Comprehensive Guide To Tcpdump (Part 2) PDF

The document discusses advanced options and data types in tcpdump that allow for more in-depth analysis of network traffic data. It covers link level headers, parsing and printing packet details, timestamp precision, user scanning, and forcing tcpdump to only show specific protocols. The overall aim is to help analyze captured network data in a faster, more efficient manner.

Hacking Articles

Raj Chandel's Blog
Comprehensive Guide to tcpdump (Part 2)


posted in PENETRATION TESTING on MARCH 19, 2020 by RAJ CHANDEL with 1 COMMENT

In the previous article on tcpdump we covered the basic functionality of the tool; if you have not read it yet, it is reproduced further down this page (Comprehensive Guide to tcpdump (Part 1)). In this part we cover some of the more advanced options and the packet types tcpdump can be told to decode, so that captured traffic can be analysed faster.

Table of Content

Link level header
Parsing and printing
User scan
Timestamp precision
Force packets
  RADIUS (Remote Authentication Dial-In User Service)
  AODV (Ad-hoc On-demand Distance Vector protocol)
  RPC (Remote Procedure Call)
  CNFP (Cisco NetFlow Protocol)
  LMP (Link Management Protocol)
  PGM (Pragmatic General Multicast)
  RTP (Real-time Transport Protocol)
  RTCP (RTP Control Protocol)
  SNMP (Simple Network Management Protocol)
  TFTP (Trivial File Transfer Protocol)
  VAT (Visual Audio Tool)
  WB (Distributed White Board)
  VXLAN (Virtual eXtensible Local Area Network)
Promiscuous mode
No promiscuous mode

Link Level Header

tcpdump can print the link-level header of each packet in addition to the network-layer summary. The -e parameter adds it to every dump line; on Ethernet and IEEE 802.11 interfaces that means the source and destination MAC addresses, the EtherType and the frame length. Because the default output hides layer 2 entirely, -e is the switch you want when the question is who on the local segment actually sent a frame (a rogue DHCP server, a gateway being impersonated) rather than which IP address it carried. Compare the two commands:

tcpdump -i eth0 -c5
tcpdump -i eth0 -c5 -e
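As an added example that is not part of the original tutorial, the following Python parses the lines that `tcpdump -e -n` prints and reports IP addresses seen coming from more than one source MAC address, which is the symptom of ARP spoofing or of a gateway being impersonated. The five input lines are constructed for the example, not taken from a real capture, and the regular expressions assume the line layout tcpdump prints for IPv4 and ARP on an Ethernet interface with `-e -n`.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample of `tcpdump -i eth0 -e -n` output (not a real capture).
# Host aa:bb:cc:00:00:03 answers for 10.0.0.2, whose real MAC is ...:02.
SAMPLE_E = """\
12:00:00.000001 aa:bb:cc:00:00:01 > aa:bb:cc:00:00:02, ethertype IPv4 (0x0800), length 74: 10.0.0.1.40000 > 10.0.0.2.80: Flags [S], seq 1, win 64240, length 0
12:00:00.000002 aa:bb:cc:00:00:02 > aa:bb:cc:00:00:01, ethertype IPv4 (0x0800), length 74: 10.0.0.2.80 > 10.0.0.1.40000: Flags [S.], seq 100, ack 2, win 65160, length 0
12:00:01.000003 aa:bb:cc:00:00:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.1 tell 10.0.0.2, length 28
12:00:01.000004 aa:bb:cc:00:00:03 > aa:bb:cc:00:00:01, ethertype ARP (0x0806), length 42: Reply 10.0.0.2 is-at aa:bb:cc:00:00:03, length 28
12:00:01.000005 aa:bb:cc:00:00:03 > aa:bb:cc:00:00:01, ethertype IPv4 (0x0800), length 60: 10.0.0.2.80 > 10.0.0.1.40000: Flags [R], seq 101, win 0, length 0
"""

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# With -e every line starts with "<time> <src mac> > <dst mac>, ethertype ...".
IP_LINE = re.compile(
    rf"^\S+ (?P<smac>{MAC}) > {MAC}, ethertype IPv4 \(0x0800\), length \d+: "
    rf"(?P<sip>{IPV4})(?:\.\d+)? > (?P<dip>{IPV4})"
)
# ARP replies bind an IP to a MAC explicitly; requests only carry the asker's IP.
ARP_REPLY = re.compile(
    rf"^\S+ (?P<smac>{MAC}) > {MAC}, ethertype ARP \(0x0806\), length \d+: "
    rf"Reply (?P<ip>{IPV4}) is-at (?P<mac>{MAC})"
)

def ip_to_macs(text: str) -> Dict[str, List[str]]:
    """Map each source IP to the sorted list of MACs it was seen from, using
    both the frame source of IPv4 lines and the is-at binding of ARP replies."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = IP_LINE.match(line)
        if m:
            seen[m["sip"]].add(m["smac"])
            continue
        m = ARP_REPLY.match(line)
        if m:
            seen[m["ip"]].add(m["mac"])
    return {ip: sorted(macs) for ip, macs in seen.items()}

def conflicts(text: str) -> Dict[str, List[str]]:
    """IPs claimed by more than one MAC; on a healthy segment this is empty."""
    return {ip: macs for ip, macs in ip_to_macs(text).items() if len(macs) > 1}

if __name__ == "__main__":
    for ip, macs in conflicts(SAMPLE_E).items():
        print(f"{ip} seen from {len(macs)} MACs: {', '.join(macs)}")
```

Feed it a real capture with `tcpdump -i eth0 -e -n -l | python3 this_script.py` after replacing the sample with `sys.stdin.read()`; a gateway IP that shows up from two MACs within a few seconds is worth an immediate look.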

Parsing and Printing

tcpdump parses each captured packet into its protocol fields and prints a one-line summary; the -x family of options prints the raw bytes behind that summary as well, up to the snapshot length (snaplen). -x prints the packet in hex starting at the network-layer header, i.e. without its link-level header; -xx prints the packet in hex including the link-level header. The two differ only in whether the 14-byte Ethernet header is part of the dump, which matters as soon as you feed the bytes to another tool and need to know at which offset the IP header starts.

tcpdump -i eth0 -c 2 -x
tcpdump -i eth0 -c 2 -xx

-X prints the same hex as -x with an ASCII column beside it, and -XX does the same for -xx (hex and ASCII including the link-level header). The ASCII column is what makes cleartext protocols readable at a glance: HTTP request lines, SMTP commands and credentials, SNMP community strings. Use the following commands:

tcpdump -i eth0 -c 2 -X
tcpdump -i eth0 -c 2 -XX
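The following Python, added here as an example and not part of the original tutorial, reverses the printing: it reassembles the bytes from the hex lines and decodes the Ethernet, IPv4 and TCP headers, validating the IPv4 checksum on the way. The two dumps it uses are constructed to look like `-xx` and `-X` output for one TCP SYN; the only assumption is Ethernet framing, which is what `-xx` includes and `-x` omits, so feeding `-xx` bytes to the `-x` decoder is caught as an error rather than producing garbage.

```python
import re
import struct
from typing import Dict

# Constructed `tcpdump -i eth0 -c 1 -xx` output (not a real capture): one
# Ethernet frame carrying an IPv4/TCP SYN. -xx includes the 14-byte link header.
SAMPLE_XX = """\
12:00:00.000000 IP 192.168.1.10.50000 > 192.168.1.20.22: Flags [S], seq 305419896, win 8192, length 0
\t0x0000:  0011 2233 4455 6677 8899 aabb 0800 4500
\t0x0010:  0028 1c46 4000 4006 9b1b c0a8 010a c0a8
\t0x0020:  0114 c350 0016 1234 5678 0000 0000 5002
\t0x0030:  2000 0000 0000
"""

# The same packet as `tcpdump -X` would print it: no link header, and an ASCII
# column after the hex (also constructed).
SAMPLE_X = """\
12:00:00.000000 IP 192.168.1.10.50000 > 192.168.1.20.22: Flags [S], seq 305419896, win 8192, length 0
\t0x0000:  4500 0028 1c46 4000 4006 9b1b c0a8 010a  E..(.F@.@.......
\t0x0010:  c0a8 0114 c350 0016 1234 5678 0000 0000  .....P...4Vx....
\t0x0020:  5002 2000 0000 0000                      P.......
"""

HEX_LINE = re.compile(r"^\s*0x([0-9a-f]{4}):\s+(.*)$", re.IGNORECASE)

def hexdump_to_bytes(text: str) -> bytes:
    """Reassemble packet bytes from tcpdump -x/-xx/-X/-XX lines. Summary lines
    are skipped; with -X/-XX the ASCII column, separated from the hex by two or
    more spaces, is dropped. Offsets are checked so that a line lost in
    copy-paste is reported instead of silently shifting every later field."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"hex dump offset {m.group(1)} does not follow {len(out)} bytes")
        hex_part = re.split(r"\s{2,}", m.group(2).strip())[0]
        out += bytes.fromhex(hex_part.replace(" ", ""))
    return bytes(out)

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_ethernet(frame: bytes) -> Dict:
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": _mac(dst), "src": _mac(src), "ethertype": ethertype, "payload": frame[14:]}

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; over a header that includes its own
    checksum field the result is 0 when the checksum is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(packet: bytes) -> Dict:
    vihl, _tos, total_len, ident, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4:
        raise ValueError(f"not an IPv4 header (version {version}); -xx output starts with the link header")
    return {"ihl": ihl, "total_length": total_len, "id": ident, "ttl": ttl, "protocol": proto,
            "checksum_ok": ip_checksum(packet[:ihl]) == 0,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "payload": packet[ihl:total_len]}

def parse_tcp(segment: bytes) -> Dict:
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", segment[:16])
    flag_bits = ((0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"), (0x04, "RST"), (0x08, "PSH"), (0x20, "URG"))
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": (off_flags >> 12) * 4, "window": window,
            "flags": [name for bit, name in flag_bits if off_flags & bit]}

def decode_xx(text: str) -> Dict:
    """-xx: link header first, then IP, then TCP when the protocol is 6."""
    eth = parse_ethernet(hexdump_to_bytes(text))
    ip = parse_ipv4(eth["payload"])
    return {"eth": eth, "ip": ip, "tcp": parse_tcp(ip["payload"]) if ip["protocol"] == 6 else None}

def decode_x(text: str) -> Dict:
    """-x: the bytes start at the IP header, there is no link header to skip."""
    ip = parse_ipv4(hexdump_to_bytes(text))
    return {"ip": ip, "tcp": parse_tcp(ip["payload"]) if ip["protocol"] == 6 else None}

if __name__ == "__main__":
    d = decode_xx(SAMPLE_XX)
    print(d["eth"]["src"], "->", d["eth"]["dst"], d["ip"]["src"], "->", d["ip"]["dst"],
          d["tcp"]["flags"], "checksum ok:", d["ip"]["checksum_ok"])
```

The checksum check is the part worth keeping: a dump whose IPv4 checksum fails after reassembly almost always means a line was dropped or mis-pasted, not a corrupt packet on the wire, because the NIC would have discarded the latter.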

User scan

The -Z option controls the privilege drop. When tcpdump runs as root, after it has opened the capture device (or the input savefile) but before it opens any savefile for output, it changes its user ID to the given user and its group ID to that user's primary group. The protocol decoders then run without root, which matters because they parse attacker-controlled bytes and have had memory-safety bugs in the past. Debian builds tcpdump to drop to the user tcpdump by default, so Kali does too; passing -Z root keeps root for the whole run and switches that protection off.

tcpdump -i eth0 -c 2 -Z root
tcpdump -i eth0 -c 2 -Z kali

The long form of the same option is --relinquish-privileges=user. One practical consequence: a file given to -w is created after the drop, so its directory must be writable by that user or tcpdump exits with a permission error.

Timestamp Precision

Every dump line starts with the time at which the packet was captured. tcpdump offers several ways of printing it, selected by repeating -t, plus a separate option --time-stamp-precision=micro|nano that sets the resolution of the values:

-t does not print a timestamp on each dump line.
-tt prints the timestamp as seconds and fractions of a second since 1970-01-01 00:00:00 UTC (the Unix epoch), the form to use when the output will be post-processed.
-ttt prints the delta between the current and the previous line, with microsecond or nanosecond resolution depending on --time-stamp-precision (microseconds by default).
-tttt prints the timestamp in the default form (hours, minutes, seconds and fractions of a second since midnight) preceded by the date.
-ttttt is like -ttt but prints the delta between the current line and the first line of the capture.

To see the differences, run:

tcpdump -i eth0 -c 2
tcpdump -i eth0 -c 2 -t
tcpdump -i eth0 -c 2 -tt
tcpdump -i eth0 -c 2 -ttt
tcpdump -i eth0 -c 2 -tttt
tcpdump -i eth0 -c 2 -ttttt
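As an added example that is not part of the tutorial, the following Python takes `-tt` output and computes what `-ttt`, `-ttttt` and `-tttt` would have printed for the same packets, then uses the deltas to flag large gaps. The four lines are constructed, not captured; dates are rendered in UTC here, whereas tcpdump uses the local timezone.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample of `tcpdump -tt -n` output (not a real capture): a TCP
# handshake followed, 1.5 s later, by the first data segment.
SAMPLE_TT = """\
1584604800.000000 IP 10.0.0.1.40000 > 10.0.0.2.80: Flags [S], seq 1, win 64240, length 0
1584604800.000250 IP 10.0.0.2.80 > 10.0.0.1.40000: Flags [S.], seq 100, ack 2, win 65160, length 0
1584604800.000310 IP 10.0.0.1.40000 > 10.0.0.2.80: Flags [.], ack 101, win 64240, length 0
1584604801.500310 IP 10.0.0.1.40000 > 10.0.0.2.80: Flags [P.], seq 2:80, ack 101, win 64240, length 78
"""

# -tt prints seconds since the epoch with 6 (micro) or 9 (nano) fraction digits.
TT_LINE = re.compile(r"^(\d+)\.(\d{6}|\d{9}) (.*)$")

def parse_tt(text: str) -> List[Dict]:
    """Split -tt lines into an integer nanosecond timestamp plus the rest of the
    line. Integers avoid the rounding a float epoch value would introduce."""
    rows = []
    for line in text.splitlines():
        m = TT_LINE.match(line)
        if not m:
            continue
        sec, frac, rest = m.groups()
        digits = len(frac)
        rows.append({"ns": int(sec) * 10**9 + int(frac) * 10**(9 - digits),
                     "digits": digits, "rest": rest})
    return rows

def _frac(ns: int, digits: int) -> str:
    """The sub-second part of ns at the capture's own precision."""
    return f"{(ns % 10**9) // 10**(9 - digits):0{digits}d}"

def fmt_delta(ns: int, digits: int) -> str:
    """Render a delta the way -ttt and -ttttt do: HH:MM:SS.fraction."""
    h, rem = divmod(ns // 10**9, 3600)
    m, s = divmod(rem, 60)
    return f"{h:02d}:{m:02d}:{s:02d}.{_frac(ns, digits)}"

def render(text: str) -> List[Dict]:
    """For every -tt line derive what -ttt (delta to the previous line),
    -ttttt (delta to the first line) and -tttt (date and time) would print.
    The date is rendered in UTC; tcpdump itself uses the local timezone."""
    rows = parse_tt(text)
    out = []
    for i, r in enumerate(rows):
        prev_ns = rows[i - 1]["ns"] if i else r["ns"]
        wall = datetime.fromtimestamp(r["ns"] // 10**9, tz=timezone.utc)
        out.append({
            "tt": f"{r['ns'] // 10**9}.{_frac(r['ns'], r['digits'])}",
            "ttt": fmt_delta(r["ns"] - prev_ns, r["digits"]),
            "ttttt": fmt_delta(r["ns"] - rows[0]["ns"], r["digits"]),
            "tttt": wall.strftime("%Y-%m-%d %H:%M:%S") + "." + _frac(r["ns"], r["digits"]),
            "rest": r["rest"],
        })
    return out

def gaps_over(text: str, threshold_ms: float) -> List[int]:
    """Indices of lines whose gap to the previous line exceeds the threshold:
    the question -ttt answers by eye when hunting latency or periodic beacons."""
    rows = parse_tt(text)
    return [i for i in range(1, len(rows))
            if rows[i]["ns"] - rows[i - 1]["ns"] > threshold_ms * 10**6]

if __name__ == "__main__":
    for row in render(SAMPLE_TT):
        print(f"{row['tt']}  {row['ttt']}  {row['ttttt']}  {row['tttt']}  {row['rest'][:40]}")
    print("gaps over 1 ms at lines:", gaps_over(SAMPLE_TT, 1.0))
```

Capturing with `-tt` and deriving the other forms afterwards is the robust workflow: the epoch value survives sorting, merging with logs from other hosts and timezone changes, none of which the human-readable forms do.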

Force Packets

The -T option tells tcpdump which decoder to apply to the packets selected by the filter expression: -T type forces the packets matched by the expression to be interpreted as the given type. It is not a filter. tcpdump already recognises most of these protocols on their standard ports; -T is for traffic that runs somewhere else, such as RADIUS on a non-default port, VXLAN on 8472 instead of 4789, or the TFTP data transfer that moves to ephemeral ports after the first request. Run without an expression, -T would try to decode every packet as that type, so pair it with a filter that selects the right flows.

The syntax is the same for every type: -T followed by the type name, then the filter expression. The types covered below are those this tutorial walks through; recent tcpdump versions also know carp, domain, pgm_zmtp1, ptp, quic, resp, someip and zmtp1.

RADIUS
RADIUS (Remote Authentication Dial-In User Service) is the protocol with which network access servers (VPN concentrators, wireless controllers, switches doing 802.1X) hand authentication, authorization and accounting over to a central server. It runs over UDP, authentication on port 1812 and accounting on 1813 (older deployments use 1645/1646). tcpdump decodes those ports by itself; -T radius is for a server listening somewhere else:
tcpdump -i eth0 -c5 -T radius udp port 1812

AODV
AODV (Ad-hoc On-demand Distance Vector, RFC 3561) is a reactive routing protocol for mobile ad hoc networks: routes are discovered with request and reply messages only when a node needs them. The messages travel in UDP on port 654:
tcpdump -i eth0 -c5 -T aodv udp port 654

RPC
A remote procedure call lets a program invoke a procedure in a program on another host without handling the network details itself. tcpdump's rpc type is Sun/ONC RPC, the protocol beneath NFS, NIS and the portmapper. Clients ask the portmapper (rpcbind, port 111) which port a given RPC program listens on, which is exactly why RPC traffic turns up on arbitrary ports and needs -T rpc to be decoded:
tcpdump -i eth0 -c5 -T rpc udp port 111

CNFP
Cisco NetFlow is the export format in which NetFlow-enabled routers and switches send traffic statistics (one record per flow) to a collector over UDP. There is no assigned port; 2055 is a common collector choice:
tcpdump -i eth0 -c5 -T cnfp udp port 2055

LMP
LMP (Link Management Protocol, RFC 4204) is a GMPLS control-plane protocol with which neighbouring nodes manage the links between them, typically in optical transport networks. It runs over UDP on port 701:
tcpdump -i eth0 -c5 -T lmp udp port 701

PGM
PGM (Pragmatic General Multicast, RFC 3208) is a reliable multicast transport that delivers an ordered sequence of packets to many receivers at once, which makes it suitable for multi-receiver file transfer and market-data feeds. Natively it runs directly over IP as protocol 113, which tcpdump already recognises; -T pgm is for PGM carried inside UDP:
tcpdump -i eth0 -c5 -T pgm udp

RTP
RTP (Real-time Transport Protocol, RFC 3550) carries media streams such as audio or video: the stream is divided into packets with a sequence number, a timestamp and a payload type and sent over UDP. The ports are negotiated per call (for example in the SDP of a SIP dialogue), so there is nothing for tcpdump to recognise automatically and -T rtp plus the negotiated port is needed:
tcpdump -i eth0 -c5 -T rtp udp port 5004

RTCP
RTCP (RTP Control Protocol) is RTP's companion protocol rather than an extension of it: it carries sender and receiver reports, participant descriptions and BYE messages for an RTP session, conventionally on the port one above the RTP port:
tcpdump -i eth0 -c5 -T rtcp udp port 5005

SNMP
SNMP (Simple Network Management Protocol) is the Internet standard for collecting information from managed devices on IP networks and, with write access, for changing their configuration. Agents listen on UDP 161 and send traps to UDP 162; both are decoded by default. SNMPv1/v2c community strings travel in cleartext, so -X on this traffic is a quick audit of weak credentials:
tcpdump -i eth0 -c5 -T snmp udp port 161

TFTP
TFTP (Trivial File Transfer Protocol) is a simple lockstep file transfer protocol, used mostly by network devices and PXE clients during boot to fetch configuration or images. Only the first request goes to UDP port 69; the server answers from an ephemeral port and the rest of the transfer runs between two ephemeral ports. A port 69 filter therefore shows only the request, and -T tftp combined with a host filter is the way to see the data blocks (192.0.2.10 stands for the TFTP server here):
tcpdump -i eth0 -c5 -T tftp udp and host 192.0.2.10

VAT
vat (Visual Audio Tool) is the audio conferencing tool written at LBNL by Van Jacobson and Steven McCanne for the MBone. Its packets travel over UDP on whatever port the session was started with:
tcpdump -i eth0 -c5 -T vat udp

WB
wb is the LBNL distributed whiteboard: users draw and type on a shared canvas that is synchronised to every other participant in the session, and a newly joined user receives everything already on the board. Like vat it runs over UDP on a per-session port:
tcpdump -i eth0 -c5 -T wb udp

VXLAN
VXLAN (Virtual eXtensible Local Area Network, RFC 7348) is a network virtualisation technology that addresses the scaling limits of VLANs in large cloud deployments. It is a MAC-in-UDP encapsulation: whole layer 2 frames are wrapped in UDP with a 24-bit network identifier (VNI). The IANA port 4789 is decoded by default; Linux and overlays such as flannel historically used 8472, which is where -T vxlan comes in:
tcpdump -i eth0 -c5 -T vxlan udp port 8472

These are the packet types the tutorial covers. In every case the expression after the type selects the packets and -T only chooses how they are printed.

Promiscuous Mode
Promiscuous mode is a setting of the network interface controller. Normally the NIC passes up to the operating system only frames addressed to its own MAC address, to the broadcast address or to a multicast group it has joined; in promiscuous mode it passes up every frame it receives, which is what makes it possible to sniff other hosts' traffic on a hub, a mirrored switch port or a tap. tcpdump puts the interface into promiscuous mode itself when it starts, so the manual step below is only needed if the interface should stay promiscuous independently of tcpdump. Note that the mode is visible to everyone on the host as the PROMISC flag, which is something a defender can check for:

ifconfig eth0 promisc
ifconfig eth0

With the interface in promiscuous mode, capture a few packets:
tcpdump -i eth0 -c 10

No Promiscuous Mode
As described above, promiscuous mode makes the NIC pass every frame it receives to the OS instead of only those destined for its own MAC address or a broadcast address, and tcpdump enables it by default because it is normally used to sniff all traffic on the wire. If only the host's own traffic is of interest, or the interface must not be touched (on a production box, or to keep the PROMISC flag out of the logs), use --no-promiscuous-mode (short form -p). It does not reset the interface: if something else has already set it promiscuous, tcpdump will still see everything, so -p is not a substitute for a filter expression on your own hardware address.
tcpdump -i eth0 -c 5 --no-promiscuous-mode

This is the second part of the series. So, get familiar with these features and stay
tuned for some advance features of tcpdump in our next article.

Author: Shubham Sharma is a Pentester and Cybersecurity Researcher. Contact on LinkedIn and Twitter.

Comprehensive Guide to tcpdump (Part 1)


posted in PENETRATION TESTING on MARCH 19, 2020 by RAJ CHANDEL with 0 COMMENT

In this article, we are going to learn about tcpdump. It is a powerful command-line tool for network packet analysis. tcpdump helps us troubleshoot network issues as well as analyse the working of some security tools.
Table of Content
Introduction
Available Options
List of interfaces
Default working
Capturing traffic of a particular interface
Packet count
Verbose mode
Printing each packet in ASCII
Don’t convert address
Port filter
Host filter
The header of each packet
TCP sequence number
Packet filter
Packet Direction
Live number count
Read and Write in a file
Snapshot length
Dump mode

Introduction
tcpdump was originally developed in 1988 by Van Jacobson, Sally Floyd, Vern Paxson and Steven McCanne, who were working in the Lawrence Berkeley Laboratory Network Research Group.

It displays the TCP/IP and other packets being received and transmitted over the network and runs on most Unix-like operating systems, Linux included. Packet capture is done through libpcap, a C library maintained alongside tcpdump. The Windows equivalent is WinDump, which uses WinPcap for its capture library.

Available Options
The following parameters print the tcpdump and libpcap version strings followed by a usage message listing all the available options:
tcpdump -h
tcpdump --help

List of interfaces
An interface is the point of interconnection between a computer and a network. The following parameter prints the list of network interfaces on which tcpdump can capture packets. Each interface is given a number, and that number can be passed to -i instead of the name to capture on that interface.

This is also a useful fallback when the usual tools cannot list the interfaces on the machine we are working on (a compatibility problem, or ifconfig -a not being available), because tcpdump asks libpcap directly.
tcpdump --list-interfaces
tcpdump -D

Default Capture
Before moving on to the advanced options and parameters of this network traffic capture tool, let's first capture with the default configuration. With no arguments tcpdump picks a default interface and prints packets until interrupted:
tcpdump

Capturing traffic of a particular interface
We will be capturing traffic on the wired Ethernet interface, which is called eth0 here. To select an interface, use the -i parameter with its name (or the number reported by -D):

tcpdump -i eth0

Packet count
tcpdump has a number of features that make traffic analysis more efficient. The -c parameter tells it to exit after the given number of packets has been received, so the output is limited to exactly the amount of data we need:

tcpdump -i eth0 -c10

Verbose mode
Verbose mode prints extra detail for each packet: for example the time to live (TTL), identification, total length and options of the IP header. It also enables additional packet integrity checks such as verifying the IP and ICMP header checksums. Use -v to get this information (-vv and -vvv are progressively more verbose):

tcpdump -i eth0 -c 5 -v

Printing each packet in ASCII
ASCII (American Standard Code for Information Interchange) is the character encoding in which the text of cleartext protocols such as HTTP, SMTP and FTP travels. The -A parameter prints each packet as ASCII (minus its link-level header), which is the quickest way to spot credentials, cookies or commands on the wire:
tcpdump -i eth0 -c 5 -A

Don't convert address
By default tcpdump resolves IP addresses to host names and port numbers to service names. -n stops it converting addresses and ports to names; -nn is the form commonly used to ask for fully numeric output. Besides being faster (no DNS queries, which would also announce the sniffing host to the resolver), it shows the real addresses and ports rather than names that may be stale or wrong. Compare:
tcpdump -i eth0 -c 5
tcpdump -i eth0 -c 5 -nn

Port filter
A port filter restricts the capture to traffic involving a particular port. port 80 matches packets whose source or destination port is 80, for TCP, UDP and other port-based protocols; use dst port or src port to pick one direction only.
tcpdump -i eth0 -c 5 -v port 80

Host filter
This filter limits the capture to traffic to or from a particular host, so we can follow a single conversation. Other parameters such as -v, -c, -A and -n can be combined with it to get extra information about that host:
tcpdump host 104.28.6.89 -c10 -A -n

The header of each packet
The headers are where each packet carries the information needed to deliver and interpret it: lengths, flags, sequence numbers and so on. -X prints every packet in hex and ASCII (without the link-level header), so both the header fields and the payload can be inspected byte by byte:
tcpdump -i eth0 -c 3 -X

TCP sequence number
Every byte in a TCP connection has a sequence number, counted from a randomly chosen initial sequence number (ISN). The SYN consumes one sequence number, so data starts at ISN+1. By default tcpdump prints relative sequence numbers after the first packet of a connection, which are easier to read; the -S parameter prints the absolute numbers instead, which is what you need when correlating with another capture or checking an ISN for predictability.

tcpdump -i eth0 -nnXS

Packet filter

Another feature provided by tcpdump is packet filtering with a filter expression. A protocol keyword such as icmp, tcp, udp or arp selects only packets of that protocol, so to look at one kind of packet we just add it to the command:

tcpdump -i eth0 icmp -c 10

Packet directions
To capture only one direction of the traffic, use the -Q parameter with in, out or inout (not every platform supports it):
tcpdump -i eth0 icmp -c 5 -Q in

To see only the requests we are sending out, use -Q out:
tcpdump -i eth0 icmp -c 5 -Q out

Live number count

The --number parameter prints a packet number at the beginning of each dump line, so we can see how many packets have been captured so far during a live capture. We compared this running number with the -c packet count to confirm it is accurate.

Read and write in a file

tcpdump can write the captured packets to a .pcap file and read them back. Write (-w) saves the raw packets to a file in pcap format, which any other pcap-aware tool (Wireshark, tshark) can open; read (-r) replays that file through tcpdump's printer, with all the same options available. To write output to a .pcap file:
tcpdump -i eth0 icmp -c 10 -w file.pcap

To read the .pcap file:

tcpdump -r file.pcap

Snapshot length
The snapshot length (snaplen) is the number of bytes tcpdump keeps from each packet; the default is 262144 bytes, enough for a whole packet on any ordinary link. With -s we can lower that limit, for instance to capture only headers when payloads are sensitive or disk space is short. Packets longer than the snaplen are truncated and tcpdump marks the truncated protocol in its output:
tcpdump -i eth0 icmp -s10 -c2
tcpdump -i eth0 icmp -s25 -c2
tcpdump -i eth0 icmp -s40 -c2
tcpdump -i eth0 icmp -s45 -c2

Dump mode
Dump mode shows the filter expression after tcpdump has compiled it into a BPF program, and exits without capturing anything. -d dumps the compiled packet-matching code in a human-readable form, -dd dumps it as a C program fragment and -ddd dumps it as decimal numbers preceded by a count. This is how to check exactly what a filter expression will accept before trusting it on a long capture:

tcpdump -i eth0 -c 5 -d
tcpdump -i eth0 -c 5 -dd
tcpdump -i eth0 -c 5 -ddd
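The program that -ddd prints is a classic BPF program, the same instruction set the kernel runs for socket filters and seccomp. The following Python, added here as an example and not part of the tutorial, parses that output for the expression icmp (the listing is what tcpdump prints for `tcpdump -ddd icmp` on an Ethernet interface, typed in here rather than captured on the tutorial's machine), disassembles it the way -d does, and executes it over two constructed Ethernet frames to show that the filter accepts an ICMP packet and rejects a TCP one. Only the subset of BPF that such filters use is implemented.

```python
import struct
from typing import List, Tuple

# What `tcpdump -ddd icmp` prints for the expression "icmp" on an Ethernet
# interface: a count line, then "code jt jf k" per instruction.
DDD_ICMP = """\
6
40 0 0 12
21 0 3 2048
48 0 0 23
21 0 1 1
6 0 0 262144
6 0 0 0
"""

Insn = Tuple[int, int, int, int]   # code, jt, jf, k

def parse_ddd(text: str) -> List[Insn]:
    lines = [l for l in text.splitlines() if l.strip()]
    insns = [tuple(int(x) for x in l.split()) for l in lines[1:]]
    if len(insns) != int(lines[0]) or any(len(i) != 4 for i in insns):
        raise ValueError("malformed -ddd output")
    return insns

# Classic BPF opcode layout (bpf.h): class in the low 3 bits, operand size in
# bits 3-4, addressing mode in bits 5-7; jump condition in bits 4-7 for BPF_JMP.
LD, JMP, RET = 0x00, 0x05, 0x06
SIZES = {0x00: 4, 0x08: 2, 0x10: 1}                 # BPF_W, BPF_H, BPF_B
JUMPS = {0x00: "ja", 0x10: "jeq", 0x20: "jgt", 0x30: "jge", 0x40: "jset"}

def disasm(insns: List[Insn]) -> List[str]:
    """Render instructions in the style of `tcpdump -d` (absolute jump targets)."""
    out = []
    for pc, (code, jt, jf, k) in enumerate(insns):
        cls = code & 0x07
        if cls == LD and code & 0xE0 == 0x20:
            op = {4: "ld", 2: "ldh", 1: "ldb"}[SIZES[code & 0x18]]
            out.append(f"({pc:03d}) {op:<4} [{k}]")
        elif cls == JMP:
            op = JUMPS[code & 0xF0]
            if op == "ja":
                out.append(f"({pc:03d}) ja   {pc + 1 + k}")
            else:
                out.append(f"({pc:03d}) {op:<4} #0x{k:x} jt {pc + 1 + jt} jf {pc + 1 + jf}")
        elif cls == RET:
            out.append(f"({pc:03d}) ret  " + ("a" if code & 0x18 == 0x10 else f"#{k}"))
        else:
            out.append(f"({pc:03d}) <unsupported code 0x{code:02x}>")
    return out

def run(insns: List[Insn], packet: bytes) -> int:
    """Execute the filter over one link-layer frame and return the number of
    bytes to keep (0 = packet rejected), as the kernel's BPF interpreter would.
    Implemented: absolute/immediate/length loads, K-relative jumps, returns."""
    acc, pc = 0, 0
    while pc < len(insns):
        code, jt, jf, k = insns[pc]
        cls = code & 0x07
        if cls == LD:
            mode = code & 0xE0
            if mode == 0x20:                          # BPF_ABS: packet[k : k+size]
                width = SIZES[code & 0x18]
                if k + width > len(packet):           # out-of-bounds load rejects
                    return 0
                acc = int.from_bytes(packet[k:k + width], "big")
            elif mode == 0x00:                        # BPF_IMM
                acc = k
            elif mode == 0x80:                        # BPF_LEN
                acc = len(packet)
            else:
                raise NotImplementedError(f"load mode 0x{mode:02x}")
        elif cls == JMP:
            if code & 0x08:                           # BPF_X: compare with index register
                raise NotImplementedError("jumps against X are not modelled")
            op = code & 0xF0
            if op == 0x00:
                pc += k
            else:
                taken = {0x10: acc == k, 0x20: acc > k, 0x30: acc >= k, 0x40: bool(acc & k)}[op]
                pc += jt if taken else jf
        elif cls == RET:
            return acc if code & 0x18 == 0x10 else k
        else:
            raise NotImplementedError(f"opcode 0x{code:02x}")
        pc += 1
    raise RuntimeError("filter fell off the end of the program")

def frame(ip_proto: int) -> bytes:
    """Constructed Ethernet/IPv4 frame with the given IP protocol and no payload."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, 0, 64, ip_proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip

if __name__ == "__main__":
    prog = parse_ddd(DDD_ICMP)
    print("\n".join(disasm(prog)))
    print("icmp frame ->", run(prog, frame(1)), "| tcp frame ->", run(prog, frame(6)))
```

Reading the disassembly is the point: the filter loads the EtherType at offset 12, compares it with 0x800, loads the IP protocol byte at offset 23 and compares it with 1. Offsets like 12 and 23 change with the link type, which is why a filter compiled for eth0 (`-i eth0 -d`) differs from one compiled for a savefile captured on a different link type.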

This is our first article in the series of a comprehensive guide to tcpdump, covering its basic commands. Stay tuned for the more advanced options of this tool.

Author: Shubham Sharma is a Pentester and a Cybersecurity Researcher. Contact on LinkedIn and Twitter.

Beginners Guide to TShark (Part 3)


posted in PENETRATION TESTING on FEBRUARY 28, 2020 by RAJ CHANDEL with 1 COMMENT

This is the third instalment in the Beginners Guide to TShark Series. Please find the
first and second instalments below.

Beginners Guide to TShark (Part 1)


Beginners Guide to TShark (Part 2)

TL; DR

In this part, we will understand the reporting functionalities and some additional tricks that we found while tinkering with TShark.

Table of Content

Version Information
Reporting Options
  Column Formats
  Decodes
  Dissector Tables
  Elastic Mapping
  Field Count
  Fields
  Fundamental Types
  Heuristic Decodes
  Plugins
  Protocols
  Values
  Preferences
  Folders
PyShark
  Installation
  Live Capture
  Pretty Representation
  Captured Length Field
  Layers, Src and Dst Fields
  Promisc Capture

Version Information
Let's begin with a very simple command, so that the practicals performed in this article and the previous ones can be correlated with the version shown in the image below. This parameter prints the version information of the installed TShark:
tshark -v

Reporting Options
During any network capture or investigation there is a need for reports, so that findings can be shared with the team and with superiors as validated proof of activity inside the network. For this TShark provides the -G option, which makes TShark print one of several built-in reports (the official manual calls them glossaries) and exit. The following lists the available report types:
tshark -G help

Column Formats
From our previous practicals we know that Column Formats is one of the reports available. Running the command below prints the list of column format specifiers that can be used when laying out a custom column view for a report: VLAN id, date, time, destination address, destination port, packet length, protocol and so on.

tshark -G column-formats

Decodes
This report has three fields per record, one record per line: the name of the dissector table (for example s1ap.proc.sout or tcp.port), the selector value in that table in decimal, and the name of the dissector applied to packets matching that selector. We piped the output through head because it is too long to fit in a screenshot:
tshark -G decodes | head

Dissector Tables
Most readers are already familiar with the concept of a dissector; in short, a dissector is a protocol parser. The dissector-tables report has six fields per record: the dissector table name, the name used for the table in the GUI, the type, the base used for display, the protocol name and the "decode as" support flag.

Elastic Mapping
A mapping is the outline of the documents stored in an Elasticsearch index: it declares the data type of each field in a document. The elastic-mapping report prints the mapping TShark generates for its dissected fields, ready to be loaded into Elasticsearch so that captures exported with -T ek are indexed with the right types. Because of the amount of data printed we used head again:
tshark -G elastic-mapping | head

Field Count
Sometimes we need to know how many header fields the registration database holds. The fieldcount report prints that number; as the image below shows, this build has 2522 protocols and 215000 fields were pre-allocated.
tshark -G fieldcount

Fields

TShark can also dump the contents of the registration database. The output of this report is not as easy to read as the others, so it is usually post-processed with another tool. Each record is either a protocol or a header field, differentiated by the first field: P for a protocol, F for a header field. Protocol records have two more fields, the descriptive protocol name and its abbreviation. Header field records have seven more: descriptive name, abbreviation, type, parent protocol abbreviation, base for display, bitmask and a blurb describing the field.
tshark -G fields | head
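The following Python, added here as an example (it is not the tutorial's code), parses the -G fields layout into an index keyed by abbreviation and uses it for two checks a practitioner actually runs: listing the fields of one protocol, and validating the field names used in a display filter before a long capture is run with it. The excerpt is constructed in the documented tab-separated column layout, not copied from a real Wireshark build.

```python
from typing import Dict, List

# Constructed excerpt in the layout of `tshark -G fields` (tab-separated, one
# record per line): P records are protocols, F records are header fields.
# The values are illustrative, not copied from a real build.
SAMPLE_FIELDS = (
    "P\tInternet Protocol Version 4\tip\n"
    "F\tVersion\tip.version\tFT_UINT8\tip\tBASE_DEC\t0xf0\t\n"
    "F\tTime to Live\tip.ttl\tFT_UINT8\tip\tBASE_DEC\t0x0\t\n"
    "P\tTransmission Control Protocol\ttcp\n"
    "F\tSource Port\ttcp.srcport\tFT_UINT16\ttcp\tBASE_PT_TCP\t0x0\t\n"
    "F\tFlags\ttcp.flags\tFT_UINT16\ttcp\tBASE_HEX\t0xfff\t\n"
    "F\tSyn\ttcp.flags.syn\tFT_BOOLEAN\ttcp\t12\t0x2\tSYN flag\n"
)

# The seven columns that follow the leading "F" of a header-field record.
F_COLUMNS = ("name", "abbrev", "type", "parent", "base", "bitmask", "blurb")

def parse_fields(text: str) -> Dict[str, Dict]:
    """Index the report by abbreviation. Protocols get kind 'P' with a name;
    header fields get kind 'F' plus the seven documented columns, with the
    bitmask converted from its 0x... text to an int."""
    index: Dict[str, Dict] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        cols = line.split("\t")
        if cols[0] == "P" and len(cols) == 3:
            index[cols[2]] = {"kind": "P", "name": cols[1]}
        elif cols[0] == "F" and len(cols) == 8:
            rec = dict(zip(F_COLUMNS, cols[1:]))
            rec["kind"] = "F"
            rec["bitmask"] = int(rec["bitmask"], 16)
            index[rec["abbrev"]] = rec
        else:
            raise ValueError(f"line {lineno}: unexpected record {cols[0]!r} with {len(cols)} columns")
    return index

def fields_of(index: Dict[str, Dict], proto: str) -> List[str]:
    """All header-field abbreviations registered under a protocol, in report order."""
    return [abbrev for abbrev, rec in index.items() if rec["kind"] == "F" and rec["parent"] == proto]

def unknown_filter_names(index: Dict[str, Dict], names: List[str]) -> List[str]:
    """Names used in a display filter that are neither a registered field nor a
    protocol. tshark rejects such a filter, which is better found before a long
    capture than after it."""
    return [n for n in names if n not in index]

def dangling_parents(index: Dict[str, Dict]) -> List[str]:
    """Fields whose parent protocol has no P record; a sign of a truncated report."""
    return [a for a, rec in index.items() if rec["kind"] == "F" and rec["parent"] not in index]

if __name__ == "__main__":
    idx = parse_fields(SAMPLE_FIELDS)
    print("tcp fields:", fields_of(idx, "tcp"))
    print("unknown names:", unknown_filter_names(idx, ["ip.ttl", "tcp.flgs", "udp"]))
```

On a real system replace SAMPLE_FIELDS with the output of `tshark -G fields` (it is large, so cache it to a file); the same index also answers which fields carry a bitmask and which type a field has, both of which decide whether a comparison in a filter makes sense.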

Fundamental Types
TShark can also report the fundamental types (ftypes) that fields are built from. This report has only two fields per record, the FTYPE name and its description:

tshark -G ftypes

Heuristic Decodes
Listing the dissectors that are applied heuristically (by inspecting packet content rather than by port) is something that should be readily available, and the heuristic-decodes report provides it. It prints every heuristic decode currently registered, in three fields: the underlying dissector, the name of the heuristic dissector and whether it is enabled (T) or not (F).
tshark -G heuristic-decodes

Plugins

Plugins are an important report among TShark's reporting options. As the name states, it prints all the plugins that are installed, with the plugin library, plugin version, plugin type and the path where the plugin is located:
tshark -G plugins

Protocols
To see the protocols recorded in the registration database, use the protocols report. This output is also somewhat hard to read, so a third-party tool may help to beautify it. It prints three fields: the protocol name, the short name and the filter name.
tshark -G protocols | head

Values
The values report lists value strings, range strings and true/false strings. There are three kinds of record, identified by the first field:

V: Value Strings

R: Range Strings

T: True/False Strings

A value string record then carries the field abbreviation, the integer value and the string; a range string record carries the same except that it holds a lower bound and an upper bound instead of one value.
tshark -G values | head

Preferences
To review the preferences currently configured on the system, the currentprefs report prints the preferences as they would be saved to the preferences file:
tshark -G currentprefs | head

Folders
Suppose the user wants to edit the configuration by hand, look up program information, check the Lua configuration or find some other important file. The paths to those files are needed, and this is where the folders report comes in handy:
tshark -G folders

Since we have talked so extensively about TShark, it would not be fair to skip the tool that depends entirely on TShark for its data. Let's talk about PyShark.

PyShark
PyShark is a Python wrapper that allows packet parsing from Python using the TShark dissectors. Many tools do a similar job; the difference is that PyShark runs tshark and parses its XML output rather than dissecting packets itself. You can read more about it on its GitHub page.

Installation

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
As the PyShark was developed using Python 3 and we don’t Python 3 installed on
our machine. We installed Python3 as shown in the image given below.
1 apt install python3

PyShark is available through the pip. But we don’t have the pip for python 3 so we
need to install it as well.
1 apt install python3-pip

Since we now have python3 with pip, we will install PyShark using the pip command.
You can also install PyShark by cloning the git repository and running its setup
script.
pip3 install pyshark

Live Capture
To get started, we need the Python interpreter; to get it we type python3 and press
Enter. The very first thing we do in the interpreter is import PyShark. Then we
define the network interface for the capture, followed by the value of the timeout
parameter for the capture.sniff function. At last, we begin the capture. Here we
can see that in the timeframe that we provided, PyShark captured 9 packets.
python3
import pyshark
capture = pyshark.LiveCapture(interface='eth0')
capture.sniff(timeout=5)
capture

Pretty Representation
There are multiple ways in which PyShark can represent the data inside a captured
packet. In the previous practical, we captured 9 packets. Let’s take a look at the
first packet that was captured with PyShark. Here we can see that we get a
layer-wise analysis with the ETH layer, the IP layer, and the TCP layer.
capture[1].pretty_print()

Captured Length Field
In our capture, we saw that a packet can consist of multiple attributes, and these
attributes are stored in fields. To explore those fields, we use the dir function in
Python. We took a packet, assigned it to a variable named pkt, and then used dir on
pkt to list the fields available on that particular capture. Here we can see the
pretty_print function that we used in the previous practical, and also a field
called captured_length. To read it, we write the name of the variable followed by
the name of the field with a period (.) in between, as depicted in the image below.
capture[2]
pkt = capture[2]
pkt
dir(pkt)
pkt.captured_length

Layers, Src and Dst Fields
When we listed the fields in the previous step, we saw another field named layers.
We read its contents as we did earlier and found that this capture has 3 layers. To
look into an individual layer, we need the fields of that layer, so we use the dir
function again, this time on the ETH layer, as shown in the image given below. We
observe that it has a field named src, meaning source, and dst, meaning
destination. We checked the values of those fields to find the physical (MAC)
addresses of the source and destination respectively.
pkt.layers
pkt.eth.src
pkt.eth.dst
pkt.eth.type

For our next step, we need the fields of the IP layer. We used the dir function on
the IP layer and then read the src and dst fields of this layer. Here we see IP
addresses, since this is the IP layer: the Ethernet layer works with MAC addresses
and so stores the MAC addresses of the source and the destination, which change to
IP addresses when we come to the IP layer.
dir(pkt.ip)
pkt.ip.src
pkt.ip.dst
pkt.ip.pretty_print()

Similarly, we can use the dir function and read the field values on any layer of the
capture. This makes investigation of the capture much easier.

Promisc Capture
In previous articles we learned about promiscuous (promisc) mode, which means that
the network interface card passes all frames it receives up to the operating system
for processing, versus the traditional mode of operation in which only frames
destined for the NIC’s MAC address or a broadcast address are passed up to the OS.
Generally, promiscuous mode is used to “sniff” all traffic on the wire. But we got
stuck once we had configured the network interface card to work in promisc mode. So
while capturing traffic with TShark we can switch between the normal capture and
the promisc capture using the -p parameter, which tells TShark not to put the
interface into promiscuous mode, as shown in the image given below.
ifconfig eth0 promisc
ifconfig eth0
tshark -i eth0 -c 10
tshark -i eth0 -c 10 -p

Author: Shubham Sharma is a Pentester, Cybersecurity Researcher and Enthusiast,
contact here.

Beginners Guide to TShark (Part 2)
posted in PENETRATION TESTING on FEBRUARY 19, 2020 by RAJ CHANDEL with 0 COMMENT

In the previous article, we learned about the basic functionalities of this wonderful
tool called TShark. If you haven’t read it yet, click here.

TL;DR

In this part, we will cover the statistical functionalities of TShark. We will
understand the different ways in which we can sort our traffic capture so that we
can analyse it faster and more effectively.

Table of Contents
Statistical Options
Protocol Hierarchy Statistics
Read Filter Analysis
Endpoints Analysis
Conversation Analysis
Expert Mode Analysis
Packet Distribution Tree
Packet Length Tree
Color Based Output Analysis
Ring Buffer Analysis
Auto-Stop
Duration
File Size

Data-Link Types

Statistical Options
TShark collects different types of Statistics and displays their result after finishing
the reading of the captured file. To accomplish this, we will be using the “-z”
parameter with TShark. Initially, to learn about all the different options inside the
“-z” parameter, we will be running the TShark with the “-z” parameter followed by
the help keyword. This gives us an exhaustive list of various supported formats as
shown in the image given below.

Protocol Hierarchy Statistics
Using TShark we can create a protocol-based hierarchy statistic listing the number
of packets and bytes, using the “io,phs” option of the “-z” parameter. If no filter
is given after the “io,phs” option, the statistics are calculated for all the
packets in scope; if a specific filter is provided, TShark calculates statistics only
for the packets that match the filter provided by the user. For our demonstration,
we first captured some traffic and wrote it to a pcap file using the techniques we
learned in part 1 of this article series. Then we read the traffic from the file and
sorted the data into a protocol hierarchy. Here we can observe the frame count, the
size of the packets in bytes, and the protocol used for the transmission.
tshark -r wlan.pcap -z io,phs

Read Filter Analysis
During the first-pass analysis of the packets, the specified read filter (which
uses the syntax of read/display filters, rather than that of capture filters) is
applied. Packets that do not match the filter are not considered for further passes.
This parameter makes sense with multiple passes. Note that forward-looking fields
such as “response in frame #” cannot be used with this filter, since they will not
have been calculated when the filter is applied. The “-2” parameter performs a
two-pass analysis. This causes TShark to buffer output until the entire first pass
is done, but allows it to fill in fields that require future knowledge; it also
permits reassembly frame dependencies to be calculated correctly. Here we can see
two different analyses: the first is a single-pass analysis with the filter given
as part of the statistic, and the second is the two-pass analysis with the “-R” read
filter.
tshark -r wlan.pcap -z io,phs,udp -q
tshark -r wlan.pcap -z io,phs -q -2 -R udp

Endpoints Analysis
Our next statistics option is “endpoints”. It creates a table listing all endpoints
that could be seen in the capture. The type given with the endpoints option
specifies the endpoint type for which we want to generate the statistics.

The list of endpoint types supported by TShark is:

Sno.  Filter       Description
1     “bluetooth”  Bluetooth addresses
2     “eth”        Ethernet addresses
3     “fc”         Fibre Channel addresses
4     “fddi”       FDDI addresses
5     “ip”         IPv4 addresses
6     “ipv6”       IPv6 addresses
7     “ipx”        IPX addresses
8     “jxta”       JXTA addresses
9     “ncp”        NCP addresses
10    “rsvp”       RSVP addresses
11    “sctp”       SCTP addresses
12    “tcp”        TCP/IP socket pairs (both IPv4 and IPv6 supported)
13    “tr”         Token Ring addresses
14    “usb”        USB addresses
15    “udp”        UDP/IP socket pairs (both IPv4 and IPv6 supported)
16    “wlan”       IEEE 802.11 addresses

If we have specified a filter, the statistics are calculated only for the packets
matching that filter. A table like the one in the image shown below is generated by
picking up a single line for each endpoint and displaying, against it, the number
of packets and bytes in each direction as well as the total number of packets and
bytes. By default this table is sorted by the total number of frames.

tshark -r wlan.pcap -z endpoints,wlan -q | head
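As an added example that ties this endpoints table back to the PyShark field access shown earlier (pkt.ip.src, pkt.ip.dst, pkt.length), the following script, which is not from the article or the PyShark project, rebuilds an ip endpoints table from packets read with pyshark.FileCapture; the packets it is exercised with offline are constructed stand-ins, and the pcap path is assumed.

```python
"""Build TShark's "-z endpoints,ip" table from packets read with PyShark.
Added example, not from the article or the PyShark project. The tabulation works
on any objects exposing ``.ip.src``, ``.ip.dst`` and ``.length`` (the attribute
names PyShark gives, as used in the Layers, Src and Dst Fields section), so it
runs offline on constructed packets; ``main`` feeds it a real capture through
pyshark.FileCapture and assumes the pcap file exists."""
from collections import defaultdict
from types import SimpleNamespace
from typing import Dict, Iterable, List, Tuple

COLUMNS = ("pkts", "bytes", "tx_pkts", "tx_bytes", "rx_pkts", "rx_bytes")

def tabulate_ip_endpoints(packets: Iterable) -> Dict[str, Dict[str, int]]:
    """Per-address packet/byte totals, split into Tx (as source) and Rx (as
    destination). Packets without an IP layer (ARP, 802.11 management, ...)
    are skipped, as the ip endpoint statistic ignores them."""
    stats: Dict[str, Dict[str, int]] = defaultdict(lambda: dict.fromkeys(COLUMNS, 0))
    for pkt in packets:
        if not hasattr(pkt, "ip"):  # PyShark raises AttributeError for a missing layer
            continue
        size = int(pkt.length)      # frame length; PyShark exposes it as a string
        src, dst = str(pkt.ip.src), str(pkt.ip.dst)
        stats[src]["tx_pkts"] += 1
        stats[src]["tx_bytes"] += size
        stats[dst]["rx_pkts"] += 1
        stats[dst]["rx_bytes"] += size
        for addr in {src, dst}:     # a set, so src == dst counts once in the totals
            stats[addr]["pkts"] += 1
            stats[addr]["bytes"] += size
    return dict(stats)

def sorted_rows(stats: Dict[str, Dict[str, int]]) -> List[Tuple[str, Dict[str, int]]]:
    """Rows ordered like TShark's table: by total packets, descending."""
    return sorted(stats.items(), key=lambda kv: kv[1]["pkts"], reverse=True)

def fake_packet(src: str, dst: str, length: int) -> SimpleNamespace:
    """Constructed stand-in for a PyShark packet with an IP layer (offline use)."""
    return SimpleNamespace(ip=SimpleNamespace(src=src, dst=dst), length=str(length))

def main(path: str, display_filter: str = "ip") -> None:
    import pyshark  # imported here so the tabulation stays importable without tshark
    cap = pyshark.FileCapture(path, display_filter=display_filter)
    rows = sorted_rows(tabulate_ip_endpoints(cap))
    cap.close()
    print(f"{'Address':<16}" + "".join(f"{c:>9}" for c in COLUMNS))
    for addr, s in rows:
        print(f"{addr:<16}" + "".join(f"{s[c]:>9}" for c in COLUMNS))

if __name__ == "__main__":
    import sys
    main(sys.argv[1] if len(sys.argv) > 1 else "wlan.pcap")  # wlan.pcap as in the article
```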

Conversation Analysis
Let’s move on to the next option, which is quite similar to the previous one: the
“conversation” statistic (conv). It creates a table listing all conversations that
could be seen in the capture. The type given with the conv option specifies the
conversation type for which we want to generate the statistics.

If we have specified a filter, the statistics are calculated only for the packets
matching that filter. The table is generated by picking up a single line for each
conversation and displaying, against it, the number of packets and bytes in each
direction, the total number of packets and bytes, as well as the direction in
which the conversation travels. By default this table is sorted by the total number
of frames.
tshark -r wlan.pcap -z conv,wlan -q | head

Expert Mode Analysis
The TShark statistics module has an expert mode. It collects a large amount of data
based on Expert Info and then prints this information in a specific order. All this
data is grouped by severity, such as Errors, Warnings, etc. We can use the expert
mode with a particular protocol as well; in that case, it will display all the
expert items of that particular protocol.
tshark -r wlan.pcap -z expert -q | head

Packet Distribution Tree
In this option, we take the traffic from a capture and run it through the
“http,tree” option of the “-z” parameter to count the HTTP requests, their methods
and their status codes. This is a rather modular approach that is very easy to
understand and analyse. In our case, we took the capture that we recorded earlier
and ran it through the tree option, which told us that a total of 126 requests were
generated, of which 14 received “200 OK”. This means that the rest of them either
got back an error or were redirected to another server, returning a 3XX-series
status code.
tshark -r wlan.pcap -z http,tree -q

Packet Length Tree
As long as we are talking about the tree option, let’s explore it a bit more. There
are a large variety of ways in which we can combine the tree option with other
options. To demonstrate that, we decided to use the packet length option (plen)
with the tree option. This sorts the data by packet size and generates a table from
it. The table does not only consist of the length ranges of the packets; it also
holds the count of packets in each range, the minimum length seen within the range,
and the size and percentage of the packets that fall inside each packet length
range.
tshark -r wlan.pcap -z plen,tree -q

Color Based Output Analysis
Note: Your terminal must support color output in order for this option to work
correctly.

We can enable coloring of packets according to the standard Wireshark coloring
rules. On Windows, colors are limited to the standard console character attribute
colors. With this option, the colors are applied according to the display filter
of each coloring rule. This helps in quickly locating a specific packet among a
bunch of similar packets; it also helps in locating handshakes in communication
traffic. This can be enabled using the following command.
tshark -r color.pcap --color

Ring Buffer Analysis
With the -b parameter, TShark runs in “multiple files” mode. In this mode, TShark
writes into several capture files. When the first capture file fills up to a
certain capacity, TShark switches to the next file, and so on. The base name of the
files we want to create is given with the -w parameter; the file number, creation
date and creation time are concatenated with the name provided to -w to form the
complete name of each file.

With the files option, TShark fills up new files until the specified number of files
is reached; at that moment it discards the data in the first file and starts
writing to that file again, and so on. If the files option is not set, new files are
filled up until one of the capture stop conditions matches or until the disk is
full.

There are a lot of criteria upon which the ring buffer works, but in our
demonstration we used 2 of them: files and filesize.

files:value begins again with the first file after value files have been written
(forming a ring buffer). This value must be less than 100000.

filesize:value switches to the next file after it reaches a size of value kB. Note
that the file size is limited to a maximum value of 2 GiB.
tshark -i eth0 -w packetsbuffer.pcap -b filesize:1 -b files:3

Auto-Stop
Among the huge array of options, we have one called auto-stop (-a). As the name
tells us, it stops the traffic capture after the given criterion is matched.

Duration

We have a couple of criteria available; in our demonstration, we used the duration
criterion. We specified the duration as 10. This value is in seconds. So, the
capture tells us that in the time of 10 seconds, we captured 9 packets.
tshark -i eth0 -a duration:10

File Size

Another criterion for the auto-stop option is the file size. TShark stops writing to
the specified capture file after it reaches the size provided by the user. In our
demonstration, we set the filesize to 1. This value is in kB. We used the directory
listing command to show that the capture was terminated as soon as the file reached
the size of 1 kB.
tshark -i eth0 -w 1.pcap -a filesize:1

Data-Link Types

At last, we can also list the data-link types that TShark can capture with on the
selected interface. For that we use an independent parameter, “-L”. In our
demonstration, we used the “-L” parameter to show that we have data-link types like
EN10MB, used for Ethernet traffic, among others.
tshark -L

Author: Shubham Sharma is a Pentester, Cybersecurity Researcher and Enthusiast,
contact here.
