To install and use TShark, which is a terminal packet sniffer, and explore packets being processed by a machine as it's running.
Wireshark is a popular packet sniffer/analyzer. We will be using the terminal version of this program which is called TShark. First you need to install the tshark package, which can be done as follows:
ifinlay@vm:~$ sudo apt install tshark
Then enter 'y' when it asks if you want to continue. It will then ask if non-superusers should be able to capture packets. You should answer yes to this question as well.
You must then add your current user to the wireshark group so that you have access to the network. That can be done with this command:
ifinlay@vm:~$ sudo usermod -a -G wireshark $USER
You must then logout of your virtual machine, and log back in again.
If you get the following error message:
ifinlay@tester:~$ tshark Capturing on 'Cisco remote capture' tshark: Couldn't run /usr/bin/dumpcap in child process: Permission denied tshark: Error by extcap pipe: ** (process:3997): WARNING **: 02:15:33.585: Missing parameter: --remote-host 0 packets captured
Then you did not setup the group properly.
When you run the command
tshark command, it will print all of the
packets being processed by the machine. Below is an example:
ifinlay@vm:~$ tshark Capturing on 'ens4' 1 0.000000000 10.142.0.3 → 18.104.22.168 SSH 102 Server: Encrypted packet (len=36) 2 0.013974434 22.214.171.124 → 10.142.0.3 TCP 66 44260 → 22 [ACK] Seq=1 Ack=1 Win=323 Len=0 TSval=913110574 TSecr=3780862521 3 0.014002333 126.96.36.199 → 10.142.0.3 TCP 66 44260 → 22 [ACK] Seq=1 Ack=37 Win=323 Len=0 TSval=913110575 TSecr=3780862523 4 0.023856025 188.8.131.52 → 10.142.0.3 TCP 78 [TCP Dup ACK 3#1] 44260 → 22 [ACK] Seq=1 Ack=37 Win=323 Len=0 TSval=913110581 TSecr=3780862608 SLE=1 SRE=37 5 0.431006150 10.142.0.3 → 184.108.40.206 SSH 198 Server: Encrypted packet (len=132) 6 0.431048991 10.142.0.3 → 220.127.116.11 SSH 102 Server: Encrypted packet (len=36) 7 0.431140897 10.142.0.3 → 18.104.22.168 SSH 238 Server: Encrypted packet (len=172)
You will need to type Ctrl-C to stop tshark when you are done. The columns displayed by default are:
Instead of tshark running indefinitely, we can tell it to read some number of packets and stop with the -c flag (which stands for count):
ifinlay@vm:~$ tshark -c 10
We can also have tshark dump the data into a file rather than directly to the screen with the -w flag (which stands for write):
ifinlay@vm:~$ tshark -c 10 -w traffic.pcap
This way the data can be stored for later analysis or backup. The .pcap extension stands for "packet capture" and is a standard format for information on network packets. It is not a human-readable format, but stores all the information tshark can get from the packets including the actual contents.
To have tshark print its information on a .pcap file, we can give it the -r flag, which stands for read:
ifinlay@vm:~$ tshark -r traffic.pcap
For this lab, we will analyze packets sent as part of the HTTP web protocol. To start off, install the Apache web server on your VM with the following command:
ifinlay@vm:~$ sudo apt install apache2
Hit 'y' when it asks you to confirm. To test that the web server is working, navigate to your VM's IP address from a web browser. You should see the default web page, the top of which looks like this:
If we want to show packets from one particular application, without all the noise from our SSH connection, we can do it with the -f, "filter" argument to tshark.
These can be used to only view traffic that we are interested in, such as only from a specific host, or on a specific port. HTTP uses port 80, so if we want to see only HTTP traffic, we can do it like so:
ifinlay@vm:~$ tshark -f "port 80"
Now only packets for the HTTP server will be displayed instead of all network traffic. You will use tshark to view HTTP packets for the rest of this lab.
For this lab, use tshark to answer the following questions about HTTP. You can do this in the body of an email, or as a separate document.
When you're finished, email your answers to email@example.com.
Copyright © 2018 Ian Finlayson | Licensed under a Creative Commons Attribution 4.0 International License.