command == AUTH" -T fields -e ip.src
tshark -r capture.pcap -Y "pop.request.command == USER or pop.request.command == PASS" -T fields -e pop.request.parameter
tshark -r capture.pcap -Y "imap.request contains \"LOGIN\"" -T fields -e imap.request
8. File Extraction
Extract files from packet captures:
tshark -r capture.pcap --export-objects http,extracted_http/
tshark -r capture.pcap --export-objects smb,extracted_smb/
tshark -r capture.pcap --export-objects dicom,extracted_dicom/
tshark -r capture.pcap --export-objects imf,extracted_email/
Manual file reconstruction:
tshark -r capture.pcap -Y "http.response and http.content_type contains \"application/pdf\"" -T fields -e data.data | xxd -r -p > extracted_file.pdf
tshark -r capture.pcap -q -z follow,tcp,ascii,<stream-number>
9. Malware Detection
Identify malicious network activity:
tshark -r capture.pcap -Y "http" -T fields -e frame.time_relative -e ip.dst -e http.host | sort | uniq -c | sort -rn
tshark -r capture.pcap -Y "dns.qry.name" -T fields -e dns.qry.name | awk -F'.' '{print $(NF-1)"."$NF}' | sort | uniq -c | sort -rn
tshark -r capture.pcap -Y "tcp.flags.syn==1 and tcp.flags.ack==0" -T fields -e ip.src -e ip.dst -e tcp.dstport | sort | uniq -c | sort -rn
tshark -r capture.pcap -Y "http.request.method == POST" -T fields -e ip.src -e http.content_length | awk '$2 > 1000000'
tshark -r capture.pcap -Y "http.response and (http.content_type contains \"application/exe\" or http.content_type contains \"application/x-dosexec\")"
10. Statistics and Reporting
Generate traffic statistics:
tshark -r capture.pcap -q -z io,phs
tshark -r capture.pcap -q -z conv,tcp
tshark -r capture.pcap -q -z conv,udp
tshark -r capture.pcap -q -z conv,ip
tshark -r capture.pcap -q -z http,tree
tshark -r capture.pcap -q -z dns,tree
tshark -r capture.pcap -q -z endpoints,tcp
tshark -r capture.pcap -q -z endpoints,udp
tshark -r capture.pcap -q -z expert
Security Considerations
Authorization & Legal Compliance
- Written Authorization: Obtain explicit permission for network monitoring
- Privacy Laws: Comply with wiretapping and privacy regulations (GDPR, CCPA, ECPA)
- Data Minimization: Capture only necessary traffic for investigation
- Credential Handling: Treat extracted credentials as highly sensitive
- Retention Policy: Follow data retention and secure deletion requirements
Operational Security
- Encrypted Storage: Encrypt capture files at rest
- Access Control: Restrict access to packet captures
- Secure Transfer: Use encrypted channels for capture file transfer
- Anonymization: Remove or redact PII when sharing captures
- Chain of Custody: Maintain forensic integrity for legal proceedings
Audit Logging
Document all packet capture activities:
- Capture start and end timestamps
- Interface(s) captured
- Capture filters applied
- File names and storage locations
- Personnel who accessed captures
- Purpose of capture and investigation findings
- Secure deletion timestamps
Compliance
- MITRE ATT&CK: T1040 (Network Sniffing)
- NIST CSF: DE.AE (Detection Processes - Anomalies and Events)
- PCI-DSS: Network security monitoring requirements
- ISO 27001: A.12.4 Logging and monitoring
- GDPR: Data protection and privacy requirements
Common Patterns
Pattern 1: Incident Response Investigation
sudo tshark -i eth0 -w incident_$(date +%Y%m%d_%H%M%S).pcap -a duration:300
tshark -r incident.pcap -Y "smb2 or rdp or ssh" -T fields -e ip.src -e ip.dst
tshark -r incident.pcap -Y "http or dns" -T fields -e ip.dst -e http.host -e dns.qry.name
tshark -r incident.pcap -Y "ip.dst" -T fields -e ip.dst | sort -u > ioc_ips.txt
tshark -r incident.pcap -Y "dns.qry.name" -T fields -e dns.qry.name | sort -u > ioc_domains.txt
Pattern 2: Malware Traffic Analysis
sudo tshark -i eth0 -w malware_traffic.pcap
tshark -r malware_traffic.pcap -Y "http.host" -T fields -e ip.src -e http.host -e http.user_agent
tshark -r malware_traffic.pcap -Y "dns" -T fields -e dns.qry.name | awk 'length > 50'
tshark -r malware_traffic.pcap --export-objects http,malware_artifacts/
tshark -r malware_traffic.pcap -Y "http.request.method == POST" -T fields -e data.data
Pattern 3: Credential Harvesting Detection
sudo tshark -i eth0 -Y "(http.authorization or ftp or pop or imap) and not tls" -T fields -e ip.src -e ip.dst
tshark -r capture.pcap -Y "http.request.method == POST" -T fields -e http.file_data > post_data.txt
tshark -r capture.pcap -Y "http contains \"password\" or http contains \"passwd\"" -T fields -e ip.src -e http.request.uri
tshark -r capture.pcap -Y "ntlmssp.auth.ntlmv2response" -T fields -e ntlmssp.auth.username -e ntlmssp.auth.domain -e ntlmssp.auth.ntlmv2response > ntlm_hashes.txt
Pattern 4: Network Forensics
tshark -r capture.pcap -q -z follow,http,ascii,0
tshark -r capture.pcap -T fields -e frame.time -e ip.src -e ip.dst -e tcp.dstport
tshark -r capture.pcap -Y "http.content_type contains \"application/\" or ftp-data" -T fields -e frame.number -e http.content_type
tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e ip.geoip.src_country -e ip.geoip.dst_country
Pattern 5: Wireless Security Assessment
sudo tshark -i mon0 -w wireless_capture.pcap
tshark -r wireless_capture.pcap -Y "wlan.fc.type_subtype == 0x08" -T fields -e wlan.ssid -e wlan.bssid
tshark -r wireless_capture.pcap -Y "wlan.fc.type_subtype == 0x0c"
tshark -r wireless_capture.pcap -Y "eapol"
tshark -r wireless_capture.pcap -Y "wlan.fc.type_subtype == 0x04" -T fields -e wlan.sa -e wlan.ssid
Integration Points
SIEM Integration
Export packet analysis to SIEM platforms:
tshark -r capture.pcap -T ek > packets.json
tshark -r capture.pcap -Y "http" -T json -e ip.src -e ip.dst -e http.host -e http.request.uri
tshark -r capture.pcap -T fields -E separator=, -e frame.time -e ip.src -e ip.dst -e tcp.dstport > packets.csv
Scripting and Automation
#!/bin/bash
INTERFACE="eth0"
ALERT_FILTER="http contains \"cmd.exe\" or dns.qry.name contains \".tk\" or dns.qry.name contains \".xyz\""
sudo tshark -i $INTERFACE -Y "$ALERT_FILTER" -T fields -e frame.time -e ip.src -e ip.dst -e http.host -e dns.qry.name | \
while read line; do
echo "[ALERT] $(date): $line" | tee -a security_alerts.log
echo "$line" | mail -s "Security Alert" soc@company.com
done
Troubleshooting
Issue: "Permission denied" when capturing
Solutions:
sudo tshark -i eth0
sudo usermod -a -G wireshark $USER
sudo setcap cap_net_raw,cap_net_admin+eip /usr/bin/tshark
Issue: "No interfaces found"
Solutions:
tshark --version
sudo tshark -D
ip link show
ifconfig -a
Issue: Capture file is huge
Solutions:
sudo tshark -i eth0 -f "not port 22" -w capture.pcap
sudo tshark -i eth0 -w capture.pcap -b filesize:100000 -b files:5
sudo tshark -i eth0 -s 128 -w capture.pcap
Issue: Cannot decrypt TLS traffic
Solutions:
tshark -r capture.pcap -o tls.keylog_file:sslkeys.log -Y "http"
tshark -r capture.pcap -o tls.keys_list:192.168.1.100,443,http,/path/to/server.key
Defensive Considerations
Organizations should protect against unauthorized packet capture:
- Network Segmentation: Reduce exposure to packet sniffing
- Encryption: Use TLS/SSL to protect sensitive data in transit
- Switch Security: Enable port security and DHCP snooping
- Wireless Security: Use WPA3, disable broadcast SSID
- Intrusion Detection: Monitor for promiscuous mode interfaces
- Physical Security: Protect network infrastructure from tap devices
Detect packet capture activity:
- Monitor for promiscuous mode network interfaces
- Detect ARP spoofing and MAC flooding attacks
- Audit administrative access to network devices
- Monitor for unusual outbound data transfers
- Deploy network access control (802.1X)
References