Wednesday, October 15, 2014

The Power of tshark

tshark (the command line version of Wireshark), is a powerful tool for doing network forensics and investigation. For the new intrusion analyst, the GUI may be more comfortable to work in, but as powerful as Wireshark is, it has it's limitations. The larger the pcap file, the longer it will take to load into Wireshark and it's possible to crash the program or even your operating system with too large of a file.

Another limitation is getting those pcaps transferred to you analysis machine, especially if the time frame you need to investigate spans multiple files (or hours or days or weeks).

tshark is uniquely suited to parsing through large amounts of packet data, across multiple files, with all the protocol analyzing power of Wireshark AND allowing you to use every one of Wiresharks 174,000+ display fields.

If you've never worked with tshark before, don't worry. You can start out with some very basic tcpdump-like syntax and then add more filtering and/or fields to display as you go along. 

Before you start, I'd suggest bookmarking the Display Filter Reference for Wireshark, found at here.
There's an even easier way to discover what filters you want to use by actually using a running instance of Wireshark, but I'll address that later. Let's keep it in the dark spaces for now.

A simple tshark command to show you all packets with an ICMP type of 3 (destination unreachable) would be like this:
tshark -r packets1.pcap -Y "icmp.type == 3"

Simple enough. The -r means read a file in instead of sniffing an interface (the same as tcpdump), packets1.pcap is our already captured packet data file, and -Y means use this display filter, which is "icmp.type == 3". 
And here's a sample of what tshark shows:

501732 194.413516 -> ICMP 70 Destination unreachable (Fragmentation needed)

tshark also shows us the ICMP code as well for no extra cost. As we can see the destination unreachable packet was because fragmentation was needed but the Don't Fragment flag was set (refer to IANA's ICMP Parameters doc and look up ICMP Code 4 for Type 3 here.

Had we wanted to see echo requests instead destination unreachables, we would change the "3" to an 8. Echo replies would be a "0" and so forth.

Now we are seeing all default fields coming back from tshark and using just one filter. But we can specify what fields we'd like to see instead. By using the -T parameter, we can specify what we want tshark to show us: the fields, specified with the -e parameter used in conjunction with -T, pdml output (Packet Details Markup Language), ps for Postscript, psml for Packet Summary Markup Language or text, which is the default if nothing is specified. In the next command we're going to tell tshark we'd like to see ONLY the following fields:

The source IP
The destination IP
The ICMP type
The ICMP code
and only for ICMP packets of type 3, destination unreachable.

tshark -r packets1.pcap -T fields -e ip.src -e ip.dst -e icmp.type -e icmp.code  -Y "icmp.type == 3"

And our output looks like this:,  ,           3       4,  ,           3       4,,         3       3,  ,           3       3,,     3       3

Now we could create a dataset with all the destination unreachables along with the code, telling us what type of unreachable messages they are from large pcaps of data. A 'for' loop would allow us to iterate through as many pcaps as needed.

Next post, we'll use more of the display filters available, add some labeling and get our data ready for importing into a spreadsheet or doing some graphing.

No comments:

Blog Archive