Analyze TCP Conversations in Tshark

Introduction

In this lab, you will learn to analyze TCP conversations using Wireshark's command-line tool tshark. You'll practice capturing TCP traffic with filters, listing conversations, and examining specific ports like HTTP (port 80) while interpreting detailed packet information.

Through hands-on exercises including traffic generation with curl and capture file analysis, you'll master isolating TCP streams and identifying key conversation metrics. These skills will enhance your network troubleshooting and traffic analysis capabilities using Wireshark.

Capture TCP Traffic with -f "tcp"

In this step, you will learn how to capture TCP network traffic using Wireshark's command-line tool tshark. TCP (Transmission Control Protocol) is one of the core protocols of the Internet, responsible for reliable data transmission between applications. By using the -f "tcp" filter, we can focus specifically on TCP packets, which helps when analyzing web browsing, file transfers, or email communications.

First, open a terminal in your LabEx VM by clicking on the terminal icon in the Xfce desktop or using the shortcut Ctrl+Alt+T. The terminal is where we'll execute all our commands for this network analysis.
Navigate to the default working directory where we'll store our capture files:
```
cd ~/project
```
This ensures all our captured data will be saved in a consistent location that's easy to find later.
Start capturing TCP traffic with the following command:
```
sudo tshark -f "tcp" -w tcp_capture.pcap
```
Let's break down what each part of this command does:
- sudo gives us administrator privileges needed for packet capture
- tshark is the command-line version of Wireshark
- -f "tcp" acts as a capture filter, telling tshark to only record TCP packets
- -w tcp_capture.pcap saves the captured packets to a file named "tcp_capture.pcap"
While tshark is running, we need to generate some sample TCP traffic. Open another terminal window and run:
```
curl https://www.example.com
```
This command makes a simple web request to example.com, which uses TCP for its communication. The curl command will show you the HTML content returned from the website.
After waiting a few seconds to capture enough data, stop the capture by pressing Ctrl+C in the first terminal where tshark is running. This safely terminates the packet capture process.
Now let's verify what we captured by examining the first few lines of our capture file:
```
tshark -r tcp_capture.pcap | head -n 5
```
This command reads (-r) our capture file and displays the first 5 packets. You should see output showing the TCP handshake process, which includes:
- SYN (synchronize) packets that initiate the connection
- SYN-ACK (synchronize-acknowledge) responses
- Source and destination IP addresses
- Port numbers being used for the communication

List Conversations with -z conv,tcp

In this step, you will learn how to analyze TCP conversations from your captured traffic using Wireshark's -z conv,tcp option. A TCP conversation represents a complete communication session between two endpoints, identified by their IP addresses and port numbers. This feature provides a summary of all TCP conversations in your capture, showing source/destination IPs, ports, and packet statistics which is essential for understanding network communication patterns.

First, ensure you're in the correct directory where your capture file is stored. This is important because Tshark needs to know where to find the packet capture file:
```
cd ~/project
```
The basic command to list TCP conversations analyzes the captured packets and displays a summary table. The -r flag specifies the input file, while -z conv,tcp enables the conversation statistics feature:
```
tshark -r tcp_capture.pcap -z conv,tcp
```

The output will display a table showing all TCP conversations, similar to this example. Each row represents one conversation between two endpoints, showing the number of frames (packets) and bytes transferred in each direction:

=========================================================================
TCP Conversations
Filter:<No Filter>
                                              |       <-      | |       ->      | |     Total     |
                                              | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
192.168.1.2:49152   <-> 93.184.216.34:80     |      3    180 | |      3    216 | |      6    396 |
=========================================================================

To get a more detailed view with absolute timestamps showing when each conversation occurred, use the -t ad option. This helps in understanding the timing and sequence of network events:
```
tshark -r tcp_capture.pcap -z conv,tcp -t ad
```
You can filter conversations by specific criteria using display filters with the -Y option. This example filters for conversations involving port 80 (HTTP traffic), which is useful when you only want to analyze web traffic:
```
tshark -r tcp_capture.pcap -z conv,tcp -Y "tcp.port==80"
```
To save the conversation statistics for later analysis or reporting, redirect the output to a text file. This creates a permanent record of your analysis that you can review or share with others:
```
tshark -r tcp_capture.pcap -z conv,tcp > tcp_conversations.txt
```

Filter Specific Port with -Y "tcp.port==80"

In this step, you will learn how to filter network traffic for a specific TCP port (port 80) using Wireshark's display filter syntax with the -Y "tcp.port==80" option. Port 80 is the standard port for HTTP web traffic, so this filter helps isolate web-related communications in your network capture.

Before we begin, let's understand what this filter does: it shows all TCP packets where either the source OR destination port is 80. This is different from filtering specifically for source or destination ports, which we'll cover later.

First, ensure you're in the correct directory where your capture file is stored:
```
cd ~/project
```
To filter your previously captured traffic for port 80 (HTTP), run:
```
tshark -r tcp_capture.pcap -Y "tcp.port==80"
```
The -r flag specifies the input file, while -Y applies the display filter. This command reads packets from tcp_capture.pcap but only shows those involving port 80.

The output will show only packets involving port 80, either as source or destination:

 1 0.000000000    192.168.1.2 → 93.184.216.34 TCP 74 49152 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 2 0.028763000  93.184.216.34 → 192.168.1.2 TCP 74 80 → 49152 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0
 3 0.028852000    192.168.1.2 → 93.184.216.34 TCP 66 49152 → 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0

This output shows a complete TCP three-way handshake (SYN, SYN-ACK, ACK) between a client (192.168.1.2) and a web server (93.184.216.34).

To filter specifically for traffic going to port 80 (destination port), which shows requests to web servers:
```
tshark -r tcp_capture.pcap -Y "tcp.dstport==80"
```
To filter for traffic coming from port 80 (source port), which typically shows web server responses:
```
tshark -r tcp_capture.pcap -Y "tcp.srcport==80"
```
You can combine this with other filters for more precise analysis. For example, to see only HTTP GET requests (the most common type of web request):
```
tshark -r tcp_capture.pcap -Y "tcp.port==80 && http.request.method==GET"
```
This combines a port filter with an HTTP protocol filter to show specifically when web browsers request pages from servers.

Display Results with -V

In this step, we'll explore how to view comprehensive packet details using Wireshark's -V (verbose) option. When troubleshooting network issues, seeing the complete protocol breakdown is crucial. The -V flag reveals each layer of the network stack, from Ethernet frames up to application layer protocols, helping you understand exactly what's happening in your network traffic.

First, ensure you're in the correct directory where your capture file is stored. This is important because Tshark needs to access the file you want to analyze:
```
cd ~/project
```
The basic command to display all packet details shows you everything Tshark can decode. This is useful when you need to examine the complete structure of network communications:
```
tshark -r tcp_capture.pcap -V
```

The verbose output displays technical details in a structured format. Here's what each part means:

Frame: Physical layer information about packet size
Ethernet II: Data link layer MAC addresses
IP: Network layer addressing
TCP: Transport layer ports and sequence numbers

Frame 1: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
Ethernet II, Src: 00:11:22:33:44:55, Dst: 66:77:88:99:aa:bb
Internet Protocol Version 4, Src: 192.168.1.2, Dst: 93.184.216.34
Transmission Control Protocol, Src Port: 49152, Dst Port: 80, Seq: 0, Ack: 0, Len: 0

When working with large captures, combining filters with verbose output helps focus on relevant traffic. This example shows only HTTP traffic (port 80) and limits output to the first 20 lines:
```
tshark -r tcp_capture.pcap -Y "tcp.port==80" -V | head -n 20
```
For documentation or later analysis, you can save the detailed output to a text file. This creates a permanent record of your packet inspection:
```
tshark -r tcp_capture.pcap -V > verbose_output.txt
```
To examine specific protocol elements like HTTP headers, combine protocol filters with verbose mode. This helps when debugging web applications or analyzing HTTP transactions:
```
tshark -r tcp_capture.pcap -Y "http" -V
```

Summary

In this lab, you have learned to analyze TCP conversations using Wireshark's tshark command-line tool. You captured TCP traffic with specific filters, examined TCP handshake details, and generated sample traffic for analysis.

Additionally, you explored techniques to list TCP conversations between endpoints and filter specific port traffic. The lab provided hands-on experience with packet inspection using verbose output and conversation statistics for effective network analysis.