Instant Traffic Analysis with Tshark How-to

By: Borja Merino
Overview of this book

Malware, DoS attacks, SQLi, and data exfiltration are some of the problems that many security officers have to face every day. Having advanced knowledge in communications and protocol analysis is therefore essential to investigate and detect any of these attacks. Tshark is the ideal tool for professionals who wish to meet these needs, or students who want to delve into the world of networking.

Instant Traffic Analysis with Tshark How-to is a practical, hands-on guide for network administrators and security officers who want to take advantage of the filtering features provided by Tshark, the command-line version of Wireshark. With this guide you will learn how to get the most out of Tshark in environments lacking a GUI, for example on Unix/Linux servers, which gives you much flexibility to identify and display network traffic.

The book begins by explaining the basic theoretical concepts of Tshark and the process of data collection. Subsequently, you will see several alternatives to capture traffic based on the network infrastructure and the goals of the network administrator. The rest of the book focuses on explaining the most interesting parameters of the tool from a totally practical standpoint.

You will also learn how to decode protocols and how to get evidence of suspicious network traffic. You will become familiar with the many practical filters of Tshark that identify malware-infected computers and lots of network attacks such as DoS attacks, DHCP/ARP spoofing, and DNS flooding. Finally, you will see some tricks to automate certain tasks with Tshark and Python scripts.

You will learn everything you need to get the most out of Tshark and overcome a wide range of network problems. In addition you will learn a variety of concepts related to networking and the network attacks currently exploited.

Delimiting network problems (Should know)


This recipe will explain some useful commands that will help us find the root of many problems related to the performance of our network. A fairly typical case is one in which we experience some problems with the bandwidth of our network. If we lack advanced network devices that allow us to configure QoS or Deep Packet Inspection, we can use Tshark to try to find out which hosts are generating more traffic and what type of data they are sending.

How to do it...

  1. The first approach to determine which IPs in our VLAN (192.168.15.0/24) could be misusing the network would be to get the list of IP conversations. This list is sorted according to the total number of frames, so it could give us an idea of the heavy talkers (some of the columns have been omitted):

    bmerino@Mordor:/$ tshark -r traffic.pcap -q -z "conv,ip,ip.addr==192.168.15.0/24" 
    

    This command would generate the following output:

    ======================================================
    IPv4 Conversations
    Filter:ip.addr==192.168.15.0/24
                             |     <-       ||      ->       ||     Total    |   
                             |Frames Bytes  || Frames  Bytes || Frames  Bytes|     
    192.168.15.4<->192.168.30.5 35341  53204825 23968  1647450  59309 54852275 
    192.168.15.4<->192.168.30.6 5492   8014603  2973    197034   8465  8211637 
    192.168.15.8<->192.168.17.3 1041   219223   1234    158748   2277   352634 
    
  2. With this information, we know that the IP 192.168.15.4 is one of the hosts generating the most traffic, communicating with other machines on the network 192.168.30.0/24. To work faster with Tshark we will create a second pcap file with just the traffic generated by that machine (192.168.15.4):

    bmerino@Mordor:/$ tshark -R "ip.addr == 192.168.15.4" -r traffic.pcap -w ip.pcap
    bmerino@Mordor:/$ capinfos ip.pcap | grep "Number\|time:"
    

    This command would generate the following output:

    Number of packets:   97218
    Start time:          Mon Jan  7 14:26:57 2013
    End time:            Mon Jan  7 14:38:57 2013
    
  3. First, we will check that the host is not breaking the use policies of our network, which establish that only HTTP and HTTPS traffic is allowed as output in that VLAN. The following command will tell us the outbound connections to ports other than those allowed (HTTP and HTTPS).

    bmerino@Mordor:/$ tshark -o column.format:'" Source ","%s","Destination","%d", "dstport", "%uD","Protocol", "%p"' -r ip.pcap -R "ip.src == 192.168.15.4 && ! dns && tcp.dstport != 80 && tcp.dstport != 443"  | sort -u
    

    This command would generate the following output:

    192.168.15.4 -> 192.168.30.5  8000 TCP
    192.168.15.4 -> 192.168.17.10 3283 TCP
    192.168.15.4 -> 192.168.30.5  21 FTP
    
  4. According to the previous output, we can confirm that the IP 192.168.15.4 is violating the usage policy by connecting to different services, among which is FTP. To be sure that this traffic is not another service using the FTP port, we follow the TCP stream of that session:

    bmerino@Mordor:/$ tshark -o column.format:'"Source","%s","srcport", "%uS","Destination","%d", "dstport", "%uD","Protocol", "%p"' -r ip.pcap -R "tcp.dstport == 21" | head -1
    192.168.15.4 58905 192.168.30.5 21 FTP
    bmerino@Mordor:/$ tshark -z "follow,tcp,ascii,192.168.15.4:58905,192.168.30.5:21,1" -q -r ip.pcap   
    

    This command would generate the following output:

    ===================================================================
    Follow: tcp,hex
    Filter: ((ip.src eq 192.168.15.4 and tcp.srcport eq 58905) and (ip.dst eq 192.168.30.5 and tcp.dstport eq 21)) or ((ip.src eq 192.168.30.5 and tcp.srcport eq 21) and (ip.dst eq 192.168.15.4 and tcp.dstport eq 58905))
    Node 0: 192.168.30.5:21
    Node 1: 192.168.15.4:58905
    00000000 32 32 30 2d 46 69 6c 65 5a 69 6c 6c 61 20 53 65 220-File Zilla Se
    00000010 72 76 65 72 20 76 65 72 73 69 6f 6e 20 30 2e 39 rver ver sion 0.9
    00000020 2e 34 31 20 62 65 74 61 0d 0a                         .41 beta ..
    ===================================================================
    
  5. The FileZilla server banner and the commands used to request files confirm that the user is using FTP. After observing the FTP transfers, we could verify that this service was the direct cause of the slowdown in the network. We can even filter the files downloaded by the client:

    bmerino@Mordor:/$ tshark -z "follow,tcp,ascii,192.168.15.4:58905,192.168.30.5:21" -r ip.pcap   | grep RETR
     28  50.409666  192.168.15.4 -> 192.168.30.5 FTP 85 Request: RETR Dati2.avi
     33 162.018952  192.168.15.4 -> 192.168.30.5 FTP 83 Request: RETR windbg.exe
    
  6. Tshark also allows us to break down each of the protocols captured. Thus we can see hierarchically the number of frames and bytes associated with each protocol. Using another capture file, let's see for example the distribution of HTTP and HTTPS traffic used by the IP 192.168.15.7:

    bmerino@Mordor:/$ tshark -r traffic2.pcap -q -z io,phs,"ip.addr== 192.168.15.7 && ssl || http" | head -13
    

    This command would generate the following output:

    ===========================================================
    Protocol Hierarchy Statistics
    Filter: ip.addr== 192.168.15.7 && ssl || http
    eth                      frames:43129 bytes:59176403
      ip                     frames:43129 bytes:59176403
        tcp                  frames:43129 bytes:59176403
          ssl                frames:41090 bytes:57226894
            tcp.segments     frames:1212 bytes:1376146
          http               frames:2039 bytes:1949509  
    
  7. The output tells us that SSL accounts for practically all of the traffic, far more than plain HTTP. Let's see the IPs associated with that communication:

    bmerino@Mordor:/$ tshark -o column.format:'"destination","%d"' -r  traffic.pcap -R "ip.src == 192.168.15.7 && ssl" | sort -u
    199.47.216.172
    199.47.218.159
    173.194.34.12
    bmerino@Mordor:/$ whois 199.47.216.171 | grep -i "netname\|netrange"
    NetRange:       199.47.216.0 - 199.47.219.255
    NetName:        DROPBOX
    
  8. It seems that this IP is using Dropbox to transfer files, hence the amount of SSL traffic generated. With this information we can now create ACLs or iptables rules to deny certain types of traffic, shut down a specific port, limit the bandwidth of some protocols, and so on.
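
The steps above are easy to script once the Tshark output is parsed. The following Python script is an added example for this recipe (not code from the book): it reads the `-z conv,ip` table from step 1 to rank the local hosts by bytes exchanged, and checks tab-separated `-T fields -e ip.src -e ip.dst -e tcp.dstport` lines (the same flows as step 3) against the "only 80 and 443 outbound" policy. Both inputs are constructed sample strings so the script runs offline; in practice you would pipe the real Tshark output into it.

```python
"""Rank heavy talkers and spot policy violations from Tshark output.

Added example for this recipe; it is not code from the book. It parses
the text Tshark prints (the `-z conv,ip` table and tab-separated
`-T fields -e ip.src -e ip.dst -e tcp.dstport` lines) so the logic
runs offline on the constructed samples below.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the IPv4 conversation table as `tshark -z conv,ip` prints it
CONV_OUTPUT = """\
======================================================
IPv4 Conversations
Filter:ip.addr==192.168.15.0/24
                         |     <-       ||      ->       ||     Total    |
                         |Frames Bytes  || Frames  Bytes || Frames  Bytes|
192.168.15.4<->192.168.30.5 35341  53204825 23968  1647450  59309 54852275
192.168.15.4<->192.168.30.6 5492   8014603  2973    197034   8465  8211637
192.168.15.8<->192.168.17.3 1041   219223   1234    158748   2277   352634
======================================================
"""

# Constructed sample: `tshark -T fields -e ip.src -e ip.dst -e tcp.dstport`
# lines for outbound packets; the empty third field is a non-TCP (DNS) packet
FIELDS_OUTPUT = "\n".join([
    "192.168.15.4\t192.168.30.5\t8000",
    "192.168.15.4\t192.168.30.5\t443",
    "192.168.15.4\t192.168.17.10\t3283",
    "192.168.15.4\t192.168.30.5\t21",
    "192.168.15.4\t192.168.30.5\t8000",
    "192.168.15.4\t192.168.15.1\t",
])

# A conversation row: host_a<->host_b followed by six integers:
# <- frames/bytes, -> frames/bytes, and the totals
CONV_ROW = re.compile(r"^(\S+)<->(\S+)" + r"\s+(\d+)" * 6 + r"\s*$")


def parse_conversations(text):
    """Return [(host_a, host_b, total_frames, total_bytes), ...] from a conv,ip table."""
    rows = []
    for line in text.splitlines():
        m = CONV_ROW.match(line)
        if m:
            rows.append((m.group(1), m.group(2), int(m.group(7)), int(m.group(8))))
    return rows


def heavy_talkers(rows, local_net):
    """Total bytes per host inside local_net, heaviest first."""
    net = ipaddress.ip_network(local_net)
    totals = defaultdict(int)
    for a, b, _frames, nbytes in rows:
        for host in (a, b):
            if ipaddress.ip_address(host) in net:
                totals[host] += nbytes
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def policy_violations(fields_text, allowed_ports=(80, 443)):
    """Unique (src, dst, dstport) outbound TCP flows to ports the policy forbids."""
    seen = set()
    for line in fields_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or not parts[2]:
            continue  # tcp.dstport is empty for non-TCP packets: skip them
        src, dst, port = parts[0], parts[1], int(parts[2])
        if port not in allowed_ports:
            seen.add((src, dst, port))
    return sorted(seen)


if __name__ == "__main__":
    rows = parse_conversations(CONV_OUTPUT)
    for host, nbytes in heavy_talkers(rows, "192.168.15.0/24"):
        print(f"{host:<16} {nbytes:>12} bytes")
    for src, dst, port in policy_violations(FIELDS_OUTPUT):
        print(f"policy violation: {src} -> {dst}:{port}")
```

The regular expression keys on the `a<->b` pair followed by six integer columns, so the header and separator lines of the table are ignored without special casing; the policy check deliberately skips packets with an empty `tcp.dstport` instead of failing on them, which is what you get for the DNS traffic that the `! dns` clause filtered out in step 3.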

How it works...

Tshark gives us the option to collect statistics on multiple types of network traffic with the -z parameter. In the previous examples we used this option to obtain the IP peer-to-peer conversations between various computers in our network. To collect other kinds of conversations we run -z as follows: -z conv,type[,filter], where type is the kind of peer-to-peer conversation (TCP, UDP, IP, FDDI, and so on) we want statistics for. Optionally, you can specify a filter so that only the packets matching it are used in the calculations. For example, to display the TCP conversations of the IRC protocol we would run:

We use the -q parameter when reading capture files to display just the statistics and not any per-packet information. The other statistic used in this recipe is follow, which shows the content of the TCP or UDP stream between two nodes. This option is similar to "Follow TCP/UDP Stream" in Wireshark. Its syntax is -z follow,prot,mode,filter[,range], where prot can be TCP or UDP, mode specifies the output type (ASCII or hex), and the optional range specifies which "chunks" of the stream should be displayed.

In addition to the statistics seen so far, Tshark can show the total number of bytes and frames per time interval. To do this we use -z io,stat,interval[,filter][,filter]…, where interval is the interval length in seconds. For example, we observed earlier that the IP 192.168.15.4 had established a connection to the machine 192.168.30.5 on port 8000. We can get the statistics of that connection in intervals of 100 seconds (some of the rows have been omitted):

bmerino@Mordor:/$ tshark -r 8000.pcap -q -z io,stat,100,tcp.port==8000

This command would generate the following output:

| Interval   | Frames | Bytes | Frames |  Bytes |
|-----------------------------------------------|  
|  0 <> 100  |     44 |  7644 |     44 |   7644 |
|100 <> 200  |     30 |  2180 |     30 |   2180 | 
|200 <> 300  |      0 |     0 |      0 |      0 |  
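
To make clear what io,stat is computing, here is an added Python example (not code from the book) that buckets frames into fixed intervals relative to the first frame and counts frames and bytes per bucket, reporting empty intervals as zeros just as the table above does. The frames are constructed (relative time, length, TCP port) tuples; a real run would take them from `tshark -T fields -e frame.time_relative -e frame.len -e tcp.port`, and the 8000-port filter plays the role of the tcp.port==8000 display filter.

```python
"""Bucket frames into fixed time intervals the way `-z io,stat,interval[,filter]`
reports frames and bytes per interval.

Added example, not code from the book. Frames are (relative_time_s, frame_len,
tcp_port) tuples constructed here.
"""

# Constructed sample frames: relative time in seconds, frame length, TCP port
FRAMES = [
    (0.000, 74, 8000), (0.412, 74, 8000), (1.200, 1514, 8000),
    (55.000, 66, 443), (98.900, 1514, 8000),
    (101.000, 66, 8000), (150.000, 1514, 8000), (199.990, 600, 8000),
    (250.000, 74, 443),
]


def io_stat(frames, interval, match=lambda frame: True):
    """Return [(start, end, frames, bytes), ...] for every interval up to the
    capture end, counting only frames for which match() is true.

    Intervals are relative to the first frame, as Tshark's io,stat does, and
    empty intervals are still reported (with zeros) so gaps stay visible.
    """
    if not frames:
        return []
    duration = max(t for t, _, _ in frames)
    nbins = int(duration // interval) + 1
    counts = [[0, 0] for _ in range(nbins)]
    for frame in frames:
        t, length, _port = frame
        if match(frame):
            idx = int(t // interval)
            counts[idx][0] += 1
            counts[idx][1] += length
    return [(i * interval, (i + 1) * interval, f, b)
            for i, (f, b) in enumerate(counts)]


def format_table(stats):
    """Render the result in a layout similar to Tshark's io,stat table."""
    lines = ["| Interval   | Frames |  Bytes |", "|" + "-" * 31 + "|"]
    for start, end, f, b in stats:
        lines.append(f"|{start:>4} <> {end:<4} | {f:>6} | {b:>6} |")
    return "\n".join(lines)


if __name__ == "__main__":
    # Only frames of the port 8000 connection, in 100-second intervals
    print(format_table(io_stat(FRAMES, 100, match=lambda fr: fr[2] == 8000)))
```

The filter is an ordinary predicate over the frame tuple, so the same function can reproduce an unfiltered io,stat or any other display-filter-like condition; note that the last interval is always reported in full here, whereas Tshark labels it with the capture duration.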

Finally, in this recipe we use the -o option, which allows us to change some settings of Tshark. Wireshark and Tshark rely on a configuration file to load default preferences. We can modify these values by using the -o option followed by prefname:value. To dump a list of default preferences, use -G followed by defaultprefs. For example, by default, Wireshark and Tshark convert all sequence numbers into relative numbers to facilitate comprehension and tracking of the packets involved in a TCP session. This means that the sequence number of the first packet in a TCP connection starts at 0 and not at the random value generated by the TCP/IP stack of the operating system. If we need to view the absolute value, that is, the real value of the SEQ and ACK fields, we can disable the "Relative Sequence Numbers" option with tcp.relative_sequence_numbers:FALSE:

bmerino@Mordor:/$ tshark -G defaultprefs | grep "relative_seq"
relative_seq#tcp.relative_sequence_numbers: TRUE
bmerino@Mordor:/$ tshark -r tcpsecuence.pcap -T fields -e tcp.seq -R tcp | head -3
0
16
bmerino@Mordor:/$ tshark -r tcpsecuence.pcap -T fields -e tcp.seq -R tcp -o tcp.relative_sequence_numbers:FALSE | head -3
2516813179
2516813195
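
The following Python snippet is an added example (not code from the book) of what the relative conversion does: each direction of a connection is rebased on the first SEQ seen in that direction (its ISN), and the subtraction is taken modulo 2^32 so that the result stays correct when the 32-bit counter wraps around. The two client values are the absolute SEQs shown above; the server side values and the addresses are constructed, with the server ISN chosen near 2^32 so that its second segment has already wrapped. Simplification: the direction is keyed on the address/port 4-tuple, whereas Tshark works per tracked conversation.

```python
"""Relative TCP sequence numbers, as produced by tcp.relative_sequence_numbers.

Added example, not code from the book. Input SEQ values are absolute, as
`-T fields -e tcp.seq -o tcp.relative_sequence_numbers:FALSE` prints them.
"""

MOD32 = 1 << 32  # TCP sequence numbers are 32-bit and wrap around

# Constructed sample frames: (src, sport, dst, dport, absolute tcp.seq).
# The client's two SEQs are the ones shown above; the server's ISN sits close
# to 2^32 so its later segment (seq 50) has wrapped past zero.
FRAMES = [
    ("192.168.15.4", 58905, "192.168.30.5", 21, 2516813179),
    ("192.168.30.5", 21, "192.168.15.4", 58905, 4294967200),
    ("192.168.15.4", 58905, "192.168.30.5", 21, 2516813195),
    ("192.168.30.5", 21, "192.168.15.4", 58905, 50),
]


def relative_seqs(frames):
    """Return the relative SEQ of each frame, in input order."""
    isn = {}  # (src, sport, dst, dport) -> first absolute SEQ in that direction
    out = []
    for src, sport, dst, dport, seq in frames:
        key = (src, sport, dst, dport)
        base = isn.setdefault(key, seq)  # first SEQ seen becomes the ISN
        out.append((seq - base) % MOD32)  # modulo keeps wrapped values positive
    return out


if __name__ == "__main__":
    for frame, rel in zip(FRAMES, relative_seqs(FRAMES)):
        print(f"{frame[0]}:{frame[1]} -> {frame[2]}:{frame[3]}  abs={frame[4]}  rel={rel}")
```

Without the modulo the wrapped server segment would come out as a large negative number; with it, 50 relative to an ISN of 4294967200 is 146 bytes into the stream, which is what you want when matching SEQ and ACK values across the two directions.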

Do not worry about the -T and -e options; we will see them in detail in the next recipe. We also used -o several times with the column.format directive to specify the columns displayed in the output. The value associated with this directive consists of pairs of strings indicating the title of the column and its format. For example, with -o column.format:"Protocol","%p", we would only show the protocol of each packet. If you need the list of % format variables, take a look at the Wireshark sources, in particular the C file wireshark/epan/column.c:

root@Mordor:~/wireshark# cat epan/column.c | grep -m 1 COL_PROTOCOL
    "%p",    /* 48) COL_PROTOCOL */

Tshark allows us to load our own "Configuration Profiles". This is really useful when we use different configurations depending on the type of analysis we perform. For example, there will be times when you want to disable certain dissectors, or you may want to show the output in a different view or format. With your own configuration profile you won't need to write a long list of -o parameters; just specify the profile with the -C option and Tshark will load those settings:

bmerino@Mordor:~/.wireshark/profiles$ tshark -C "A1_audit" -i eth0

This command would generate the following output:

Capturing on eth0
64:68:0c:ea:41:ad -> 01:80:c2:00:00:00 60 
192.168.1.42 -> 173.194.34.54 1484