Packet Analysis with Wireshark and Tshark


Introduction

In this lab, you will learn the fundamentals of network packet analysis using Wireshark and its command-line counterpart, Tshark. You will start by exploring network interfaces, then move on to capturing live network traffic. You will also learn how to read, filter, and analyze pre-existing packet capture files using both the Tshark command-line tool and the Wireshark graphical user interface. This lab provides a foundational understanding of packet analysis, a critical skill for network troubleshooting and cybersecurity.

Verify Installation and List Network Interfaces

In this lab environment, Tshark and Wireshark are pre-installed for you. Your first step is to verify the installation and identify the available network interfaces for packet capture. A network interface is a hardware or virtual device that allows your computer to connect to a network.

  1. First, verify that Tshark is installed correctly by checking its version. This command confirms that the tool is available in your system's path.

    tshark --version

    You should see output displaying the Tshark and Wireshark version numbers.

    TShark (Wireshark) 4.2.x (Git v4.2.x packaged as 4.2.x-1)
    ...
  2. Next, you need to know which network interfaces you can use for capturing packets. Use the -D flag to list all available interfaces.

    tshark -D

    The output will list the interfaces by number and name.

    1. eth0
    2. any (Pseudo-device that captures on all interfaces)
    3. lo (Loopback)
    4. ...
    • eth0 is typically the primary Ethernet interface, common in virtual machines and servers. We will use this for live captures.
    • lo is the loopback interface, used for network communication within the same machine.
    • any is a special pseudo-device that allows you to capture traffic from all interfaces at once.

Now that you've confirmed the installation and identified the eth0 interface, you are ready to start capturing packets.

Perform a Basic Packet Capture

With the network interface identified, you can now perform a live packet capture. For this exercise, you will capture a small number of packets from the eth0 interface to see Tshark in action. This is a fundamental skill for observing real-time network activity.

  1. To start a capture, you need to specify the interface with the -i flag and the number of packets to capture with the -c (count) flag. Run the following command to capture 10 packets from the eth0 interface.

    tshark -i eth0 -c 10
  2. Tshark will start capturing packets and display a one-line summary for each packet in real-time. The output will look similar to the example below, showing information like the packet number, timestamp, source and destination IP addresses, protocol, and a brief summary.

     1 0.000000000 172.17.0.2 -> 172.17.0.1 DNS 79 Standard query 0x1a34 AAAA metadata.google.internal
     2 0.000293393 172.17.0.1 -> 172.17.0.2 DNS 111 Standard query response 0x1a34 No such name
     3 0.000408893 172.17.0.2 -> 172.17.0.1 DNS 79 Standard query 0x2b1f A metadata.google.internal
     4 0.000564893 172.17.0.1 -> 172.17.0.2 DNS 111 Standard query response 0x2b1f No such name
     ...

After capturing 10 packets, Tshark will automatically stop. You have now successfully captured and viewed live network traffic from the command line.

Analyze a Capture File with Tshark

Besides capturing live traffic, a common task is to analyze previously saved packet capture files. These files, typically with a .pcap extension, allow for offline analysis. A sample file named capture.pcap is provided in your project directory.

  1. First, use the ls command to confirm that the capture.pcap file exists in your current directory (/home/labex/project).

    ls -l capture.pcap
  2. To read packets from this file, use the -r (read) flag. Let's view the first 10 packets from the file.

    tshark -r capture.pcap -c 10
  3. Manually inspecting all packets is inefficient. Tshark allows you to use display filters to show only the packets that match specific criteria. Use the -Y flag to apply a display filter. Let's filter for TCP traffic only.

    tshark -r capture.pcap -Y "tcp" -c 5

    This command reads from capture.pcap, applies the display filter tcp, and shows only the first 5 matching packets.

  4. Now, try filtering for a different protocol, such as UDP.

    tshark -r capture.pcap -Y "udp" -c 5

    You will now see only UDP packets from the capture file. Display filters are a powerful feature for focusing your analysis on specific protocols, addresses, or ports.

Filter and Save a Live Capture

In this step, you will combine capturing, filtering, and saving. Instead of saving all traffic, you can apply a capture filter to save only the packets that interest you. Unlike the display filters (-Y) used in the previous step, which are applied after the packets have been read, a capture filter (-f) uses BPF syntax (the same as tcpdump) and decides at capture time which packets are kept, so everything else is never written to disk. This is efficient for creating targeted datasets. We will capture only DNS traffic and save it to a new file.

  1. To save a capture, use the -w (write) flag. To apply a capture filter, use the -f flag. DNS typically uses UDP port 53, so we will use "port 53" as our capture filter.

    Run the following command to capture 10 DNS packets and save them to a file named dns_traffic.pcap.

    tshark -i eth0 -c 10 -f "port 53" -w dns_traffic.pcap

    Unlike a normal capture, this command will not print packets to the screen. Instead, it will show a running count of captured packets until it reaches 10.

  2. Once the capture is complete, verify that the new file was created.

    ls -l dns_traffic.pcap
  3. Now, you can inspect your new, filtered capture file to confirm it only contains the traffic you wanted.

    tshark -r dns_traffic.pcap

    The output should show only DNS packets (or other traffic on port 53), confirming that your capture filter worked correctly.
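As an added example (not part of the lab), the following Python script builds a small constructed .pcap containing one DNS query and one TCP SYN, reads it back record by record the way tshark -r does, and applies the tcp, udp, dns and port 53 filters from the previous two steps at the byte level, so you can see exactly which header fields each filter is matching. The function names (frame, write_pcap, read_pcap, matches, demo) and the sample addresses are this example's own assumptions; the file it writes is a valid pcap and can also be opened with tshark -r or Wireshark.

```python
import socket
import struct

def frame(proto, src, dst, l4):
    """Ethernet (zero MACs, type 0x0800) + 20-byte IPv4 header + L4 segment; checksums left 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + struct.pack("!H", 0x0800) + ip + l4

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def tcp_syn(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 65535, 0, 0)

# Constructed traffic: a DNS query (UDP/53) like the lab's 172.17.0.x capture, plus a TCP SYN.
SAMPLE = [frame(17, "172.17.0.2", "172.17.0.1", udp(41234, 53, b"\x1a\x34\x01\x00" + b"\x00" * 8)),
          frame(6, "172.17.0.2", "93.184.216.34", tcp_syn(51000, 80))]

def write_pcap(path, frames):
    """pcap global header (magic, v2.4, tz, sigfigs, snaplen, linktype 1=Ethernet) + records."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, fr in enumerate(frames):  # record header: ts_sec, ts_usec, incl_len, orig_len
            f.write(struct.pack("<IIII", 1700000000 + i, 0, len(fr), len(fr)) + fr)

def read_pcap(path):
    """Yield one summary per record: the fields a tshark packet-list line is built from."""
    with open(path, "rb") as f:
        end = "<" if f.read(24)[:4] == b"\xd4\xc3\xb2\xa1" else ">"  # magic gives byte order
        while rec := f.read(16):
            data = f.read(struct.unpack(end + "IIII", rec)[2])  # incl_len bytes of the frame
            ihl = (data[14] & 0x0F) * 4  # IPv4 header starts after the 14-byte Ethernet header
            sport, dport = struct.unpack("!HH", data[14 + ihl:14 + ihl + 4])
            yield {"src": socket.inet_ntoa(data[26:30]), "dst": socket.inet_ntoa(data[30:34]),
                   "proto": {6: "tcp", 17: "udp"}.get(data[23], "other"),
                   "sport": sport, "dport": dport}

def matches(pkt, expr):
    """The filters the lab uses: 'tcp', 'udp', 'dns' (display) and 'port N' (capture)."""
    if expr in ("tcp", "udp"):
        return pkt["proto"] == expr
    if expr == "dns":
        return pkt["proto"] == "udp" and 53 in (pkt["sport"], pkt["dport"])
    if expr.startswith("port "):
        return int(expr[5:]) in (pkt["sport"], pkt["dport"])
    raise ValueError("unsupported filter: " + expr)

def demo(path="sample.pcap"):
    """Write the constructed capture, then count matches per filter, like tshark -r ... -Y."""
    write_pcap(path, SAMPLE)
    pkts = list(read_pcap(path))
    return {e: sum(matches(p, e) for p in pkts) for e in ("tcp", "udp", "dns", "port 53", "port 80")}
```

Note that "port 53" matches the DNS packet on either its source or destination port and would equally match TCP on port 53, which is why the lab says the saved file may contain "other traffic on port 53".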

Analyze Packets with the Wireshark GUI

While Tshark is excellent for command-line work, the Wireshark graphical user interface (GUI) provides a powerful visual environment for deep packet analysis. In this step, you will use the Wireshark GUI to inspect the capture.pcap file.

  1. Launch Wireshark and open the capture.pcap file with the following command. The & at the end runs the application in the background, freeing up your terminal.

    wireshark capture.pcap &
  2. The Wireshark window will open. Take a moment to familiarize yourself with the main layout:

    • Packet List Pane (Top): A list of all packets in the capture.
    • Packet Details Pane (Middle): A detailed, expandable view of the protocol layers for the selected packet.
    • Packet Bytes Pane (Bottom): The raw data of the selected packet, shown in hexadecimal and ASCII.
  3. The GUI makes filtering easy. Locate the display filter bar at the top of the window (it may have "Apply a display filter..." as placeholder text). Type http into this bar and press Enter.

    http
  4. The Packet List pane will now update to show only HTTP packets from the capture file. You can click on any packet to explore its details in the middle pane.

  5. Close the Wireshark window when you are finished exploring.

Summary

In this lab, you gained hands-on experience with the Wireshark suite. You learned how to verify a Tshark installation and identify available network interfaces. You practiced capturing live network traffic using tshark, reading from existing .pcap files, and applying both capture and display filters to isolate specific protocols. You also learned how to save a filtered capture to a new file. Finally, you were introduced to the Wireshark graphical user interface for a more visual approach to packet analysis. These skills are essential for anyone involved in network administration, troubleshooting, or security.