TShark
Using TShark for PCAP Data Analysis in an Investigation
TShark, the command-line counterpart to Wireshark, is a powerful tool for analysing PCAP data in network forensic investigations. It decodes captured traffic in detail, letting analysts uncover malicious activity and establish the scope of a security incident.
Key benefits of using TShark include:
Efficiency in Large-Scale Analysis:
TShark can process large PCAP files quickly and efficiently, making it ideal for investigating high-volume network traffic without requiring a graphical interface.
Granular Filtering and Queries:
With its robust filtering options, TShark allows analysts to isolate specific traffic types, such as HTTP, DNS, or SMB, or focus on particular indicators like IP addresses, ports, or protocol flags.
Customisable Output:
Analysts can extract specific fields (e.g., timestamps, source/destination IPs, packet lengths) and export the data in formats like JSON, CSV, or plain text for further analysis or reporting.
Protocol-Specific Insights:
TShark decodes and interprets hundreds of protocols, making it easier to analyse the contents of application-layer protocols like HTTP, FTP, DNS, and TLS.
Integration with Automation:
Its command-line nature allows TShark to be integrated into scripts for automated analysis, such as detecting IoCs, extracting credentials, or monitoring traffic patterns.
Forensic Applications:
TShark can be used to reconstruct events, such as identifying command-and-control communication, detecting large file transfers (data exfiltration), or analysing malicious payloads.
Reproducibility and Reporting:
The ability to generate logs and export specific packets makes TShark a reliable tool for creating reproducible evidence and detailed investigative reports.
By leveraging TShark, investigators gain a precise, scalable, and scriptable tool for deep-diving into network traffic, identifying threats, and gathering actionable intelligence during cybersecurity investigations.
Below is a set of TShark queries designed for forensic analysis of .pcap files, each accompanied by an explanation of its purpose. TShark, the command-line version of Wireshark, lets you analyse network traffic efficiently during investigations.
1. Read Basic Packet Information
Explanation: Displays a summary of all packets in the pcap file. Use this as a starting point to get an overview of the traffic.
2. Extract HTTP GET and POST Requests
Explanation: Extracts HTTP request methods (GET, POST), the hostnames, and URIs. This is useful for identifying malicious web requests or data exfiltration; POST bodies are where uploaded data travels, so large or frequent POSTs to an unfamiliar host deserve a closer look.
3. Filter Traffic by IP Address
Explanation: Displays all packets involving a specific IP address (192.168.1.10). This isolates traffic related to a potentially compromised host.
4. Filter DNS Queries
Explanation: Extracts DNS queries with timestamps. Helps identify unusual or suspicious domain lookups, such as those related to malware or ransomware C2 servers.
5. Filter by Protocol
HTTP:
TCP:
UDP:
Explanation: Filters traffic by protocol type to focus on specific types of communication.
6. Identify Large Packets (Possible Data Exfiltration)
Explanation: Filters packets larger than 1000 bytes, which are typical of file transfers. Bear in mind that any bulk transfer, ordinary downloads included, fills frames to the link MTU (about 1,500 bytes on Ethernet), so use this to find candidate conversations, then confirm by totalling bytes per conversation and checking that the data flows outbound from the internal host before calling it exfiltration.
7. Detect SMB Activity
Explanation: Extracts SMB traffic to identify suspicious file operations (share connections, file reads and writes) or lateral movement attempts. Modern Windows hosts speak SMB2/SMB3, which Wireshark dissects as smb2 rather than smb, so match both protocols.
8. Extract Credentials from FTP or HTTP Traffic
FTP:
HTTP Basic Auth:
Explanation: Detects credentials sent in the clear. FTP transmits the USER and PASS commands as plaintext, and HTTP Basic authentication only base64-encodes the username:password pair, which is trivially reversible.
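The script below is an added example (it is not one of the page's own queries and not part of TShark) showing how the two field extractions above are turned into usable credential records in a script: FTP USER and PASS commands are paired per TCP stream so interleaved sessions do not get mixed up, and HTTP Basic headers are base64-decoded. The two tshark invocations, the file name capture.pcap and the sample output lines are assumptions and constructed data, not real traffic.

```python
"""Added example (not one of the page's queries): pull FTP USER/PASS pairs and
HTTP Basic credentials out of tshark field output. The two tshark command
lines and the sample output are assumptions/constructed, not real traffic."""
import base64
import binascii

# Assumed tshark invocations. tcp.stream lets USER and PASS be paired even
# when several FTP sessions are interleaved in the capture.
FTP_CMD = ["tshark", "-r", "capture.pcap",
           "-Y", 'ftp.request.command == "USER" || ftp.request.command == "PASS"',
           "-T", "fields", "-E", "separator=/t",
           "-e", "tcp.stream", "-e", "ip.src", "-e", "ip.dst",
           "-e", "ftp.request.command", "-e", "ftp.request.arg"]
HTTP_CMD = ["tshark", "-r", "capture.pcap", "-Y", "http.authorization",
            "-T", "fields", "-E", "separator=/t",
            "-e", "ip.src", "-e", "http.host", "-e", "http.request.uri",
            "-e", "http.authorization"]


def ftp_logins(lines):
    """Pair each USER with the next PASS on the same TCP stream."""
    pending, logins = {}, []
    for line in lines:
        stream, src, dst, command, arg = line.split("\t")
        if command == "USER":
            pending[stream] = (src, dst, arg)
        elif command == "PASS" and stream in pending:
            src, dst, user = pending.pop(stream)
            logins.append({"client": src, "server": dst,
                           "user": user, "password": arg})
    return logins


def http_basic_credentials(lines):
    """Decode Basic credentials; other schemes (Bearer, Digest, NTLM) carry
    no directly recoverable password and are skipped."""
    creds = []
    for line in lines:
        src, host, uri, auth = line.split("\t")
        scheme, _, token = auth.partition(" ")
        if scheme.lower() != "basic":
            continue
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue  # malformed header: skip rather than crash mid-triage
        user, _, password = decoded.partition(":")
        creds.append({"client": src, "host": host, "uri": uri,
                      "user": user, "password": password})
    return creds


# Constructed sample output for the two commands above (not real traffic).
FTP_SAMPLE = [
    "3\t10.0.0.5\t192.0.2.20\tUSER\tbackup",
    "7\t10.0.0.9\t192.0.2.20\tUSER\tanonymous",
    "3\t10.0.0.5\t192.0.2.20\tPASS\tWinter2024!",
    "7\t10.0.0.9\t192.0.2.20\tPASS\tguest@example.test",
    "9\t10.0.0.9\t192.0.2.20\tPASS\torphan",   # PASS with no USER: ignored
]
HTTP_SAMPLE = [
    "10.0.0.5\tintranet.example.test\t/admin/\tBasic YWRtaW46aHVudGVyMg==",
    "10.0.0.6\tapi.example.test\t/v1/\tBearer abc.def.ghi",
]

if __name__ == "__main__":
    for entry in ftp_logins(FTP_SAMPLE) + http_basic_credentials(HTTP_SAMPLE):
        print(entry)
```

Recent Wireshark releases also expose the decoded pair directly as the http.authbasic field; decoding from the raw header as above works on any version and makes it obvious why Basic auth over plain HTTP is a finding in its own right.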
9. Analyse Command-and-Control (C2) Activity
HTTP-Based C2:
DNS Tunneling:
Explanation: Filters packets for C2 activity over HTTP (for example, regular beaconing to a single external IP) or DNS (unusually long or numerous query names under one domain, often using TXT or NULL record types). Replace the IP or payload length with values from your investigation.
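For the DNS tunnelling case, a display filter on query length finds the obvious cases but misses tunnels that keep each name short and spread the payload over many queries. The following script is an added example (not one of the page's queries, not part of TShark) that scores each domain seen in tshark's DNS query output on the traits a tunnel cannot hide: many unique subdomains, long names, high-entropy labels, and a preference for TXT or NULL records. The tshark invocation and the file name capture.pcap are assumptions, and the sample query names are constructed with a hash as a stand-in for encoded data.

```python
"""Added example (not one of the page's queries): score DNS query names per
domain for tunnelling traits (many unique subdomains, long names, high
entropy, TXT/NULL records). Assumed tshark command; sample names are constructed."""
import hashlib
import math
from collections import Counter, defaultdict

# Assumed invocation: queries only (dns.flags.response == 0).
DNS_CMD = ["tshark", "-r", "capture.pcap", "-Y", "dns.flags.response == 0",
           "-T", "fields", "-E", "separator=/t",
           "-e", "frame.time_epoch", "-e", "ip.src",
           "-e", "dns.qry.name", "-e", "dns.qry.type"]
TXT, NULL = 16, 10   # dns.qry.type values favoured by tunnelling tools


def shannon_entropy(text):
    """Bits per character; random base32/hex payloads score well above
    human-chosen host names."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_name(qname):
    """Crude registrable-domain split: last two labels vs. the rest.
    (Use a public-suffix list for co.uk-style domains in real use.)"""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def dns_domain_stats(lines):
    """Accumulate per-domain counters from tshark's tab-separated rows."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "clients": set(),
                                 "len_sum": 0, "entropy_sum": 0.0, "txt_or_null": 0})
    for line in lines:
        _ts, src, qname, qtype = line.split("\t")
        base, sub = split_name(qname)
        s = stats[base]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["clients"].add(src)
        s["len_sum"] += len(qname)
        s["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
        s["txt_or_null"] += int(qtype) in (TXT, NULL)
    return stats


def suspicious_domains(lines, min_subdomains=20, min_entropy=3.5, min_len=40):
    """Domains with many unique subdomains that are also long or high-entropy."""
    hits = []
    for base, s in dns_domain_stats(lines).items():
        unique, n = len(s["subdomains"]), s["queries"]
        avg_len, avg_ent = s["len_sum"] / n, s["entropy_sum"] / n
        if unique >= min_subdomains and (avg_ent >= min_entropy or avg_len >= min_len):
            hits.append({"domain": base, "unique_subdomains": unique,
                         "avg_name_len": round(avg_len, 1),
                         "avg_entropy": round(avg_ent, 2),
                         "txt_or_null": s["txt_or_null"],
                         "clients": sorted(s["clients"])})
    return sorted(hits, key=lambda h: h["unique_subdomains"], reverse=True)


def _chunk(i):
    """Deterministic stand-in for an encoded data chunk (constructed sample)."""
    return hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]


# Constructed sample: 30 TXT queries carrying hex chunks under exfil.test,
# plus ordinary A lookups for a few well-known names under example.test.
SAMPLE_LINES = (
    [f"1700000{i:03d}.0\t10.0.0.5\t{_chunk(i)[:32]}.{_chunk(i)[32:]}.exfil.test\t{TXT}"
     for i in range(30)]
    + [f"1700000{i:03d}.0\t10.0.0.{6 + i % 3}\t{name}.example.test\t1"
       for i, name in enumerate(["www", "mail", "www", "login", "cdn", "www"])]
)

if __name__ == "__main__":
    for hit in suspicious_domains(SAMPLE_LINES):
        print(hit)
```

Treat hits as leads rather than verdicts: some legitimate services (CDNs and security-product telemetry) also generate large numbers of unique, random-looking subdomains, so check the domain's registration and the client's other activity before escalating.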
10. Detect Port Scanning Activity
Explanation: Filters for packets with SYN set and ACK clear, i.e. new connection attempts. A filter alone only lists those attempts; the signature of a port scan is a single source sending SYNs to many distinct ports or hosts in a short time, most of them answered by a RST or by nothing at all, so count distinct destination ports per source and check which SYNs got a SYN/ACK back to confirm.
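The script below is an added example (not one of the page's own queries, not part of TShark) that does the confirmation step in code: it reads tshark field output containing both SYNs and the SYN/ACK or RST replies, and produces a per-source summary of how many hosts and ports were probed and how each probe ended. The tshark invocation, the file name capture.pcap and the sample rows are assumptions and constructed data.

```python
"""Added example (not one of the page's queries): turn the SYN-only filter
into a per-source scan summary by matching each SYN against the SYN/ACK or
RST that came back. Assumed tshark command and constructed sample output."""
from collections import defaultdict

# Assumed invocation: keep every SYN (including SYN/ACK replies) and every RST.
SCAN_CMD = ["tshark", "-r", "capture.pcap",
            "-Y", "tcp.flags.syn == 1 || tcp.flags.reset == 1",
            "-T", "fields", "-E", "separator=/t",
            "-e", "ip.src", "-e", "ip.dst", "-e", "tcp.srcport",
            "-e", "tcp.dstport", "-e", "tcp.flags"]

# tcp.flags bit values; the field prints as hex ("0x0002", or "0x00000002"
# in older releases), and int(x, 16) accepts both.
SYN, RST, ACK = 0x002, 0x004, 0x010


def scan_summary(lines):
    """Per source: how many hosts/ports it probed and how each probe ended."""
    probes = defaultdict(set)   # src -> {(dst, dport)}
    replies = {}                # (client, server, server_port) -> open/closed
    for line in lines:
        src, dst, sport, dport, flags = line.split("\t")
        f = int(flags, 16)
        if f & SYN and not f & ACK:                 # connection attempt
            probes[src].add((dst, int(dport)))
        elif f & SYN and f & ACK:                   # SYN/ACK: port open
            replies[(dst, src, int(sport))] = "open"
        elif f & RST:                               # RST: port closed
            replies.setdefault((dst, src, int(sport)), "closed")
    summary = {}
    for src, targets in probes.items():
        states = [replies.get((src, dst, port), "unanswered")
                  for dst, port in targets]
        summary[src] = {
            "hosts": len({dst for dst, _ in targets}),
            "ports": len({port for _, port in targets}),
            "open": states.count("open"),
            "closed": states.count("closed"),
            "unanswered": states.count("unanswered"),
        }
    return summary


def scan_candidates(lines, min_ports=10):
    """Sources that probed at least min_ports distinct ports; a normal client
    touches a handful, a scanner touches dozens to thousands."""
    summary = scan_summary(lines)
    return sorted((src for src, s in summary.items() if s["ports"] >= min_ports),
                  key=lambda src: summary[src]["ports"], reverse=True)


# Constructed sample: 10.0.0.66 probes twelve ports on 10.0.0.10 (three open,
# three closed, six silent); 10.0.0.5 makes one ordinary HTTPS connection.
SCAN_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080]
SAMPLE_LINES = (
    [f"10.0.0.66\t10.0.0.10\t{40000 + i}\t{p}\t0x0002" for i, p in enumerate(SCAN_PORTS)]
    + [f"10.0.0.10\t10.0.0.66\t{p}\t{40000 + SCAN_PORTS.index(p)}\t0x0012" for p in (22, 80, 445)]
    + [f"10.0.0.10\t10.0.0.66\t{p}\t{40000 + SCAN_PORTS.index(p)}\t0x0014" for p in (21, 23, 25)]
    + ["10.0.0.5\t203.0.113.5\t51000\t443\t0x0002",
       "203.0.113.5\t10.0.0.5\t443\t51000\t0x0012"]
)

if __name__ == "__main__":
    for src, s in scan_summary(SAMPLE_LINES).items():
        print(src, s)
    print("scan candidates:", scan_candidates(SAMPLE_LINES))
```

The open/closed/unanswered split is what distinguishes a scan from a busy but legitimate client: a browser's SYNs almost all get a SYN/ACK, whereas a scanner's are mostly met with RSTs (closed ports) or silence (filtered ports). Raise min_ports for large captures of noisy networks.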
11. Extract Specific Fields for Analysis
Explanation: Extracts key fields like timestamp, source/destination IPs, and ports for deeper analysis or reporting.
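The script below is an added example (not one of the page's queries, not part of TShark) showing how the field extraction from item 11 is driven from Python and how the size filter from item 6 compares with a per-conversation byte total over the same rows. It builds the tshark command line, parses the tab-separated output that -T fields produces, and ranks conversations by bytes moved. The tshark invocation, the -E options, the file name capture.pcap and SAMPLE_OUTPUT are assumptions and constructed data; nothing here is real capture output.

```python
"""Added example (not one of the page's own queries): drive tshark's field
extraction from Python, parse the tab-separated output, and total bytes per
conversation so bulk transfers stand out whatever the packet size.
Assumptions: tshark is on PATH when run for real, the capture is named
capture.pcap, and SAMPLE_OUTPUT below is constructed, not from a real capture."""
import shutil
import subprocess
from collections import defaultdict

# Fields to extract; -T fields prints them in the order they are given.
FIELDS = ["frame.time_epoch", "ip.src", "ip.dst",
          "tcp.srcport", "tcp.dstport", "frame.len"]


def tshark_fields_cmd(pcap, fields=FIELDS, display_filter="tcp"):
    """Build the tshark argv. occurrence=f keeps only the first value when a
    field repeats inside one packet, so every row has one column per field."""
    cmd = ["tshark", "-r", pcap, "-Y", display_filter, "-T", "fields",
           "-E", "separator=/t", "-E", "header=y", "-E", "occurrence=f"]
    for field in fields:
        cmd += ["-e", field]
    return cmd


def parse_fields_output(text):
    """Turn tshark's TSV (header row first, because of header=y) into dicts."""
    lines = text.strip().splitlines()
    if not lines:
        return []
    header = lines[0].split("\t")
    return [dict(zip(header, line.split("\t"))) for line in lines[1:]]


def large_packets(rows, threshold=1000):
    """The per-packet view: equivalent to a frame.len > threshold filter."""
    return [r for r in rows if int(r["frame.len"]) > threshold]


def bytes_per_conversation(rows):
    """Sum frame lengths per unordered IP pair, largest first. A size filter
    flags every MTU-sized packet of every download; a per-conversation total
    ranks which pair of hosts actually moved the most data."""
    totals = defaultdict(int)
    for r in rows:
        key = tuple(sorted((r["ip.src"], r["ip.dst"])))
        totals[key] += int(r["frame.len"])
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def run_tshark(pcap, fields=FIELDS, display_filter="tcp"):
    """Run tshark against a real capture (only when it is installed)."""
    if shutil.which("tshark") is None:
        raise RuntimeError("tshark not found on PATH")
    proc = subprocess.run(tshark_fields_cmd(pcap, fields, display_filter),
                          capture_output=True, text=True, check=True)
    return parse_fields_output(proc.stdout)


# Constructed sample of what the command above prints (not real traffic):
# an upload from 10.0.0.5 made of several full-size frames plus the server's
# ACKs, and a second conversation with a single large packet.
SAMPLE_OUTPUT = "\t".join(FIELDS) + "\n" + "\n".join([
    "1700000000.100\t10.0.0.5\t203.0.113.5\t49152\t443\t1514",
    "1700000000.101\t10.0.0.5\t203.0.113.5\t49152\t443\t1514",
    "1700000000.102\t203.0.113.5\t10.0.0.5\t443\t49152\t66",
    "1700000000.103\t10.0.0.5\t203.0.113.5\t49152\t443\t1514",
    "1700000000.104\t10.0.0.5\t203.0.113.5\t49152\t443\t1514",
    "1700000000.105\t203.0.113.5\t10.0.0.5\t443\t49152\t66",
    "1700000001.000\t10.0.0.7\t198.51.100.9\t50000\t80\t1200",
    "1700000001.001\t198.51.100.9\t10.0.0.7\t80\t50000\t66",
])

if __name__ == "__main__":
    rows = parse_fields_output(SAMPLE_OUTPUT)
    print(len(large_packets(rows)), "packets over 1000 bytes")
    for (a, b), total in bytes_per_conversation(rows):
        print(f"{a} <-> {b}: {total} bytes")
```

The same parsed rows can be written out with Python's csv or json modules for a report; tshark's own -T json output is an alternative when the full dissection tree is wanted rather than a handful of fields.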
12. Detect ICMP Tunneling
Explanation: Analyses ICMP traffic for unusually large payloads or frequent activity, which may indicate tunnelling. A normal echo request carries a small fixed payload (56 bytes of data with Linux ping, 32 with Windows), so echo packets carrying hundreds of bytes, or payloads that change on every packet, stand out.
13. Filter TLS Traffic
Explanation: Displays TLS/SSL traffic, including handshake details such as the server name indication (SNI) and the offered cipher suites. The payload stays encrypted, but the handshake metadata can still reveal anomalous encrypted communication, such as connections to unexpected server names or the use of outdated cipher suites.
14. Identify Unusual DNS Responses
Explanation: Focuses on DNS responses, highlighting the IP addresses that domains resolved to; these can be compared against known-bad IP lists to link a domain lookup to malicious infrastructure.
15. Export Traffic to a New PCAP File
Explanation: Filters traffic for a specific condition (e.g., an IP address) and writes it to a new .pcap file for focused analysis.
16. Reassemble HTTP Objects
Explanation: Extracts files transferred via HTTP. Useful for recovering potentially malicious payloads or identifying stolen data. The export relies on TCP reassembly, so only objects whose transfer was captured in full are recovered intact.
17. Detect Unencrypted Credentials in Telnet
Explanation: Captures Telnet traffic, which carries logins and commands in the clear, so usernames, passwords and the attacker's interactive session can be read directly from the capture.
18. Monitor RDP Traffic
Explanation: Analyses Remote Desktop Protocol (RDP, TCP 3389) traffic, a frequent target for brute-force attempts and lateral movement. RDP sessions are normally TLS-encrypted, so the focus is on connection metadata: which hosts connect to which, how often, and whether the connections succeed.
19. Extract Malicious Traffic Using IoCs
Explanation: Filters traffic based on known Indicators of Compromise (IoCs), such as malicious IPs or domains.
20. Identify Traffic to Tor Nodes
Explanation: Filters traffic to ports commonly associated with Tor relays (such as 9001 and 9030), which may indicate anonymised communication by ransomware. Port-based matching is weak, since many relays listen on 443 or 80, so confirm hits against a current list of Tor relay IP addresses.
21. Detect Suspicious Packet Rates
Explanation: Summarises packet counts per second. Spikes may indicate scanning, DDoS, or other anomalies.
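The script below is an added example (not one of the page's queries, not part of TShark) that builds the same per-second table as tshark's I/O statistics from per-packet timestamps and then flags the seconds that spike far above the typical rate. It uses the median rather than the mean as the baseline, because a handful of very busy seconds would otherwise drag the average up and hide themselves. The tshark invocation, the file name capture.pcap and the sample timestamps are assumptions and constructed data.

```python
"""Added example (not one of the page's queries): bucket packet timestamps
into one-second counts, the same table `tshark -q -z io,stat,1` prints, and
flag seconds that spike far above the median. Assumed command; constructed sample."""
import statistics
from collections import Counter

# Assumed invocation: one epoch timestamp per packet. Adding a display filter
# (e.g. -Y "tcp.flags.syn == 1 && tcp.flags.ack == 0") rates only SYNs.
RATE_CMD = ["tshark", "-r", "capture.pcap", "-T", "fields", "-e", "frame.time_epoch"]


def packets_per_second(epochs):
    """Return [(second, count)] for every second from first to last packet,
    including empty ones, so gaps show up as zeros instead of vanishing."""
    counts = Counter(int(float(t)) for t in epochs)
    if not counts:
        return []
    first, last = min(counts), max(counts)
    return [(sec, counts.get(sec, 0)) for sec in range(first, last + 1)]


def spikes(series, factor=5.0):
    """Seconds whose count exceeds factor x the median rate. The median, not
    the mean, is the baseline: a few huge seconds would drag the mean up and
    hide themselves."""
    values = [count for _, count in series]
    if not values:
        return []
    baseline = max(statistics.median(values), 1)
    return [(sec, count) for sec, count in series if count > factor * baseline]


# Constructed sample: 60 seconds at a steady 20 packets/s, then a burst of
# 380 extra packets in second 30 and 330 extra in second 31.
BASE = 1700000000
SAMPLE_EPOCHS = (
    [BASE + s + i / 20 for s in range(60) for i in range(20)]
    + [BASE + 30 + i / 380 for i in range(380)]
    + [BASE + 31 + i / 330 for i in range(330)]
)

if __name__ == "__main__":
    series = packets_per_second(SAMPLE_EPOCHS)
    print("median pkt/s:", statistics.median(c for _, c in series))
    for sec, count in spikes(series):
        print(f"spike at {sec}: {count} packets")
```

Once a spike second is known, re-run the field extraction with a frame.time_epoch range around it to see which hosts and ports account for the burst.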
Notes:
Replace placeholders (e.g., 192.168.1.10, 203.0.113.5, malicious.com) with investigation-specific details. Use threat intelligence feeds to refine filters with known IoCs.
These TShark queries provide a toolkit for performing network forensics on pcap files, helping uncover malicious activities or other suspicious behaviours.