One of the main advantages of Tshark against Wireshark is the flexibility to play with the inputs and outputs from the command line. Thanks to this, we can write small scripts to automate different kind of tasks.
Throughout this book, we have seen many examples using various parameters of Tshark. In practice, you may not remember many of these options due to the vast amount of existing parameters. Apart from using Help from the command line (-h
), remember that you can take advantage of the Linux shell to permanently save many Tshark instructions, saving you a lot of time.
If you periodically check the status of some network protocols you could create an alias for it and save it in
.bashrc
. Thus the alias will be stored permanently in your profile:bmerino@Mordor:~$ echo "alias tpassive='tshark -i wlan1 -R \"stp||arp||bootp||vrrp\"'" >> $HOME/.bashrc bmerino@Mordor:~$ . .bashrc bmerino@Mordor:~$ tpassive
This would generate the following output:
Capturing on wlan1 1.208225 64:68:0c:ea:41:ad -> 01:80:c2:00:00:00 STP 60 RST. Root = 36864/128/5c:33:8e:72:b1:48 Cost = 4000000 Port = 0x5005 1.822549 78:92:9c:89:b9:de -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.99? Tell 192.168.1.35
The same applies in the following example. If we tend to check incoming connections to our machine, including certain types of scans from tools such as Nmap, we can create the following alias. This way we will not have to write long chains of parameters each time.
In this recipe we have used an interesting new parameter, -s
(snaplen). With this option we will tell Tshark the amount of bytes we want to capture for each packet (instead of saving the entire content). This process, also known as PacketSlicing, will allow us to save CPU time and generate much smaller capture files. In our case, since we needed only to know the TCP flags of each packet to identify the type of scan, we specified a snaplen of 58. Remember that the Ethernet header takes 14 bytes and the IPv4 and TCP header 20 bytes each; so 58 bytes will be enough for us to reach the flags field. This is not the only way to improve the performance of Tshark. Disabling name resolution (the –n
option), not putting the interface in promiscuous mode (the –p
option), or incrementing the buffer size used by the capture driver (the –B
option), can help us enormously when we need to capture very high amounts of packets.
Let's consider now the following scenario. During the last week we found illegitimate access to the web server. After investigating the possible cause of the intrusion, we conclude that the attacker had captured the session cookie of the Admin user to get access to the server. In addition, an incorrect session management allowed him to use that cookie permanently. To locate the attacker, we used a small Python script to notify us by mail when someone tried to use that cookie. Also, to get more information about his host, we would launch NMAP against his IP. Take a look at how we played with the Tshark output to feed both functions: send_mail
and scan_Nmap
.