tshark
Setup
which tshark
sudo apt install tshark
wget https://www.malware-traffic-analysis.net/2018/10/31/2018-10-31-traffic-analysis-exercise.pcap.zip
unzip 2018-10-31-traffic-analysis-exercise.pcap.zip
mv 2018-10-31-traffic-analysis-exercise.pcap malware.pcap
Read
sudo tshark -r malware.pcap -T fields -e ip.addr | sort | uniq
Export objects
sudo tshark -r malware.pcap --export-objects http,evidence
sha256sum evidence/startr.ack
md5sum evidence/startr.ack
whois -h hash.cymru.com 2e335d2d0916114dc56407dbc427ebf5
Display filters
sudo tshark -r malware.pcap -t ud -Y 'ip.src==10.100.9.107 and udp.port==53'
ARP
Detect ARP spoofing (duplicate ARP replies from different IP addresses)
# the 'newest' IP address is probably evil, overwriting the previous reply
tshark -nr traffic.pcap -Y 'arp.opcode == 2'
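Added example (not part of the original notes): a POSIX sh helper that reads the tab-separated output of tshark -T fields -e arp.src.proto_ipv4 -e arp.src.hw_mac for ARP replies and lists every IP claimed by more than one MAC, most recent claimant last; the function names and the sample lines are constructed for this example.

```shell
# arp_conflicts: read "ip<TAB>mac" lines on stdin and print one line per IP
# that was claimed by more than one MAC, MACs in order of first appearance
# (the last MAC is the newest claimant, the usual suspect in ARP spoofing).
arp_conflicts() {
    awk -F'\t' '
        NF < 2 || $1 == "" { next }               # skip empty/malformed lines
        !seen[$1 SUBSEP $2]++ {                   # first time this (ip, mac) pair
            macs[$1] = (macs[$1] == "" ? $2 : macs[$1] " " $2)
            n[$1]++
        }
        END { for (ip in n) if (n[ip] > 1) print ip, macs[ip] }
    ' | sort
}

# arp_conflicts_pcap: run the detection directly on a capture (needs tshark).
# Only ARP replies (opcode 2) are considered, as in the filter above.
arp_conflicts_pcap() {
    tshark -nr "$1" -Y 'arp.opcode == 2' -T fields \
        -e arp.src.proto_ipv4 -e arp.src.hw_mac | arp_conflicts
}

# Constructed sample output (what tshark -T fields would print): the gateway
# 10.100.9.1 is first announced by one MAC, then re-announced by another.
sample_arp_replies() {
    printf '10.100.9.1\t00:11:22:33:44:55\n'
    printf '10.100.9.107\taa:bb:cc:dd:ee:01\n'
    printf '10.100.9.1\t00:11:22:33:44:55\n'
    printf '10.100.9.1\tde:ad:be:ef:00:01\n'
}

sample_arp_replies | arp_conflicts
```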
Gratuitous ARP frames
tshark -nr traffic.pcap -Y 'arp.isgratuitous == 1'
tshark -nr traffic.pcap -Y 'arp.src.proto_ipv4 == arp.dst.proto_ipv4'
IPv6
Find fragmented IPv6 packets
tshark -nr traffic.pcap -Y 'ipv6.nxt == 44'
UDP
Follow UDP Stream using Tshark from the Command Line
tshark -nr traffic.pcap -z follow,udp,hex,0 # 0 = first stream
RPC
Find high-number ports of MS/RPC (DCE/RPC) Endpoint Mapping Response
tshark -nr traffic.pcap -Y 'dcerpc and epm' -w epm_traffic.pcap
tshark -nr traffic.pcap -Y 'dcerpc and epm' -T fields -e frame.number -e ip.src -e ip.dst -e epm.proto.tcp_port
# example output (columns: frame number, src ip, dst ip, dst RPC port)
4429 192.168.61.20 192.168.50.25 135
4430 192.168.50.25 192.168.61.20 49155 <--- dst RPC port
DNS
DNS responses with multiple answers
tshark -nr traffic.pcap -Y 'dns.count.answers > 1'