NETWORK PENETRATION TESTING
Ignite Technologies
Where we are today
What is Network Traffic?
Introduction to TShark
Capture Traffic
Read & Write in a File
Output Formats & Display Filters
Endpoints Analysis
What is Network Traffic?

"Network traffic (or data traffic) is the amount of data transferred across the network at a given point in time."

Analyzing network packets therefore supports network security: monitoring the traffic lets us spot an unusual amount of data, which can indicate a possible attack.

"Network traffic volume is the measure of the total work done, i.e. the average data traffic intensity over the time period of the network data packet study."
Introduction to TShark

"TShark is the console (command-line) version of Wireshark: a network protocol analyzer that captures and analyzes network traffic in real time."

TShark Features
A powerful command line that can do nearly everything the Wireshark GUI does.
Powerful dissectors (decoders) and filters.
Captures packet data from the different network layers and displays it in different output formats.
Reads .pcap files to analyze the recorded traffic and dig into the details of those connections.
"TShark comes pre-installed in Kali Linux." So, let's start!

Live capture needs capture privileges: run tshark as root, or add your user to the wireshark group so that the dumpcap capture helper can open the interface.

Help Command
tshark -h
Prints the usage text with all command-line options.

List Interfaces
tshark -D
Prints a list of all the interfaces whose traffic it can capture.
Capture Traffic

Basic Capture
Generate some traffic from a second terminal, then capture on the interface:
ping [Link]
tshark -i eth0
Promiscuous Mode

Promiscuous mode is a mode of the network interface controller in which it passes every frame it receives up to the host, rather than only the frames addressed to its own MAC address (plus broadcast and multicast).

This mode is normally used for packet sniffing, on a router or on a computer connected to a wired network or LAN. On a switched LAN the switch only forwards frames destined for your port (plus broadcast and flooded frames), so promiscuous mode alone does not reveal other hosts' unicast traffic; a mirror (SPAN) port or a hub is needed for that.

ping [Link]
ifconfig eth0 promisc
tshark -i eth0

TShark puts the capture interface into promiscuous mode by itself by default (-p disables this), so the ifconfig step is only needed if you want the interface left in that state. ifconfig is deprecated on current distributions; the equivalent is ip link set eth0 promisc on.
Packet Count

The -c parameter stops the capture after exactly the given number of packets has been captured and displays them.
tshark -i eth0 -c 10
Read & Write in a File

The -w (write) option writes the raw packet data to a capture file instead of printing decoded packets. Current TShark versions write pcapng by default; add -F pcap if another tool needs the classic libpcap format.
tshark -i eth0 -c 10 -w [Link]

The -r (read) option reads packets from a saved capture file instead of a live interface, so the same dissection, filters and output formats can be applied to them.
tshark -r [Link]
Output Formats

TShark can print the decoded packets in several output formats; -T sets the format so the output suits the consumer, whether a human reader or a script.
tshark -T x
Here x is one of pdml, psml, ps, json, jsonraw, ek, text, fields or tabs.
PDML
PDML stands for Packet Details Mark-Up Language, an XML-based output format that contains every decoded field of every packet.
tshark -r [Link] -T pdml
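Added example, not from the original deck: a Python parser for the PDML output described above. It walks each <packet>, reads the protocol stack, looks up fields by name (nested fields included) and rebuilds a one-line summary per packet. The embedded PDML is constructed to match the element and attribute layout tshark emits (proto, field, name/show); real output also carries a leading geninfo proto and far more fields. The helper names are mine.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `tshark -r file -T pdml` output.
# Only the fields this script uses are included; tshark prints many more.
SAMPLE_PDML = """<?xml version="1.0"?>
<pdml version="0" creator="wireshark/3.6.2">
<packet>
  <proto name="frame" showname="Frame 1: 74 bytes on wire">
    <field name="frame.number" showname="Frame Number: 1" show="1"/>
    <field name="frame.len" showname="Frame Length: 74 bytes" show="74"/>
  </proto>
  <proto name="eth" showname="Ethernet II"/>
  <proto name="ip" showname="Internet Protocol Version 4">
    <field name="ip.src" showname="Source Address: 10.0.0.5" show="10.0.0.5"/>
    <field name="ip.dst" showname="Destination Address: 93.184.216.34" show="93.184.216.34"/>
  </proto>
  <proto name="tcp" showname="Transmission Control Protocol">
    <field name="tcp.srcport" showname="Source Port: 51234" show="51234"/>
    <field name="tcp.dstport" showname="Destination Port: 80" show="80"/>
    <field name="tcp.flags" showname="Flags: 0x002 (SYN)" show="0x0002" value="0002">
      <field name="tcp.flags.syn" showname="Syn: Set" show="1"/>
    </field>
  </proto>
</packet>
<packet>
  <proto name="frame" showname="Frame 2: 98 bytes on wire">
    <field name="frame.number" show="2"/>
    <field name="frame.len" show="98"/>
  </proto>
  <proto name="eth" showname="Ethernet II"/>
  <proto name="ip" showname="Internet Protocol Version 4">
    <field name="ip.src" show="10.0.0.5"/>
    <field name="ip.dst" show="8.8.8.8"/>
  </proto>
  <proto name="icmp" showname="Internet Control Message Protocol">
    <field name="icmp.type" showname="Type: 8 (Echo (ping) request)" show="8"/>
  </proto>
</packet>
</pdml>
"""


def iter_packets(pdml_text):
    """Yield each <packet> element of a PDML document."""
    root = ET.fromstring(pdml_text)
    for packet in root.findall("packet"):
        yield packet


def field(packet, name):
    """'show' value of the first field called `name` in the packet (nested fields too), or None."""
    node = packet.find(f".//field[@name='{name}']")
    return None if node is None else node.get("show")


def protocols(packet):
    """Top-level protocol stack of a packet, e.g. ['frame', 'eth', 'ip', 'tcp']."""
    return [p.get("name") for p in packet.findall("proto")]


def summarize(pdml_text):
    """One tuple per packet: (number, src, dst, highest protocol, length, detail)."""
    rows = []
    for pkt in iter_packets(pdml_text):
        top = protocols(pkt)[-1]          # highest-layer protocol tshark dissected
        src = field(pkt, "ip.src") or "-"
        dst = field(pkt, "ip.dst") or "-"
        detail = ""
        if top == "tcp":
            detail = f"{field(pkt, 'tcp.srcport')} -> {field(pkt, 'tcp.dstport')}"
            if field(pkt, "tcp.flags.syn") == "1":
                detail += " [SYN]"
        elif top == "icmp":
            detail = f"type {field(pkt, 'icmp.type')}"
        rows.append((int(field(pkt, "frame.number")), src, dst,
                     top.upper(), int(field(pkt, "frame.len")), detail))
    return rows


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PDML
    for number, src, dst, proto, length, detail in summarize(text):
        print(f"{number:>4} {src:<16} -> {dst:<16} {proto:<5} {length:>5} {detail}")
```

Feed it real output with `tshark -r capture.pcap -T pdml | python3 pdml_summary.py`; with no input on stdin it runs on the constructed sample.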
PS
PS stands for PostScript. The output is PostScript intended for printing: a one-line summary of each packet, or a multi-line detail view of each packet when -V is also given. For a one-line summary in parseable XML form use -T psml (Packet Summary Markup Language) instead.
tshark -r [Link] -T ps
JSON
JSON stands for JavaScript Object Notation, an open standard data-interchange format that is both human-readable and easy to parse from scripts. TShark emits a JSON array with one object per packet; the decoded fields sit under _source.layers.<protocol>.<field>, with all values printed as strings.
tshark -r [Link] -T json
Text
Text is the default format: a human-readable one-line summary of each packet (or a multi-line detail view with -V).
tshark -r [Link] -T text
To read more, visit Hacking Articles.
But why do we need to do the decoding?

A .pcap file stores only the raw bytes of each packet plus a small per-packet header, so it is compact but not human-readable.

Decoding (dissecting) the packets expands every field into named, annotated text, which is why a PDML or JSON rendering of the same capture is many times larger than the .pcap. Compare the sizes:
ls -lh packets.p*
Converting PDML to an HTML Page
Save the decoded packets in PDML format, which is an XML file:
tshark -r [Link] -T pdml > [Link]
Apply the PDML-to-HTML stylesheet shipped with Wireshark using the xsltproc tool to create the HTML page:
xsltproc /usr/share/wireshark/[Link] [Link] > [Link]
Open the HTML page in the browser:
firefox [Link] &
Endpoints Analysis

TShark collects different types of statistics (the -z option) and prints the results after it has finished reading the capture file.

With -z endpoints,<type> it builds a table listing every endpoint of that type seen in the capture, with the number of packets and bytes each one sent and received.

The endpoint types supported by TShark include: bluetooth, eth, fc, fddi, ip, ipv6, ipx, jxta, ncp, rsvp, sctp, tcp, tr, udp, usb, wlan.
Refer to the tshark man page for the complete list.
Endpoints Analysis
tshark -r [Link] -z endpoints,wlan -q | head
-z endpoints,wlan builds the table of 802.11 (WLAN) endpoints; -q suppresses the per-packet output so only the statistics are printed, and head shows the first lines of the table.
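Added example, not from the original deck: a Python script that parses tshark -T json output (the JSON format described earlier) and rebuilds an IP endpoints table with the same columns as tshark -z endpoints,ip, so it covers both the JSON output format and the endpoints statistics. The embedded sample is constructed to mirror tshark's _source.layers structure with string values; the function names are mine.

```python
import json
from collections import defaultdict

# Constructed sample in the shape that `tshark -r file -T json` emits: a list of
# packet objects, each with _source.layers.<protocol>.<field>, values as strings.
# Only the fields this script uses are included; tshark prints many more.
SAMPLE_JSON = json.dumps([
    {"_source": {"layers": {
        "frame": {"frame.number": "1", "frame.len": "74"},
        "ip": {"ip.src": "10.0.0.5", "ip.dst": "93.184.216.34", "ip.proto": "6"},
        "tcp": {"tcp.srcport": "51234", "tcp.dstport": "80"}}}},
    {"_source": {"layers": {
        "frame": {"frame.number": "2", "frame.len": "74"},
        "ip": {"ip.src": "93.184.216.34", "ip.dst": "10.0.0.5", "ip.proto": "6"},
        "tcp": {"tcp.srcport": "80", "tcp.dstport": "51234"}}}},
    {"_source": {"layers": {
        "frame": {"frame.number": "3", "frame.len": "98"},
        "ip": {"ip.src": "10.0.0.5", "ip.dst": "8.8.8.8", "ip.proto": "1"},
        "icmp": {"icmp.type": "8"}}}},
    {"_source": {"layers": {
        "frame": {"frame.number": "4", "frame.len": "42"},
        "arp": {"arp.opcode": "1"}}}},   # no IP layer: must not become an endpoint
])

COLUMNS = ("packets", "bytes", "tx_packets", "tx_bytes", "rx_packets", "rx_bytes")


def load_packets(text):
    """Parse tshark -T json output and yield the per-packet `layers` dict."""
    for pkt in json.loads(text):
        yield pkt["_source"]["layers"]


def ip_endpoints(layers_iter):
    """Aggregate per-address counters like `tshark -z endpoints,ip`.

    Returns {address: {packets, bytes, tx_packets, tx_bytes, rx_packets, rx_bytes}}.
    The source address is credited with a transmit, the destination with a receive,
    and both with the frame length; non-IP frames are skipped.
    """
    table = defaultdict(lambda: dict.fromkeys(COLUMNS, 0))
    for layers in layers_iter:
        ip = layers.get("ip")
        if ip is None:
            continue
        size = int(layers["frame"]["frame.len"])
        for addr, direction in ((ip["ip.src"], "tx"), (ip["ip.dst"], "rx")):
            row = table[addr]
            row["packets"] += 1
            row["bytes"] += size
            row[direction + "_packets"] += 1
            row[direction + "_bytes"] += size
    return dict(table)


def format_endpoints(table):
    """Render the table, busiest address first, in tshark's column order."""
    lines = [f"{'Address':<18}{'Packets':>8}{'Bytes':>8}{'Tx Pkts':>8}"
             f"{'Tx Bytes':>9}{'Rx Pkts':>8}{'Rx Bytes':>9}"]
    for addr, r in sorted(table.items(), key=lambda kv: kv[1]["bytes"], reverse=True):
        lines.append(f"{addr:<18}{r['packets']:>8}{r['bytes']:>8}{r['tx_packets']:>8}"
                     f"{r['tx_bytes']:>9}{r['rx_packets']:>8}{r['rx_bytes']:>9}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JSON
    print(format_endpoints(ip_endpoints(load_packets(text))))
```

Run it on a real capture with `tshark -r capture.pcap -T json | python3 endpoints.py`; with nothing on stdin it uses the constructed sample. Because every value in tshark's JSON is a string, frame.len is converted with int() before summing; forgetting that is the usual bug when scripting over this format.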
[Link]
info@[Link]
+91 959 938 7841
THANK YOU
Ignite Technologies