tshark Lab

[toggle_content title="Transcript"]
In this lab I want to talk to you about tshark. tshark is a pretty awesome terminal sniffing tool, really, really easy to use. So first let us check out the manual page for it. So let us do a man tshark and you basically can see "tshark - network traffic". I will kind of highlight some of the options that you can do in here: you can specify a file and the format of the file if you want to; you can specify the interface that you want to listen on, or you can have it all dumped to a terminal if you want; you can specify what protocols you want. You can read an input file if you already have a file captured, and that is basically it. So it is basically tshark followed by the protocols, the values and the other options that you want. So just in the quick description of this, tshark is the network protocol analyzer; it allows you to capture data from a live network and write this to a capture file, or print decoded information to the terminal. So we will go ahead and exit out of the manual file and I am going to just do it. I am going to do a tshark, and I will just do this regularly at first, and then I will basically just run a scan on the network. So I will do an nmap scan, just to generate some traffic. We also could simultaneously open up EtherApe here, just to give an idea of what the scan is doing on the network. So you can kind of watch this scan unfold in real time, and you can see that all the traffic is coming from 92.130, which is me, and I am basically just going after the network, trying to enumerate the different styles of traffic. Now, since I did this to basically a whole class B subnet, I am generating significant amounts of traffic here, purposely for the illustration. I can go ahead and stop the scanning tool at this point. So I will just stop the nmap scan, because I don't necessarily want to see the whole traffic; I just want to scroll up and give you the idea of the format of this.

So in this case you can see the timestamp right in the beginning, the source IP address, the destination IP address, the protocol that it is using. DNS in this case: it is using a standard query, a little bit of hexadecimal information, a PTR record, and then the actual PTR record that actually came back from the source. And then you can see, for example, if we go grab a different type of traffic, here is an ICMP echo request, or ping request, which is a type 8, and then zero for the echo reply, and the sequence number and the time to live. Now also I could set this up to grep this for something like ICMP if I want as well, and then if I just run my scan again, it will only give me the results for just the ICMP, as you can see here. Or if I wanted to set it up for just DNS, or just UDP, or just TCP, or just HTTP, or just whatever you want, you certainly can do that. The syntax was tshark, bar or pipe, and in the next command you want to use grep for ICMP, and that will just give you those specific filter results. Or if I just wanted to get a particular source address, I certainly could do that as well. So that is the basics of using terminal Wireshark. I like this because of the way that it dumps things to the terminal very, very cleanly. But I wanted to get a little bit more crazy with it. I could set it to verbose mode; it is a capital V, or let's just double check this. There it is. So let me just stop right away; that is going to be way, way too verbose, and in this case let us see if we can get to the beginning of the packet. You can see the protocol; it gives you a complete terminal breakdown of exactly what is in the complete packet. So all of the flags, anything in ICMP, IP, TCP, UDP or the upper layer applications, the actual protocol fields would be dumped. Now I have to warn you, doing it with this much detail can certainly, certainly bog down your terminal.

I captured 104 packets, but ten of them were actually dropped, so just keep that in mind when you are analyzing tshark in verbose mode, because I guess you can get a lot of results. So you are going to want a high speed fibre interface if you are actually going to do this on a production network. Otherwise that is it; that is the basics of tshark. It is a terminal sniffer, real easy to use. Go ahead and practice it on your Kali or any Linux build operating system; easy to use. Basically, to learn sniffing and the actual way that the protocols are laid out, because you actually get to see the whole translation of what happens on a network. Thanks for watching, my name is Leo Dregier and I will see you in the next video.
[/toggle_content]

The next lab in the Sniffing Traffic series introduces you to tshark, a terminal sniffing tool. In this lab, you'll learn how to decipher specific network traffic data that is displayed from the dump file using tshark. You'll also learn how you can specify the type and location of your dump file output, and how to add additional data sets to the output, a traffic sniffing essential.
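The one-line summary format the transcript walks through (timestamp, source, destination, protocol, then the Info column with the DNS query or the ICMP echo type) can be parsed and filtered more precisely than with the `tshark | grep ICMP` pipeline the lab uses. The Python below is an added example written for this page, not code from the lab or from the tshark project. The SAMPLE text is constructed to look like `tshark -n -i eth0` output during an nmap sweep (the 192.168.92.x addresses are invented for illustration), and the column layout (frame number, relative time, source, arrow, destination, protocol, frame length, info) is assumed to match recent tshark releases. It also shows the caveat the transcript glosses over: grep matches a substring anywhere on the line, so `grep DNS` also picks up MDNS, while matching on the decoded protocol column does not.

```python
"""Parse tshark one-line packet summaries and filter them, both the way the
lab does it (grep, i.e. substring match on the raw line) and by exact match on
the decoded columns.

SAMPLE is constructed for this example, not captured from the lab. The column
layout is assumed to match recent tshark releases.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample standing in for `tshark -n -i eth0` output during a scan.
SAMPLE = """\
Capturing on 'eth0'
  1 0.000000000 192.168.92.130 → 192.168.92.2 DNS 84 Standard query 0x1d2c PTR 1.92.168.192.in-addr.arpa
  2 0.000812000 192.168.92.2 → 192.168.92.130 DNS 116 Standard query response 0x1d2c PTR 1.92.168.192.in-addr.arpa PTR gw.lab.local
  3 0.001500000 192.168.92.130 → 192.168.92.1 ICMP 42 Echo (ping) request  id=0x1234, seq=0/0, ttl=64
  4 0.001900000 192.168.92.1 → 192.168.92.130 ICMP 42 Echo (ping) reply    id=0x1234, seq=0/0, ttl=128
  5 0.002300000 192.168.92.130 → 192.168.92.1 TCP 58 44021 → 80 [SYN] Seq=0 Win=1024 Len=0
  6 0.002700000 192.168.92.1 → 192.168.92.130 TCP 58 80 → 44021 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0
  7 0.003100000 192.168.92.77 → 224.0.0.251 MDNS 82 Standard query 0x0000 PTR _ipp._tcp.local, "QM" question
7 packets captured
"""

# Source and destination are separated by "->" (older tshark) or "→" (newer).
# Only the FIRST arrow separates src and dst: TCP's Info column carries its own
# "port → port" arrow, so the split must stop after one match.
_ARROW = re.compile(r"\s+(?:->|→)\s+")


def parse_summary_line(line: str) -> Optional[Dict[str, str]]:
    """Turn one summary line into a dict, or None for non-packet lines
    ("Capturing on ...", "N packets captured", blanks)."""
    if not _ARROW.search(line):
        return None
    left, right = _ARROW.split(line, maxsplit=1)
    head = left.split()                 # frame number, relative time, source
    if len(head) != 3:
        return None
    tail = right.split(maxsplit=3)      # destination, protocol, length, info
    if len(tail) < 3:
        return None
    frame, time, src = head
    dst, proto, length = tail[:3]
    info = tail[3] if len(tail) > 3 else ""
    return {"frame": frame, "time": time, "src": src, "dst": dst,
            "proto": proto, "len": length, "info": info}


def parse_summary(text: str) -> List[Dict[str, str]]:
    """Parse every line, dropping the ones that are not packet summaries."""
    return [p for p in map(parse_summary_line, text.splitlines()) if p]


def grep_lines(text: str, needle: str) -> List[str]:
    """What `tshark ... | grep NEEDLE` does: substring match on the raw line,
    so "DNS" also matches MDNS and anything mentioning DNS in the Info column."""
    return [ln for ln in text.splitlines() if needle in ln]


def filter_packets(packets, proto=None, src=None, dst=None):
    """Exact-match selection on the decoded columns (protocol, source, destination)."""
    return [p for p in packets
            if (proto is None or p["proto"] == proto)
            and (src is None or p["src"] == src)
            and (dst is None or p["dst"] == dst)]


def icmp_kind(pkt: Dict[str, str]) -> Optional[str]:
    """Classify an ICMP summary as echo request/reply from its Info column."""
    if pkt["proto"] != "ICMP":
        return None
    info = pkt["info"].lower()
    if "request" in info:
        return "request"
    if "reply" in info:
        return "reply"
    return "other"


def protocol_counts(packets) -> Dict[str, int]:
    """Per-protocol breakdown of what the scan put on the wire."""
    return dict(Counter(p["proto"] for p in packets))


if __name__ == "__main__":
    pkts = parse_summary(SAMPLE)
    print(protocol_counts(pkts))
    print("grep DNS  ->", len(grep_lines(SAMPLE, "DNS")), "lines (MDNS included)")
    print("proto DNS ->", len(filter_packets(pkts, proto="DNS")), "packets")
    for p in filter_packets(pkts, proto="ICMP"):
        print(p["frame"], p["src"], "->", p["dst"], icmp_kind(p))
```

In a real run you would feed the output of `tshark -n -i eth0` (or `tshark -r capture.pcap` for a saved file) into `parse_summary` instead of the constructed SAMPLE. tshark can also do the selection itself: a capture filter such as `-f "icmp"` is applied before the dissector ever sees the packet, and a display filter such as `-Y "icmp"` matches on the decoded protocol, so neither has grep's substring problem. For the verbose `-V` breakdown the transcript shows, capturing to a file first with `-w` and then reading it back with `-r ... -V` avoids the dropped packets that come from rendering every field live.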