tshark – Dump and analyze network traffic

ABOUT tshark

TShark is a command-line network traffic analyzer that enables you to capture packet data from a live network or read packets from a previously saved capture file by either printing a decoded form of those packets to the standard output or by writing the packets to a file. Without any options, TShark works similarly to the tcpdump command and also uses the same live capture file format, libpcap. In addition, TShark is capable of detecting, reading, and writing the same capture files as those that are supported by Wireshark.

RELATED SHELL EXPOSURE
small part of content formatted
[bash light="true"]
$ sudo tshark -c 2 -O tcp
sudo: /var/lib/sudo writable by non-owner (040777), should be mode 0700

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for jeffrin:
tshark: Lua: Error during loading:
[string "/usr/share/wireshark/init.lua"]:46: dofile has been disabled due to running Wireshark as
superuser. See http://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as
an unprivileged user.
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eth0'
Frame 1: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 0
Ethernet II, Src: AsustekC_59:c2:7d (60:a4:4c:59:c2:7d), Dst: D-Link_5c:01:1a (5c:d9:98:5c:01:1a)
Internet Protocol Version 4, Src: 192.168.0.102 (192.168.0.102), Dst: 74.125.236.160 (74.125.236.160)
Transmission Control Protocol, Src Port: 46926 (46926), Dst Port: https (443), Seq: 1, Ack: 1, Len: 0
Source port: 46926 (46926)
Destination port: https (443)
[Stream index: 0]
Sequence number: 1 (relative sequence number)
Acknowledgment number: 1 (relative ack number)
Header length: 32 bytes
Flags: 0x010 (ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
Window size value: 353
[Calculated window size: 353]
[Window size scaling factor: -1 (unknown)]
Checksum: 0xa100a [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
No-Operation (NOP)
Type: 1
0... .... = Copy on fragmentation: No
.00. .... = Class: Control (0)
...0 0001 = Number: No-Operation (NOP) (1)
No-Operation (NOP)
Type: 1
0... .... = Copy on fragmentation: No
.00. .... = Class: Control (0)
...0 0001 = Number: No-Operation (NOP) (1)
Timestamps: TSval 300928, TSecr 2174612263
Kind: Timestamp (8)
Length: 10
Timestamp value: 300928
Timestamp echo reply: 2174612263

Frame 2: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 0
Ethernet II, Src: D-Link_5c:01:1a (5c:d9:98:5c:01:1a), Dst: AsustekC_59:c2:7d (60:a4:4c:59:c2:7d)
Internet Protocol Version 4, Src: 74.125.236.160 (74.125.236.160), Dst: 192.168.0.102 (192.168.0.102)
Transmission Control Protocol, Src Port: https (443), Dst Port: 46926 (46926), Seq: 1, Ack: 2, Len: 0
Source port: https (443)
Destination port: 46926 (46926)
[Stream index: 0]
Sequence number: 1 (relative sequence number)
Acknowledgment number: 2 (relative ack number)
Header length: 32 bytes
Flags: 0x010 (ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
Window size value: 661
[Calculated window size: 661]
[Window size scaling factor: -1 (unknown)]
Checksum: 0xa521 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
No-Operation (NOP)
Type: 1
0... .... = Copy on fragmentation: No
.00. .... = Class: Control (0)
...0 0001 = Number: No-Operation (NOP) (1)
No-Operation (NOP)
Type: 1
0... .... = Copy on fragmentation: No
.00. .... = Class: Control (0)
...0 0001 = Number: No-Operation (NOP) (1)
Timestamps: TSval 21741007319, TSecr 255876
Kind: Timestamp (8)
Length: 10
Timestamp value: 21741007319
Timestamp echo reply: 255876
[SEQ/ACK analysis]
[TCP Analysis Flags]
[This frame ACKs a segment we have not seen]
[Expert Info (Warn/Sequence): ACKed segment that wasn't captured (common at capture start)]
[Message: ACKed segment that wasn't captured (common at capture start)]
[Severity level: Warn]
[Group: Sequence]

2
$

[/bash]
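The ABOUT paragraph notes that tshark writes and reads the libpcap capture format, and the output above shows the TCP fields it decodes. The following is an added example of mine, not code from the post, from Wireshark or from libpcap: it builds a constructed pcap file in memory containing one frame modelled on Frame 1 above (192.168.0.102:46926 to 74.125.236.160:443, ACK only, window 353, NOP/NOP/Timestamps options, 66 bytes), then parses the pcap global and record headers and decodes the Ethernet/IPv4/TCP headers the way `-O tcp` prints them. The absolute sequence and acknowledgment numbers and the zero checksums are constructed placeholders (tshark printed relative numbers and had checksum validation disabled); the function names are mine. The parser refuses records whose lengths run past the snaplen or the end of the file and option lengths that run past the TCP header, which is where hand-written capture readers usually get into trouble on a malformed file.

```python
"""Minimal libpcap savefile reader and TCP decoder (added example, not
from the post or from libpcap/Wireshark). Sequence numbers and checksums
in the constructed frame are placeholders."""
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4   # microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
# Bit 0 upward, matching the flag rows tshark prints (FIN lowest, NS highest).
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]


def build_sample_pcap():
    """Constructed little-endian pcap file holding one 66-byte TCP ACK frame."""
    eth = (bytes.fromhex("5cd9985c011a")          # dst: D-Link_5c:01:1a
           + bytes.fromhex("60a44c59c27d")        # src: AsustekC_59:c2:7d
           + struct.pack("!H", ETHERTYPE_IPV4))
    # Options: NOP, NOP, Timestamps (kind 8, len 10, TSval, TSecr) = 12 bytes
    tcp_opts = b"\x01\x01\x08\x0a" + struct.pack("!II", 300928, 2174612263)
    data_offset_words = (20 + len(tcp_opts)) // 4   # 8 words -> header length 32
    tcp = struct.pack("!HHIIBBHHH", 46926, 443, 1000, 2000,   # ports, seq, ack
                      data_offset_words << 4, 0x10,           # data offset, flags=ACK
                      353, 0, 0) + tcp_opts                   # window, csum, urgent
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64,
                     IPPROTO_TCP, 0, bytes([192, 168, 0, 102]),
                     bytes([74, 125, 236, 160]))
    frame = eth + ip + tcp                            # 14 + 20 + 32 = 66 bytes
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535,
                             LINKTYPE_ETHERNET)
    record_hdr = struct.pack("<IIII", 1, 0, len(frame), len(frame))
    return global_hdr + record_hdr + frame


def read_pcap(data):
    """Return (linktype, [(ts_sec, ts_frac, incl_len, orig_len, payload), ...])."""
    if len(data) < 24:
        raise ValueError("pcap global header truncated")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):           # same magics, byte-swapped
        endian = ">"
    else:
        raise ValueError("not a libpcap savefile (magic 0x%08x)" % magic)
    _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("record header truncated at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        # incl_len comes from the file: bound it by snaplen and by what is actually present.
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("record at offset %d exceeds snaplen or file" % (off - 16))
        records.append((ts_sec, ts_frac, incl_len, orig_len, data[off:off + incl_len]))
        off += incl_len
    return linktype, records


def parse_tcp_options(raw):
    """Walk the TCP option list; reject lengths that run past the header."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                         # End of Option List
            opts.append("EOL")
            break
        if kind == 1:                         # NOP carries no length byte
            opts.append("NOP")
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("TCP option kind %d truncated" % kind)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("TCP option kind %d has bad length %d" % (kind, length))
        body = raw[i + 2:i + length]
        if kind == 8 and length == 10:
            opts.append("Timestamps TSval %d TSecr %d" % struct.unpack("!II", body))
        else:
            opts.append("kind %d len %d" % (kind, length))
        i += length
    return opts


def decode_tcp_frame(frame):
    """Decode Ethernet II / IPv4 / TCP into the fields `tshark -O tcp` shows."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not IPv4 over Ethernet II")
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != IPPROTO_TCP or len(frame) < 14 + ihl + 20:
        raise ValueError("not a complete TCP segment")
    tcp = frame[14 + ihl:]
    sport, dport, seq, ack, off_flags, window, csum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    header_len = (off_flags >> 12) * 4
    if header_len < 20 or header_len > len(tcp):
        raise ValueError("TCP data offset %d is invalid" % header_len)
    flags = off_flags & 0x1FF
    mac = lambda b: ":".join("%02x" % x for x in b)
    return {
        "eth_src": mac(frame[6:12]), "eth_dst": mac(frame[0:6]),
        "src": "%s:%d" % (".".join(map(str, frame[26:30])), sport),
        "dst": "%s:%d" % (".".join(map(str, frame[30:34])), dport),
        "seq": seq, "ack": ack, "header_len": header_len, "flags": flags,
        "flag_names": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
        "window": window, "checksum": csum,
        "options": parse_tcp_options(tcp[20:header_len]),
    }


if __name__ == "__main__":
    linktype, records = read_pcap(build_sample_pcap())
    for n, (_sec, _frac, incl, _orig, payload) in enumerate(records, 1):
        print("Frame %d: %d bytes captured (linktype %d)" % (n, incl, linktype))
        for key, value in decode_tcp_frame(payload).items():
            print("  %s: %s" % (key, value))
```

Running the script prints the same source/destination, header length 32, flags 0x010 (ACK), window 353 and NOP/NOP/Timestamps option list that tshark showed for Frame 1. The magic-number check is what lets the reader accept captures written on either byte order, and the per-record and per-option length checks are the ones to keep when pointing a tool like this at captures received from an untrusted party.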

RELATED SOURCE CODE EXPOSURE
[c light="true"]
/*
 * Default one-shot callback; overridden for capture types where the
 * packet data cannot be guaranteed to be available after the callback
 * returns, so that a copy must be made.
 */
void
pcap_oneshot(u_char *user, const struct pcap_pkthdr *h, const u_char *pkt)
{
    struct oneshot_userdata *sp = (struct oneshot_userdata *)user;

    *sp->hdr = *h;
    *sp->pkt = pkt;
}

const u_char *
pcap_next(pcap_t *p, struct pcap_pkthdr *h)
{
    struct oneshot_userdata s;
    const u_char *pkt;

    s.hdr = h;
    s.pkt = &pkt;
    s.pd = p;
    if (pcap_dispatch(p, 1, p->oneshot_callback, (u_char *)&s) <= 0)
        return (0);
    return (pkt);
}

int
pcap_next_ex(pcap_t *p, struct pcap_pkthdr **pkt_header,
    const u_char **pkt_data)
{
    struct oneshot_userdata s;

    s.hdr = &p->pcap_header;
    s.pkt = pkt_data;
    s.pd = p;

    /* Saves a pointer to the packet headers */
    *pkt_header = &p->pcap_header;

    if (p->rfile != NULL) {
        int status;

        /* We are on an offline capture */
        status = pcap_offline_read(p, 1, p->oneshot_callback,
            (u_char *)&s);

        /*
         * Return codes for pcap_offline_read() are:
         *   -  0: EOF
         *   - -1: error
         *   - >1: OK
         * The first one ('0') conflicts with the return code of
         * 0 from pcap_read() meaning "no packets arrived before
         * the timeout expired", so we map it to -2 so you can
         * distinguish between an EOF from a savefile and a
         * "no packets arrived before the timeout expired, try
         * again" from a live capture.
         */
        if (status == 0)
            return (-2);
        else
            return (status);
    }

    /*
     * Return codes for pcap_read() are:
     *   -  0: timeout
     *   - -1: error
     *   - -2: loop was broken out of with pcap_breakloop()
     *   - >1: OK
     * The first one ('0') conflicts with the return code of 0 from
     * pcap_offline_read() meaning "end of file".
     */
    return (p->read_op(p, 1, p->oneshot_callback, (u_char *)&s));
}
[/c]
SOURCE CODE TAKEN FROM DEBIAN SOURCE PACKAGE libpcap

SOURCE AND OTHER LINK(S)
https://docs.oracle.com/cd/E53394_01/html/E54741/gncns.html
https://hackertarget.com/tshark-tutorial-and-filter-examples/
https://www.linuxjournal.com/content/using-tshark-watch-and-inspect-network-traffic
