TryHackMe: TShark: The Basics Walkthrough (SOC Level 1) 

Welcome to this walkthrough of the TShark: The Basics Room on TryHackMe. It is time to learn another traffic analysis tool made by the creators of Wireshark, TShark. Learn the basics of TShark and take your protocol and PCAP analysis skills a step further.

https://tryhackme.com/room/tsharkthebasics

I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by these challenges on HTB and THM. Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.

Now, let’s move on! This is going to be a long one!


Task 1: Introduction

TShark is an open-source command-line network traffic analyser created by the Wireshark developers, and it has most of Wireshark's features. It is commonly used as a command-line version of Wireshark, but it can also be used like tcpdump for live capture, which makes it well suited to comprehensive packet assessments on systems without a GUI.

Learning Objectives

  • Filtering the traffic with TShark
  • Implementing Wireshark filters in TShark
  • Expanding and automating packet filtering with TShark

We suggest completing the Network Fundamentals and Wireshark modules before starting this room. 

Questions

Read the task above and start the attached VM.

Answer: No answer needed


Task 2: Command-Line Packet Analysis Hints | TShark and Supplemental CLI Tools

TShark is a command-line packet analysis tool that enables automation, data carving, and in-depth packet inspection. It works well with other CLI tools because its output can be piped straight into them.

Commonly used tools for packet analysis include:

  • capinfos – Summarizes capture file details.
  • grep – Searches for specific text patterns.
  • cut – Extracts specific parts of lines.
  • uniq – Collapses adjacent duplicate lines (so sort the input first); with -c it counts them.
  • nl – Numbers lines in output.
  • sed – Edits streams of text.
  • awk – Processes and searches patterns in structured data.

For hands-on practice, navigate to the provided directory:

cd Desktop/exercise-files/

Questions

Find the task files on the Desktop in the “exercise-files” folder.

Answer: No answer needed.

View the details of the demo.pcapng file with “capinfos”. What is the “RIPEMD160” value?

Simply run the following command to get some summarized capture file details, including the file's hashes:

capinfos demo.pcapng

Answer: 6ef5f0c165a1db4a3cad3116b0c5bcc0cf6b9ab7


Task 3: TShark Fundamentals I | Main Parameters I

TShark is a command-line network protocol analyzer tool, which is the terminal version of Wireshark. It is used for sniffing and analyzing network traffic. The key commands and parameters are as follows:

  • -h: Displays the help page with common features.
  • -v: Displays version information about TShark.
  • -D: Lists available interfaces for sniffing.
  • -i: Specifies the interface to capture traffic on.
  • No Parameter: Starts sniffing traffic on the default interface (usually the first available one).

Example usage:

  1. Viewing version: tshark -v
  2. Listing interfaces: sudo tshark -D
  3. Sniffing traffic: tshark (default interface) or tshark -i 2 / tshark -i lo (a specific interface, selected by its number from the -D listing or by name, e.g. 'lo' for loopback).

TShark requires superuser privileges (or capture capabilities, e.g. membership in the wireshark group on Debian-based systems) for live traffic sniffing and for listing interfaces. It captures traffic and displays summary packet information such as source, destination, protocol, and flags.

Questions

What is the installed TShark version in the given VM?

To list the version run:

tshark -v

Answer: 3.2.3

List the available interfaces with TShark. What is the number of available interfaces in the given VM?

To list the available interfaces run (with sudo if your user has no capture privileges):

tshark -D

As you can see, the number of interfaces is 12.

Answer: 12


Task 4: TShark Fundamentals I | Main Parameters II

Let’s cover more main parameters!

  • -r: Reads a capture file (e.g., tshark -r demo.pcapng).
  • -c: Limits packet count (e.g., tshark -c 10).
  • -w: Writes captured packets to a file (e.g., tshark -w sample.pcap).
  • -V: Provides detailed (verbose) packet information.
  • -q: Suppresses the per-packet output (quiet mode).
  • -x: Displays packet details in hex and ASCII.

Key Features:

  • Read PCAP files: Analyze packets using -r; -c limits how many packets are read.
  • Write PCAP files: Use -w to save specific packets for further analysis.
  • Show Packet Bytes: -x displays raw packet data for deeper insights.
  • Verbosity (-V): Offers detailed breakdowns similar to Wireshark, useful after filtering packets.

Questions

Read the “demo.pcapng” file with TShark. What are the assigned TCP flags in the 29th packet?

Simply run the following TShark read command:

tshark -r demo.pcapng

Here we see the PSH, ACK flags set on the 29th packet.

Answer: PSH, ACK

What is the “Ack” value of the 25th packet?

The “Ack” value of the 25th packet is visible in the same output. You can find it here:

Answer: 12421

What is the “Window size value” of the 9th packet?

Once more seen in the same output:

Window value 9th packet

Answer: 9660


Task 5: TShark Fundamentals II | Capture Conditions

TShark, a network sniffer and packet analyzer, allows setting conditions to stop capturing packets automatically. There are two main parameter types:

  1. Autostop (-a) – Stops capturing after a specific condition is met:
    • Duration: Stops after X seconds (-a duration:1).
    • Filesize: Stops after reaching X KB (-a filesize:10).
    • Files: Stops after X files (-a filesize:10 -a files:3).
  2. Ring Buffer Control (-b) – Runs in an infinite loop, writing to new files while overwriting old ones:
    • Duration: Creates a new file every X seconds (-b duration:1).
    • Filesize: Creates a new file after reaching X KB (-b filesize:10).
    • Files: Limits to X files, overwriting the oldest (-b filesize:10 -b files:3).

Capture condition parameters apply only in live capturing mode, not when reading .pcap files. TShark allows combining -a and -b parameters; a ring buffer capture only ends on its own if at least one -a condition is set, otherwise it keeps rotating files until you interrupt it (Ctrl-C).

Questions

Which parameter can help analysts to create a continuous capture dump?

Using the -b flag puts TShark into ring buffer mode: it keeps writing to a rotating set of capture files, in other words an infinite loop, until it is stopped.

Answer: -b

Can we combine autostop and ring buffer parameters with TShark? y/n

Yes! TShark can combine autostop and ring buffer parameters, and a ring buffer capture needs at least one autostop parameter if it is to stop on its own.

Answer: y


Task 6: TShark Fundamentals III | Packet Filtering Options: Capture vs. Display Filters

TShark provides two types of packet filtering: capture filters and display filters.

  • Capture Filters: Applied before capturing traffic, they determine which packets are captured and saved at all. These filters cannot be changed during a live capture and offer a limited set of criteria: address range, protocol, and direction.
  • Display Filters: Applied after capturing traffic, they help analyze packets by reducing the number of visible ones without modifying the data. These can be changed dynamically during analysis.

TShark supports both Wireshark display filters and Berkeley Packet Filters (BPF) for capture filtering.

Key parameters:

  • -f → Capture filters (same as BPF and Wireshark capture filters).
  • -Y → Display filters (same as Wireshark display filters).

For more details, refer to Wireshark’s Packet Operations room (Task 4 & 5).

Questions

Which parameter is used to set “Capture Filters”?

This is a very easy question, and we just learned that the answer is -f.

Answer: -f

Which parameter is used to set “Display Filters”?

The answer is -Y.

Answer: -Y


Task 7: TShark Fundamentals IV | Packet Filtering Options: Capture Filters

Let’s learn how to use capture filters.

Capture filters use the BPF syntax shared by tcpdump and Wireshark, and they filter network traffic on specific criteria before it is captured. A filter is built from different qualifiers:

  1. Type Filters (match target types like hosts, networks, and ports):
    • host 10.10.10.10 → Filter specific host
    • net 10.10.10.0/24 → Filter subnet
    • port 80 → Filter specific port
    • portrange 80-100 → Filter range of ports
  2. Direction Filters (define traffic direction):
    • src host 10.10.10.10 → Source address
    • dst host 10.10.10.10 → Destination address
  3. Protocol Filters (filter based on protocols like TCP, UDP, ICMP):
    • tcp → Filter TCP traffic
    • ether host F8:DB:C5:A2:5D:81 → Filter specific MAC address
    • ip proto 1 → Filter ICMP (IP protocol number 1)

Simulating and Practicing Capture Filters

To test filters, network noise can be generated using:

  • cURL (for HTTP traffic) → curl -v 10.10.10.10
  • Netcat (nc) (for port-specific traffic) → nc 10.10.10.10 4444 -vw 5

Using Terminator (a terminal emulator), one can split the screen for easier traffic monitoring:

  • Terminal-1 (Sniffing Traffic):
    • tshark -f "host 10.10.10.10"
  • Terminal-2 (Generating Traffic):
    • curl 10.10.10.10

Common Capture Filters

  • Host Filtering: tshark -f "host tryhackme.com"
  • IP Filtering: tshark -f "host 10.10.10.10"
  • Port Filtering: tshark -f "port 4444"
  • Protocol Filtering: tshark -f "udp"

Questions

Run the commands from the above Terminator terminals on the target machine and answer the questions. What is the number of packets with SYN bytes?

Alright. Start up two terminals. On the first one, start sniffing traffic:

tshark -f "host 10.10.10.10"

On the second, send a cURL request:

curl -v 10.10.10.10

Return to the first terminal (where you are sniffing traffic) and you will see traffic coming in.

Sniffing curl request

If you count the SYN flags, you can see two of them: packet 1 ([SYN], the client's request) and packet 2 ([SYN, ACK], the server's reply).

Answer: 2

What is the number of packets sent to the IP address “10.10.10.10”?

This time we can also refer to the previous screenshot. We have to count the packets that are sent towards the IP address 10.10.10.10, so we look at the destination address, which is the second IP on each packet line (right after the arrow). For example, in the first packet the target IP is the 10.10.10.10 after the arrow:

1 0.000000000 10.10.111.200 → 10.10.10.10 TCP 74 36620 → 80 [SYN] Seq=0 Win=62727 Len=0 MSS=8961 SACK_PERM=1 TSval=1998879927 TSecr=0 WS=128

If you count all packets with this destination you will find 7.

Answer: 7

What is the number of packets with ACK bytes?

Another simple count task. Count every packet in the above screenshot whose flag list contains ACK, including [SYN, ACK], [PSH, ACK] and [FIN, ACK] and not just bare [ACK], and hopefully you will count 8 🙂

Answer: 8


Task 8: TShark Fundamentals V | Packet Filtering Options: Display Filters

Wireshark’s display filters allow users to refine captured network traffic using specific criteria. The display filter syntax follows Wireshark’s rules, and users can reference the Display Filter Expression menu or official documentation for filter breakdowns. Boolean operators can also be used.

Common Display Filters:

  • IP Filtering:
    • tshark -Y 'ip.addr == 10.10.10.10' (Filter packets involving a specific IP)
    • tshark -Y 'ip.src == 10.10.10.10' (Filter packets from a source IP)
    • tshark -Y 'ip.dst == 10.10.10.10' (Filter packets to a destination IP)
    • tshark -Y 'ip.addr == 10.10.10.0/24' (Filter a network range)
  • TCP Filtering:
    • tshark -Y 'tcp.port == 80' (Filter packets on TCP port 80)
    • tshark -Y 'tcp.srcport == 80' (Filter packets from source port 80)
  • HTTP Filtering:
    • tshark -Y 'http' (Filter all HTTP packets)
    • tshark -Y 'http.response.code == 200' (Filter HTTP packets with response code 200)
  • DNS Filtering:
    • tshark -Y 'dns' (Filter all DNS packets)
    • tshark -Y 'dns.qry.type == 1' (Filter DNS “A” queries)

Sample Usage:

Using the demo.pcapng file:

tshark -r demo.pcapng -Y 'ip.addr == 145.253.2.203'

This filters packets involving the specified IP. Note that the first column is the frame number assigned at capture time; it does not change when you filter, so it cannot be used to count the matching packets.

To count filtered packets, use:

tshark -r demo.pcapng -Y 'http' | nl

This provides a numbered list, making it easier to determine the total count.

Questions

Use the “demo.pcapng” file to answer the questions. What is the number of packets with a “65.208.228.223” IP address?

Alright. Last 4 questions, let’s go!

The command to use is very similar as the previously discussed example:

tshark -r demo.pcapng -Y 'ip.addr == 65.208.228.223' | nl

We used nl here to add a numbered list, which makes it easier to count the number of packets.

You will see the matching packets listed, 34 in total:

34 packets

Answer: 34

What is the number of packets with a “TCP port 3371”?

This time filter on port 3371:

tshark -r demo.pcapng -Y 'tcp.port == 3371' | nl

Port 3371 packets

This time there are 7 packets.

Answer: 7

What is the number of packets with a “145.254.160.237” IP address as a source address?

This time we should filter on ip.src instead of ip.addr to only filter on source addresses:

tshark -r demo.pcapng -Y 'ip.src == 145.254.160.237' | nl

Source address packets

We have 20 packets this time!

Answer: 20

Rerun the previous query and look at the output. What is the packet number of the “Duplicate” packet?

Rerun the previous query and take another look at the output.

One of the packets should mention “Dup” (a duplicate ACK, flagged by TShark’s TCP analysis). Be careful: THM does not expect the nl row index but the packet (frame) number in the first column, in this case 37.

Duplicate packet

Answer: 37
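Every counting question in Task 7 and Task 8 (SYN packets, ACK packets, packets sent to 10.10.10.10, packets matching a display filter, the frame number of the “Dup” row) is easier and less error-prone if you let the Task 2 CLI tools do the counting instead of reading a screenshot. The script below is an added example and is not part of the TryHackMe room or of this walkthrough’s original commands. Its input SAMPLE is a constructed, made-up curl exchange written in the one-line-per-packet layout TShark prints (frame number, time, source, arrow, destination, protocol, length, info), so it runs offline; on the VM you would replace the packets function body with the real command, e.g. tshark -r demo.pcapng -Y 'ip.addr == 10.10.10.10'. The awk code works on field positions, so it does not care whether your locale prints the arrow as “→” or “->”.

```shell
#!/bin/sh
# Added example, not from the TryHackMe room or the original post: answering
# "how many packets ..." questions over TShark's summary output with the CLI
# tools from Task 2 (awk, sort, uniq, nl) instead of counting by eye.
#
# SAMPLE is constructed to mimic the layout of `tshark -r file` or
# `tshark -f "host 10.10.10.10"`: frame number, time, source, arrow,
# destination, protocol, length, info. It is a made-up curl exchange with
# 10.10.10.10, not a real capture. HTTP rows show no TCP flags, exactly as in
# real TShark output, so flag counts only see the rows that carry them.
SAMPLE='1 0.000000000 10.10.111.200 → 10.10.10.10 TCP 74 36620 → 80 [SYN] Seq=0 Win=62727 Len=0 MSS=8961 SACK_PERM=1
2 0.001044142 10.10.10.10 → 10.10.111.200 TCP 74 80 → 36620 [SYN, ACK] Seq=0 Ack=1 Win=62643 Len=0
3 0.001077321 10.10.111.200 → 10.10.10.10 TCP 66 36620 → 80 [ACK] Seq=1 Ack=1 Win=62848 Len=0
4 0.001103004 10.10.111.200 → 10.10.10.10 HTTP 141 GET / HTTP/1.1
5 0.001950889 10.10.10.10 → 10.10.111.200 TCP 66 80 → 36620 [ACK] Seq=1 Ack=76 Win=62592 Len=0
6 0.003220157 10.10.10.10 → 10.10.111.200 HTTP 273 HTTP/1.1 200 OK (text/html)
7 0.003243890 10.10.111.200 → 10.10.10.10 TCP 66 36620 → 80 [ACK] Seq=76 Ack=208 Win=62720 Len=0
8 0.003300001 10.10.111.200 → 10.10.10.10 TCP 66 36620 → 80 [FIN, ACK] Seq=76 Ack=208 Win=62720 Len=0
9 0.004100000 10.10.10.10 → 10.10.111.200 TCP 66 80 → 36620 [FIN, ACK] Seq=208 Ack=77 Win=62592 Len=0
10 0.004120000 10.10.111.200 → 10.10.10.10 TCP 66 36620 → 80 [ACK] Seq=77 Ack=209 Win=62720 Len=0'

# On the VM, replace this with the real command, e.g.
#   tshark -r demo.pcapng -Y 'ip.addr == 10.10.10.10'
packets() { printf '%s\n' "$SAMPLE"; }

# count_flag SYN -> number of packets whose TCP flag list contains SYN.
# The flags are parsed out of the "[SYN, ACK]" bracket, so "Ack=1" in the
# info column is never mistaken for an ACK flag and [SYN, ACK] counts for both.
count_flag() {
    packets | awk -v flag="$1" '
        match($0, /\[[A-Z, ]+\]/) {
            flags = substr($0, RSTART + 1, RLENGTH - 2)
            n = split(flags, part, ", ")
            for (i = 1; i <= n; i++) if (part[i] == flag) { hits++; break }
        }
        END { print hits + 0 }'
}

# count_to_dst 10.10.10.10 -> packets whose destination column (field 5, right
# after the arrow) is that address. Comparing the field instead of grepping the
# whole line avoids matching the source column or the info text by accident.
count_to_dst() {
    packets | awk -v ip="$1" '$5 == ip { n++ } END { print n + 0 }'
}

# dst_tally -> "destination count" per destination, busiest first: the classic
# sort | uniq -c idiom (uniq only collapses adjacent duplicates, hence the sort).
dst_tally() {
    packets | awk '{ print $5 }' | sort | uniq -c | sort -rn | awk '{ print $2 " " $1 }'
}

# rows_to 10.10.10.10 -> the matching rows numbered 1..N by nl. The nl index
# counts matches; the frame number is still the first column of each row.
rows_to() {
    packets | awk -v ip="$1" '$5 == ip' | nl
}

# frame_of_row 10.10.10.10 3 -> frame number of the 3rd matching row, which is
# what THM means by "packet number" (not the nl index).
frame_of_row() {
    packets | awk -v ip="$1" -v want="$2" '$5 == ip { n++; if (n == want) { print $1; exit } }'
}

# frame_matching 'FIN' -> frame number of the first row whose text matches a
# regex, e.g. frame_matching 'Dup' to locate a duplicate-ACK row.
frame_matching() {
    packets | awk -v pat="$1" '$0 ~ pat { print $1; exit }'
}

echo "SYN packets:                    $(count_flag SYN)"
echo "ACK packets:                    $(count_flag ACK)"
echo "sent to 10.10.10.10:            $(count_to_dst 10.10.10.10)"
echo "busiest destination:            $(dst_tally | head -n 1)"
echo "3rd row to 10.10.10.10 is frame $(frame_of_row 10.10.10.10 3)"
```

For the display-filter questions you can also skip the text parsing entirely: tshark -r demo.pcapng -Y 'ip.src == 145.254.160.237' -T fields -e frame.number prints one frame number per matching packet, so piping it into wc -l gives the count and the last value is the frame number THM asks for.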


Task 9: Conclusion

Congratulations! You just finished the TShark: The Basics room. In this room, we covered TShark, what it is, how it operates, and how to use it to investigate traffic captures.

Now, we invite you to complete the TShark: CLI Wireshark Features room to boost your CLI packet hunting skills by implementing Wireshark features with TShark.

Questions

Proceed to the next room and keep learning!

Answer: No answer needed


Congratulations on completing TShark: The Basics!!!

Congratulations on completing TShark The Basics

Congratulations on completing TShark: The Basics. It was great using some of the previously learned Wireshark methodology in the command prompt. We clearly can see that TShark is as powerful as Wireshark, with added scripting potential. Of course it hurts losing the UI though!

Come back soon for more walkthroughs of rooms on TryHackMe and HackTheBox, and other Cybersecurity discussions.

Like my articles?

You are welcome to comment on this post, or share my post with friends. I would be even more grateful if you support me by buying me a cup of coffee:


I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg
