Dump Hex Data in Tshark

Introduction

In this lab, you will learn to analyze network packets using Wireshark's tshark command-line tool with hexadecimal output. You'll practice reading packet capture files (capture.pcap) using the -r flag and displaying raw packet data in hex format with -x.

The exercises will guide you through executing tshark commands, interpreting packet summaries, and examining hexadecimal dumps. You'll analyze a TCP handshake example to understand how this technique aids in network troubleshooting and security investigations.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL wireshark(("Wireshark")) -.-> wireshark/WiresharkGroup(["Wireshark"]) wireshark/WiresharkGroup -.-> wireshark/protocol_dissection("Protocol Dissection") wireshark/WiresharkGroup -.-> wireshark/packet_analysis("Packet Analysis") wireshark/WiresharkGroup -.-> wireshark/commandline_usage("Command Line Usage") subgraph Lab Skills wireshark/protocol_dissection -.-> lab-548923{{"Dump Hex Data in Tshark"}} wireshark/packet_analysis -.-> lab-548923{{"Dump Hex Data in Tshark"}} wireshark/commandline_usage -.-> lab-548923{{"Dump Hex Data in Tshark"}} end

Read File with -r capture.pcap

In this step, you will learn how to read a packet capture file using Wireshark's command-line tool tshark with the -r option. This is the fundamental way to analyze pre-captured network traffic data.

Before we begin, it's important to understand that PCAP files contain raw network traffic data captured from a network interface. The -r flag allows you to specify a packet capture file to read, which is much like opening a document with a text editor. We'll use a sample file named capture.pcap located in your ~/project directory.

First, ensure you're in the correct directory. This is crucial because tshark needs to know where to find the capture file:

cd ~/project

Now, use tshark to read the capture file. The basic command without any filters will show you all packets in the file:

tshark -r capture.pcap

This command will display basic information about each packet in the capture file, including:

Packet number (showing the order of capture)
Timestamp (when the packet was captured)
Source and destination IP addresses (who sent and received the packet)
Protocol (what type of network communication this is)
Packet length (how big the packet is)
Basic protocol information (details specific to each protocol)

Example output (your actual output may vary):

1 0.000000 192.168.1.1 → 192.168.1.2 TCP 66 443 → 49234 [SYN] Seq=0 Win=64240 Len=0
2 0.000123 192.168.1.2 → 192.168.1.1 TCP 66 49234 → 443 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0
3 0.000234 192.168.1.1 → 192.168.1.2 TCP 54 443 → 49234 [ACK] Seq=1 Ack=1 Win=64240 Len=0

This output shows a basic TCP handshake between two hosts. The first packet with [SYN] indicates a connection request, the second with [SYN, ACK] is the response, and the third [ACK] completes the handshake. Each line represents one network packet with its essential details, giving you a chronological view of the network communication.

Enable Hex Dump with -x

In this step, we'll explore how to examine the raw binary content of network packets using Wireshark's command-line tool tshark. The -x option is particularly powerful as it reveals the actual hexadecimal data that makes up each packet, which is essential for deep packet analysis.

When working with network traffic, packets are fundamentally just sequences of bytes. The -x flag tells tshark to display:

The standard packet header information (like source/destination addresses)
The complete hexadecimal representation of the packet's raw data
An ASCII interpretation of that data (where applicable)

Before proceeding, let's make sure we're in the right working directory where our packet capture file is stored:

cd ~/project

Now we'll analyze our packet capture file (capture.pcap) with hexadecimal output enabled:

tshark -r capture.pcap -x

This command produces output divided into three main sections for each packet:

The summary line showing basic packet information
The hexadecimal dump showing the raw packet bytes
The ASCII representation of those bytes (displaying printable characters)

Here's what a typical output section looks like (shortened for demonstration):

1 0.000000 192.168.1.1 → 192.168.1.2 TCP 66 443 → 49234 [SYN] Seq=0 Win=64240 Len=0
0000  00 1a 4b 12 34 56 00 1b 11 22 33 44 08 00 45 00   ..K.4V..."3D..E.
0010  00 34 12 34 00 00 80 06 78 9a c0 a8 01 01 c0 a8   .4.4....x.......
0020  01 02 01 bb c0 52 00 00 00 00 00 00 00 00 50 02   .....R........P.
0030  fa f0 00 00 00 00 00 00 00 00                     ..........

The hexadecimal display is organized as follows:

The leftmost column (0000, 0010, etc.) shows the byte offset in hexadecimal
The middle section displays 16 bytes of packet data per line in hexadecimal format
The right section shows the ASCII character representation (with unprintable characters displayed as dots)

This view is invaluable when you need to examine protocol headers at the byte level or verify the exact content of network transmissions.

Limit to Frames with --hexdump frames

In this step, you'll learn how to precisely control which packets appear in your hexadecimal output using Wireshark's --hexdump option with frame filtering. This technique helps you focus on specific network packets while examining their raw hexadecimal data - particularly valuable when working with large capture files containing many packets.

The --hexdump option gives you more precise control than the basic -x flag. While -x shows hex dumps for all packets, --hexdump lets you specify exactly which frame numbers to display. This is like having a magnifying glass that only shows the packets you want to inspect closely.

First, let's make sure we're in the right working directory where our capture file is stored. This ensures Tshark can find the file we want to analyze:

cd ~/project

Now we'll use Tshark to display hexadecimal data for specific frames. The command structure is:
- -r capture.pcap reads our packet capture file
- --hexdump frame=1-3 tells Tshark we only want frames 1 through 3
- The equal sign (=) connects the frame filter to the hexdump option

Run this command to see frames 1-3 in hexadecimal:

tshark -r capture.pcap --hexdump frame=1-3

This command produces output showing:

Only the three frames we requested (1, 2, and 3)
The complete hexadecimal representation of each frame
The raw byte data without the usual packet summary information

Example output (shortened for demonstration):

Frame 1: 66 bytes on wire
0000  00 1a 4b 12 34 56 00 1b 11 22 33 44 08 00 45 00   ..K.4V..."3D..E.
0010  00 34 12 34 00 00 80 06 78 9a c0 a8 01 01 c0 a8   .4.4....x.......
0020  01 02 01 bb c0 52 00 00 00 00 00 00 00 00 50 02   .....R........P.
0030  fa f0 00 00 00 00 00 00 00 00                     ..........

Frame 2: 66 bytes on wire
0000  00 1b 11 22 33 44 00 1a 4b 12 34 56 08 00 45 00   ..."3D..K.4V..E.
0010  00 34 ab cd 00 00 80 06 12 34 c0 a8 01 02 c0 a8   .4.......4......
0020  01 01 c0 52 01 bb 00 00 00 00 00 00 00 01 50 12   ...R..........P.
0030  ff ff 00 00 00 00 00 00 00 00                     ..........

Notice the key differences from previous outputs:

Only the frames you specified appear (no extra packets)
Each frame shows its complete hexadecimal representation
The output skips the usual packet summary lines, giving you cleaner hex data to analyze

Review Hex Output

In this final step, you will analyze and interpret the hexadecimal output from your packet capture. Understanding hex dumps is fundamental for network analysis because it shows the raw binary data exactly as it travels across the network. This skill is essential for understanding network protocols, debugging communication issues, and performing low-level packet inspection.

First, let's generate a comprehensive hex dump of the first 3 frames. We'll use this command in the project directory:

cd ~/project
tshark -r capture.pcap --hexdump frame=1-3

This command reads the capture.pcap file and displays the hexadecimal representation of frames 1 through 3. The --hexdump option tells Tshark to show both hex and ASCII representations side by side.

Examine the output structure carefully. The hex dump is organized to help you visualize the packet structure:

Each frame starts with its size (e.g., "Frame 1: 66 bytes on wire") showing the total packet length
The left column shows the byte offset (0000, 0010, etc.) which helps locate specific bytes
The middle section displays 16 bytes of hexadecimal data per line, showing the actual packet contents
The right column shows ASCII representation of printable characters, useful for spotting text protocols

Now let's identify key protocol headers in the hex dump. Network packets follow a layered structure, and we can see this in the hex output:

## Ethernet header (first 14 bytes)
0000 00 1a 4b 12 34 56 00 1b 11 22 33 44 08 00

## IP header (next 20 bytes)
0010 45 00 00 34 12 34 00 00 80 06 78 9a c0 a8 01 01
0020 c0 a8 01 02

## TCP header (next 20 bytes)
0020 01 bb c0 52 00 00 00 00 00 00 00 00 50 02
0030 fa f0 00 00 00 00 00 00 00 00

The Ethernet header comes first, followed by the IP header, and then the TCP header. Each protocol header contains specific fields at fixed positions that we can decode.

Let's practice interpreting some common values you'll encounter in network packets:

08 00 indicates IPv4 (EtherType) - this tells the network card what protocol comes next
45 shows IPv4 with 5-word header length (the '4' is IP version, '5' is header length in 32-bit words)
c0 a8 01 01 is 192.168.1.1 in hex (each pair represents one octet of the IP address)
01 bb is port 443 in decimal (the first byte 01 is 256, plus bb is 187, totaling 443)

Remember that network protocols use big-endian byte order, meaning the most significant byte comes first when interpreting multi-byte fields.

Summary

In this lab, you have learned to utilize Wireshark's tshark command-line tool for analyzing packet captures and examining hexadecimal data. The exercises demonstrated reading PCAP files with the -r option to view basic packet information and using the -x flag for detailed hexadecimal dumps.

You explored how these techniques enable comprehensive network traffic analysis, from observing TCP handshakes to inspecting raw packet data at the byte level. The combination of packet summaries with hexadecimal and ASCII representations provides powerful capabilities for network troubleshooting and protocol examination.