Packets and Protocols

Chapter Nine
Other Programs Packaged with Wireshark
TShark
editcap
mergecap
text2pcap
capinfos
Dumpcap

All are useful “niche” utilities packaged with Wireshark
TShark
– TShark is the command-line version of Wireshark
– Virtually all the functionality of the GUI version
Capture Start Options

-i interface  Specifies the interface you want to use to capture data. The -D option
can be used to find out the names of your network interfaces. You can use the
number or the name as a parameter to the -i option. If you run TShark without the
-i option, it will search the list of interfaces and choose the first non-loopback
interface it finds. If it doesn't find any non-loopback interfaces, it will use the first
loopback interface. If this doesn't exist, TShark will exit with an error.

-f capture filter expression  Allows you to set the capture filter expression to use when
capturing data. For example, tshark -f "tcp port 80" will only capture incoming and
outgoing HTTP packets (the filter is quoted so the shell passes it to -f as one argument).

-s snaplen  Allows you to set the default snapshot length to use when capturing
data. The parameter snaplen specifies the length, in bytes, of each network packet
that will be read or saved to disk. The default snaplen is 65535 bytes, which should
be large enough to capture the entire frame contents for all data link types.

-p  Tells TShark not to put the interface in promiscuous mode. This will cause TShark
to only read traffic sent to and from the system on which TShark is running,
broadcast traffic, and multicast traffic.

-y type  Allows you to set the data link type to use while capturing packets. You can
use the -L option to list the data link types that are supported by an interface.

-D  Instructs TShark to print a list of available interfaces on the system. It will print
the interface number, name, and description and then return to the command
prompt. You can then supply the number or the name to the -i flag to specify an
interface on which to capture data. Specifying this option causes TShark to open and
attempt to capture on each interface it finds. It will only display the interfaces on
which this was successful. Also, if you need to be logged in as root to run TShark but
are not, this option will not display any available interfaces.

-L  Lists the data link types that are supported by an interface and then exits. You can
specify an interface to use, or TShark will choose the first one it finds as stated in the
-i option information.
Capture Stop Options


-c count  Sets the default number of packets to read when capturing data. For
example, if you only want to capture 100 packets you would specify -c 100.

-a test:value  Used when capturing to a file. It specifies to TShark when to stop
writing to the file. The criterion is in the form test:value, where test is either
duration or filesize. duration stops writing to a file when the specified number of
seconds has elapsed, and filesize stops writing to a file after a size of value
kilobytes has been reached.
Capture Output Option

-b number of ring buffer files[:duration]  Used with the -a option, and causes
TShark to continue capturing data to successive files. This is known as ring buffer
mode and will keep saving files up to the number specified within the option. When
the first file reaches the maximum size, as specified with the -a option, TShark will
begin writing to the next file. When all files are full, it will continue to write new files
as it removes the older ones. However, if the number of files is specified as 0, the
number of files TShark writes to will be unlimited, and will only be restricted by the
size of the hard disk. An optional duration parameter can also be specified so TShark
will switch to the next file when the instructed number of seconds has elapsed. This
will happen even if the current file is not yet full. The filenames created are based on
the number of the file and the creation date and time. You can only save files in the
libpcap format when this option is used.

Capture Input Option

-r file  Reads and processes a saved capture file.

TShark output
C:\Program Files\Wireshark>tshark -V -x
Capturing on \Device\NPF_{A302C81E-256D-4C92-8A72-866F2E1ED55F}
Frame 1 (114 bytes on wire, 114 bytes captured)
Arrival Time: Nov 28, 2003 22:14:16.221349000
Time delta from previous packet: 0.000000000 seconds
Time since reference or first frame: 0.000000000 seconds
Frame Number: 1
Packet Length: 114 bytes
Capture Length: 114 bytes
IEEE 802.3 Ethernet
Destination: ff:ff:ff:ff:ff:ff (Broadcast)
Source: 00:05:5d:ee:7e:53 (D-Link_ee:7e:53)
Length: 100
Logical-Link Control
DSAP: NetWare (0xe0)
IG Bit: Individual
SSAP: NetWare (0xe0)
CR Bit: Command
Control field: U, func = UI (0x03)
000. 00.. = Unnumbered Information
.... ..11 = Unnumbered frame
…cont
Socket: Unknown (0x4000)
Intermediate Networks: 1
0000 ff ff ff ff ff ff 00 05 5d ee 7e 53 00 64 e0 e0 ........].~S.d..
0010 03 ff ff 00 60 00 04 00 00 00 00 ff ff ff ff ff ....`...........
0020 ff 04 52 00 00 00 00 00 05 5d ee 7e 53 40 08 00 ..R......].~S@..
0030 02 06 4e 54 41 52 47 45 54 31 21 21 21 21 21 21 ..NTARGET1!!!!!!
0040 21 21 41 35 35 36 39 42 32 30 41 42 45 35 31 31 !!A5569B20ABE511
0050 43 45 39 43 41 34 30 30 30 30 34 43 37 36 32 38 CE9CA400004C7628
0060 33 32 00 00 00 00 00 00 05 5d ee 7e 53 40 00 00 32.......].~S@..
0070 01 01
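The hexdump that tshark -x prints is the same text layout that text2pcap (covered later in this chapter) reads back into a capture file. As an added example that is not part of the original slides, the following Python rebuilds the 114-byte frame above from that dump (constructed here from the output shown), checks it against the "bytes captured" count in the Frame line, and decodes the IEEE 802.3 length field and LLC header that TShark's verbose output displayed (DSAP/SSAP 0xe0, UI control 0x03):

```python
import re

# Constructed from the tshark -V -x output above: the Frame line and the 114-byte hexdump.
TSHARK_DUMP = """\
Frame 1 (114 bytes on wire, 114 bytes captured)
0000 ff ff ff ff ff ff 00 05 5d ee 7e 53 00 64 e0 e0 ........].~S.d..
0010 03 ff ff 00 60 00 04 00 00 00 00 ff ff ff ff ff ....`...........
0020 ff 04 52 00 00 00 00 00 05 5d ee 7e 53 40 08 00 ..R......].~S@..
0030 02 06 4e 54 41 52 47 45 54 31 21 21 21 21 21 21 ..NTARGET1!!!!!!
0040 21 21 41 35 35 36 39 42 32 30 41 42 45 35 31 31 !!A5569B20ABE511
0050 43 45 39 43 41 34 30 30 30 30 34 43 37 36 32 38 CE9CA400004C7628
0060 33 32 00 00 00 00 00 00 05 5d ee 7e 53 40 00 00 32.......].~S@..
0070 01 01
"""

CAPTURED_RE = re.compile(r"\((\d+) bytes captured\)")
DUMP_LINE_RE = re.compile(r"^([0-9a-fA-F]{4})\s+(.*)$")
HEX_BYTE_RE = re.compile(r"^[0-9a-fA-F]{2}$")


def parse_hexdump(text):
    """Rebuild the raw frame from a tshark -x dump (the layout text2pcap reads back in)."""
    captured, frame = None, bytearray()
    for line in text.splitlines():
        m = CAPTURED_RE.search(line)
        if m:
            captured = int(m.group(1))
            continue
        m = DUMP_LINE_RE.match(line)
        if not m:
            continue  # other -V lines (Arrival Time:, DSAP:, ...) are not dump lines
        if int(m.group(1), 16) != len(frame):
            raise ValueError(f"offset {m.group(1)} does not continue at byte {len(frame)}")
        taken = 0
        for tok in m.group(2).split():
            if taken == 16 or not HEX_BYTE_RE.match(tok):
                break  # a dump line carries at most 16 bytes; the ASCII column follows
            frame.append(int(tok, 16))
            taken += 1
    if captured is not None and len(frame) != captured:
        raise ValueError(f"dump holds {len(frame)} bytes but header says {captured}")
    return bytes(frame)


def decode_8023_llc(frame):
    """Decode the Ethernet header and, for an IEEE 802.3 frame, the LLC header behind it."""
    if len(frame) < 17:
        raise ValueError("frame too short for Ethernet + LLC")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":")}
    type_or_len = int.from_bytes(frame[12:14], "big")
    if type_or_len > 1500:
        info["ethertype"] = type_or_len  # Ethernet II: the field is a type and no LLC follows
        return info
    # 802.3: the field is the payload length and must cover every byte after the 14-byte header
    info["length"] = type_or_len
    info["length_consistent"] = type_or_len + 14 == len(frame)
    dsap, ssap, control = frame[14], frame[15], frame[16]
    info.update(dsap=dsap, ssap=ssap, control=control)
    info["ig_bit"] = "Group" if dsap & 1 else "Individual"   # low bit of DSAP
    info["cr_bit"] = "Response" if ssap & 1 else "Command"   # low bit of SSAP
    info["unnumbered_information"] = control == 0x03         # U-frame, func = UI
    return info
```

The length check is the one text2pcap cannot do for you: a dump whose 802.3 length field and byte count disagree is usually a truncated or mis-pasted capture rather than a real frame.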

TShark will also summarize statistics
– Protocol Hierarchy Statistics
-z major name,minor name,option(s),filter
C:\Program Files\Wireshark>tshark -nqz io,phs
<ctrl-c>
===================================================================
Protocol Hierarchy Statistics
Filter: frame

frame                                    frames:560 bytes:115233
  eth                                    frames:560 bytes:115233
    ip                                   frames:558 bytes:115005
      udp                                frames:53 bytes:10383
        dns                              frames:21 bytes:3215
        data                             frames:8 bytes:496
        isakmp                           frames:24 bytes:6672
      tcp                                frames:505 bytes:104622
        http                             frames:107 bytes:81798
    llc                                  frames:2 bytes:228
      ipx                                frames:2 bytes:228
        ipxsap                           frames:2 bytes:228
===================================================================

Protocol Statistics by Interval
-z io,stat,interval[,filter][,filter][,filter]
==========================================
IO Statistics
Interval: 300.000 secs
Column #0: frame
Column #1: ip.addr eq 10.18.129.130
                  |    Column #0    |   Column #1
Time              | frames |  bytes | frames | bytes
000.000-300.000   |     82 |   5874 |      0 |     0
300.000-600.000   |    248 |  18104 |      8 |   928
600.000-900.000   |   1171 |  86793 |      9 |  1044
900.000-1200.000  |   1247 |  93774 |     10 |  1160
1200.000-1500.000 |   1377 | 102314 |      6 |   696
1500.000-1800.000 |   2128 | 819636 |      4 |   464
1800.000-2100.000 |   1357 | 102840 |      8 |   928
2100.000-2400.000 |   1587 | 116295 |     10 |  1160
2400.000-2700.000 |   1565 | 179061 |      2 |   232
2700.000-3000.000 |   1450 |  98959 |      7 |   812
3000.000-3300.000 |   1436 | 101291 |      4 |   464
3300.000-3600.000 |   1826 | 218948 |      7 |   812
3600.000-3900.000 |    517 |  48140 |      0 |     0
==========================================
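Interval tables like this one are easy to post-process once captured to a file. As an added example that is not part of the original slides, the following Python parses the IO Statistics output (constructed here from the values above) into per-column (frames, bytes) counts and flags intervals whose byte volume exceeds three times the median, which is how the 1500-1800 s burst would surface in a monitoring script:

```python
import re
import statistics

# Constructed from the IO Statistics output above: frame and byte counts per 300 s
# interval for all frames (Column #0) and for ip.addr eq 10.18.129.130 (Column #1).
IO_STAT_OUTPUT = """\
IO Statistics
Interval: 300.000 secs
Column #0: frame
Column #1: ip.addr eq 10.18.129.130
                  |    Column #0    |   Column #1
Time              | frames |  bytes | frames | bytes
000.000-300.000   |     82 |   5874 |      0 |     0
300.000-600.000   |    248 |  18104 |      8 |   928
600.000-900.000   |   1171 |  86793 |      9 |  1044
900.000-1200.000  |   1247 |  93774 |     10 |  1160
1200.000-1500.000 |   1377 | 102314 |      6 |   696
1500.000-1800.000 |   2128 | 819636 |      4 |   464
1800.000-2100.000 |   1357 | 102840 |      8 |   928
2100.000-2400.000 |   1587 | 116295 |     10 |  1160
2400.000-2700.000 |   1565 | 179061 |      2 |   232
2700.000-3000.000 |   1450 |  98959 |      7 |   812
3000.000-3300.000 |   1436 | 101291 |      4 |   464
3300.000-3600.000 |   1826 | 218948 |      7 |   812
3600.000-3900.000 |    517 |  48140 |      0 |     0
"""

COLUMN_RE = re.compile(r"^Column #(\d+):\s*(.+)$")
INTERVAL_RE = re.compile(r"^(\d+\.\d+)-(\d+\.\d+)\s+(.*)$")


def parse_io_stat(text):
    """Return ({column index: filter}, rows); each row holds one (frames, bytes) pair per column."""
    columns, rows = {}, []
    for raw in text.splitlines():
        line = raw.replace("|", " ").strip()  # tshark separates the columns with '|'
        m = COLUMN_RE.match(line)
        if m:
            columns[int(m.group(1))] = m.group(2).strip()
            continue
        m = INTERVAL_RE.match(line)
        if not m:
            continue  # banner, "Interval:" line and the column headers
        values = [int(v) for v in m.group(3).split()]
        if len(values) != 2 * len(columns):
            raise ValueError(f"expected {2 * len(columns)} counts, got {len(values)}: {raw!r}")
        rows.append({"start": float(m.group(1)), "end": float(m.group(2)),
                     "counts": [(values[i], values[i + 1]) for i in range(0, len(values), 2)]})
    return columns, rows


def find_bursts(rows, column=0, factor=3.0):
    """Return (interval, bytes, bytes/s) for intervals whose byte volume exceeds factor x the median."""
    volumes = [row["counts"][column][1] for row in rows]
    median = statistics.median(volumes)  # a single spike cannot drag the median baseline up
    bursts = []
    for row, volume in zip(rows, volumes):
        if median > 0 and volume > factor * median:
            seconds = row["end"] - row["start"]
            bursts.append((f"{row['start']:.3f}-{row['end']:.3f}", volume, volume / seconds))
    return bursts
```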

Conversation Statistics
$ tshark -r defcon.dump -nqz conv,ip,"ip.addr eq 216.250.64.68"
============================================================================
IPv4 Conversations
Filter:ip.addr eq 216.250.64.68
                                   |      <-       | |      ->       | |     Total     |
                                   | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
216.250.64.68 <-> 192.168.2.215         85   8887        98  19007       183  27894
216.250.64.68 <-> 192.168.2.237         69   7076        42   8555       111  15631
216.250.64.68 <-> 192.168.2.23          60   6064         4    795        64   6859
216.250.64.68 <-> 192.168.2.212         51   4687         2    453        53   5140
216.250.64.68 <-> 192.168.0.173         35   3859        16   3099        51   6958
216.250.64.68 <-> 192.168.2.149         19   1791        26   4493        45   6284
216.250.64.68 <-> 192.168.2.102         18   2933        20   3852        38   6785
216.250.64.68 <-> 192.168.1.120         29   2657         9   1257        38   3914
216.250.64.68 <-> 192.168.2.72           9    864        22   5472        31   6336
216.250.64.68 <-> 192.168.0.153         20   1871         9   3658        29   5529
216.250.64.68 <-> 192.168.41.150        25   2348         3    348        28   2696
216.250.64.68 <-> 192.168.2.248         12   2370        15   3459        27   5829
216.250.64.68 <-> 192.168.2.192         14   1454        13   2460        27   3914
216.250.64.68 <-> 192.168.2.185         10   1087        17   5907        27   6994
216.250.64.68 <-> 192.168.2.103         16   1690        10   1759        26   3449
216.250.64.68 <-> 192.168.3.2           19   1735         6   1973        25   3708
216.250.64.68 <-> 192.168.2.7           13   1208        11   4155        24   5363
216.250.64.68 <-> 192.168.0.127         11   1123        12   2094        23   3217
216.250.64.68 <-> 192.168.2.121         18   1752         5   1150        23   2902
============================================================================

Packet Length Distribution
C:\>tshark -r dc11.dump -nqz plen,tree
====================================================
Packet Length          value    rate      percent
------------------------------------------------------------------
Packet Length          664070   0.001293
 0-19                  0        0.000000  0.00%
 20-39                 0        0.000000  0.00%
 40-79                 494456   0.000962  74.46%
 80-159                114463   0.000223  17.24%
 160-319               16117    0.000031  2.43%
 320-639               13583    0.000026  2.05%
 640-1279              3597     0.000007  0.54%
 1280-2559             21854    0.000043  3.29%
 2560-5119             0        0.000000  0.00%
 5120-                 0        0.000000  0.00%
====================================================

Destinations Tree
C:\>tshark -r http.cap -nqz dests,tree
===========================================================
Destinations                 value  rate      percent
------------------------------------------------------------------
Destinations                 43     0.001415
 145.254.160.237             20     0.000658  46.51%
  TCP                        19     0.000625  95.00%
   80                        19     0.000625  100.00%
  UDP                        1      0.000033  5.00%
   53                        1      0.000033  100.00%
 65.208.228.223              18     0.000592  41.86%
  TCP                        18     0.000592  100.00%
   3372                      18     0.000592  100.00%
 145.253.2.203               1      0.000033  2.33%
  UDP                        1      0.000033  100.00%
   3009                      1      0.000033  100.00%
 216.239.59.99               4      0.000132  9.30%
  TCP                        4      0.000132  100.00%
   3371                      4      0.000132  100.00%
===========================================================


Packet Summary Columns
Example: The following example reads from the http.cap capture file and reports the standard summary output.
C:\>tshark -r http.cap -n
  1 0.000000 145.254.160.237 -> 65.208.228.223 3372 > 80 [SYN] Seq=0 Len=0 MSS=1460
  2 0.911310 65.208.228.223 -> 145.254.160.237 80 > 3372 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1380
  3 0.911310 145.254.160.237 -> 65.208.228.223 3372 > 80 [ACK] Seq=1 Ack=1 Win=9660 Len=0

SIP Statistics
C:\>tshark -r sip1.dump -nqz sip,stat
================================================
SIP Statistics
Number of SIP messages: 37
Number of resent SIP messages: 0
* SIP Status Codes in reply packets
SIP 407 Proxy Authentication Required : 1 Packets
SIP 200 OK : 10 Packets
SIP 100 Trying : 4 Packets
SIP 180 Ringing : 2 Packets
* List of SIP Request methods
INVITE : 9 Packets
BYE : 2 Packets
ACK : 9 Packets

H.225 Counters
C:\>tshark -r rtp_example.raw.gz -nqz h225,counter
==================
H225 Message and Reason Counter
==================
RAS-Messages:
Call Signalling:
 setup          : 1
 callProceeding : 1
 connect        : 1
 alerting       : 1
======================================

H.225 Service Response Time
Syntax: -z h225,srt[,filter]

Another H.225 statistics reporting mechanism, the H.225
Service Response Time (SRT) statistics option reports the
RAS message type; minimum, maximum, and average SRT
metrics; the number of open requests (that have not yet
received a response); discarded requests; and duplicate
messages. Each of these statistics can be useful for
analyzing activity on VoIP networks to identify traffic
patterns and metrics that could negatively influence VoIP
service.
Media Gateway Control Protocol Round Trip Delay
Syntax: -z mgcp,rtd[,filter]


The Media Gateway Control Protocol (MGCP) is
used in VoIP networks as an intermediary
between traditional telephone circuits and data
packets. Using this statistics reporting option,
you can identify the response time delay (RTD)
between stations and the MGCP server, and
duplicate requests and responses, requests to
unresponsive servers, and responses that do not
match any requests.

SMB Round Trip Data
$ tshark -r rtl-fileshare.dump -nqz smb,rtt
===========================================================
SMB RTT Statistics:
Filter:
Commands                 Calls   Min RTT   Max RTT   Avg RTT
Open                         1   0.00186   0.00186   0.00186
Close                        4   0.00023   0.00176   0.00066
Trans                        5   0.00190  13.69178   2.76430
Open AndX                    1   0.00450   0.00450   0.00450
Read AndX                  309   0.00025   0.01865   0.00412
Tree Disconnect              7   0.00117   0.14601   0.02324
Negotiate Protocol           8   0.00026   0.07451   0.02226
Session Setup AndX          16   0.00028   0.01928   0.00578
Logoff AndX                 12   0.00074   0.00872   0.00258
Tree Connect AndX            7   0.00081   0.00399   0.00190
NT Create AndX               4   0.00029   0.00270   0.00132

Transaction2 Commands    Calls   Min RTT   Max RTT   Avg RTT
FIND_FIRST2                  1   0.19993   0.19993   0.19993
QUERY_FS_INFO                2   0.00023   0.00248   0.00135
QUERY_FILE_INFO              2   0.00040   0.00551   0.00296

NT Transaction Commands  Calls   Min RTT   Max RTT   Avg RTT
===========================================================

SMB Security Identifier Name Snooping

Syntax: -z smb,sids

Another SMB analysis feature is the capability to
use security identifier (SID) snooping techniques
to identify potentially sensitive SIDs and their
associated account names. This feature can be
useful when performing a security audit of traffic
captured from a Windows network, representing
information that is valuable to an attacker for
impersonating a legitimate user.


BOOTP Statistics
Syntax: -z bootp,stat,[filter]
$ tshark -nqr rtl-fileshare.dump -z bootp,stat,
==============================================
BOOTP Statistics with filter
BOOTP Option 53: DHCP Messages Types:
DHCP Message Type   Packets nb
Inform                      74
ACK                        275
Release                     10
NAK                         82
Decline                     25
Request                   1255
Discover                  1811
Offer                      279
==============================================

HTTP Statistics

Syntax: -z http,stat,[filter]
====================================================
HTTP Statistics
* HTTP Status Codes in reply packets
HTTP 408 Request Time-out
HTTP 301 Moved Permanently
HTTP 302 Moved Temporarily
HTTP 304 Not Modified
HTTP 200 OK
HTTP 206 Partial Content
HTTP 100 Continue
HTTP 403 Forbidden
HTTP 404 Not Found
* List of HTTP Request methods
SEARCH 336
GET 1447
POST 8
HEAD 2
====================================================

HTTP Tree Statistics
C:\>tshark -r Kismet-Aug-01-2002-2.dump -nqz http,tree
======================================================
HTTP/Packet Counter          value   rate      percent
------------------------------------------------------------------
Total HTTP Packets           8067    0.001504
 HTTP Request Packets        1793    0.000334  22.23%
  SEARCH                      336    0.000063  18.74%
  GET                        1447    0.000270  80.70%
  POST                          8    0.000001  0.45%
  HEAD                          2    0.000000  0.11%
 HTTP Response Packets       1296    0.000242  16.07%
  ???: broken                   0    0.000000  0.00%
  1xx: Informational          121    0.000023  9.34%
   100 Continue               121    0.000023  100.00%
  2xx: Success                689    0.000128  53.16%
   200 OK                     685    0.000128  99.42%
   206 Partial Content          4    0.000001  0.58%
  3xx: Redirection            479    0.000089  36.96%
   304 Not Modified           452    0.000084  94.36%
   302 Found                   24    0.000004  5.01%
   301 Moved Perm               3    0.000001  0.63%
  4xx: Client Error             7    0.000001  0.54%
   408 Request Time             4    0.000001  57.14%
   404 Not Found                1    0.000000  14.29%
   403 Forbidden                2    0.000000  28.57%
  5xx: Server Error             0    0.000000  0.00%
 Other HTTP Packets          4978    0.000928  61.71%
======================================================

HTTP Request Statistics
C:\>tshark -r Kismet-Aug-01-2002-2.dump -nqz http_req,tree,"ip.addr eq 66.207.60.150"
================================================
HTTP/Requests                    value  rate      percent
----------------------------------------------------------
HTTP Requests by HTTP Host          35  0.000757
 www.megatokyo.com                  35  0.000757  100.00%
  /parts/mt2-head-top.gif            3  0.000065  8.57%
  /parts/mt2-merchandise.gif         2  0.000043  5.71%
  /parts/mt-shadow-right.gif         8  0.000173  22.86%
  /parts/mt-glow-top.gif             4  0.000087  11.43%
  /parts/mt-blk_bar-credits.gif     14  0.000303  40.00%
  /parts/pix-dark.gif                1  0.000022  2.86%
  /parts/mt-bottom-prev.gif          2  0.000043  5.71%
  /parts/mt-glow-bottom.gif          1  0.000022  2.86%
===============================================
Editcap
“editcap is a program used to remove or select packets from a file and to translate the format of captured files. It doesn’t capture live traffic; it only reads data from a saved capture file and then saves some or all of the packets to a new capture file.”
Review Pages 502-507 for options

Mergecap
– Used to combine multiple captures into one file
– Mergecap can also write the output capture file to standard and modified versions of libpcap, Sun snoop, Novell LANalyzer, NAI Sniffer, Microsoft Network Monitor, Visual Network traffic capture, Accellent 5Views capture, and Network Instruments Observer version 9 captures.
-a  Ignores the timestamps in the input capture files and merges the capture files one after the other. When this option is omitted, the packets in the input files are merged in chronological order based on the packet timestamps.
-F type  Used to set the format of the output capture file. For example, if you want to merge capture files and save them in the Sun snoop format so snoop can read the output file, you would use the -F snoop option.
-h  Prints the help options of mergecap, and then exits.
-s snaplen  Sets the snapshot length to use when writing the data to the output capture file. Packets larger than the snaplen will be truncated.
-T type  Sets the packet encapsulation type of the output capture file. The default type is the same encapsulation type as the input files, if they are all the same.
-v  Verbose; causes mergecap to print various messages to the screen while it is processing files.
-w file  Writes the packets to the filename specified following the option. This option is required for mergecap to merge files.
Text2pcap
– Generates capture files by reading ASCII hexadecimal dump captures and writing the data to a libpcap output file. It is capable of reading a hexdump of single or multiple packets, and building capture files from it.
– See options on pages 513-515
Capinfos
– Examines a stored capture file and reports statistics related to the number of packets, packet sizes, and timing information. Unlike other statistics reporting mechanisms in other Wireshark tools, capinfos does not report on the contents of traffic, instead giving a quick summary of the capture file contents.
-h  Prints the help options of capinfos, and then exits.
-t  Displays the capture file type as one of the supported Wireshark capture file formats, regardless of the filename extension.
-c  Displays the number of packets in the capture file.
-d  Displays the total length of all the packets in the file as a number of bytes.
-u  Displays the capture file duration in seconds.
-a  Displays the capture start time.
-e  Displays the capture end time.
-y  Displays the average data rate in bytes per second.
-i  Displays the average data rate in bits per second.
-z  Displays the average packet size in bytes.
Dumpcap
– Used to capture traffic from a live interface and save to a libpcap file. This utility includes a subset of the functions available in TShark, but does not include the vast library of protocol decoders. This gives dumpcap a significantly smaller footprint, which can be beneficial on low-memory systems capturing traffic with multiple processes.
-a test:value  Instructs dumpcap to stop writing to a file when it meets the specified test condition and value. This option mirrors the functionality of -a in TShark.
-b number of ring buffer files[:duration]  Used with the -a option, causes dumpcap to continue capturing data to successive files. This option mirrors the functionality of -b in TShark.
-B buffer size  Available only on Windows systems, causes dumpcap to allocate a buffer for storing packet data during a capture before writing to the disk. This option mirrors the functionality of -B in TShark.
-c count  Sets the default number of packets to read when capturing data. This option mirrors the functionality of -c in TShark.
-D  Instructs dumpcap to print a list of available interfaces on the system, mirroring the functionality of -D in TShark.
-f capture filter expression  Allows you to set the filter expression to use when capturing data, mirroring the functionality of -f in TShark.
-h  Prints the version of dumpcap and the help options, and then exits.
-i interface  Specifies the interface you want to use to capture data, mirroring the functionality of -i in TShark.
-L  Lists the data link types that are supported by an interface and then exits, mirroring the functionality of -L in TShark.
-p  Tells dumpcap not to put the interface in promiscuous mode, mirroring the functionality of -p in TShark.
-s snaplen  Allows you to set the default snapshot length to use when capturing data, mirroring the functionality of -s in TShark.
-v  Prints the dumpcap version information and exits.
-w file  Writes the packets to the filename specified following the option, mirroring the functionality of -w in TShark.
-y type  Allows you to set the data link type to use while capturing packets, mirroring the functionality of -y in TShark.
Summary
– Wireshark is more than the GUI; it is a suite of programs that provide command-line capturing, formatting, and manipulating capabilities.