Use Two-Pass Analysis in Tshark

Introduction

In this lab, you will learn to perform two-pass analysis using tshark, Wireshark's command-line tool, to analyze network traffic from a PCAP file. You'll practice using key options like -r for file reading, -2 for two-pass mode, and -V for verbose output while examining TCP acknowledgment packets with display filters.

The exercises will guide you through fundamental to advanced tshark operations, including file verification, protocol dissection enhancement through two-pass analysis, and interpretation of network traffic patterns. These practical skills will help you conduct more accurate and efficient network analysis using tshark's powerful features.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL wireshark(("Wireshark")) -.-> wireshark/WiresharkGroup(["Wireshark"]) wireshark/WiresharkGroup -.-> wireshark/packet_capture("Packet Capture") wireshark/WiresharkGroup -.-> wireshark/display_filters("Display Filters") wireshark/WiresharkGroup -.-> wireshark/protocol_dissection("Protocol Dissection") wireshark/WiresharkGroup -.-> wireshark/packet_analysis("Packet Analysis") wireshark/WiresharkGroup -.-> wireshark/commandline_usage("Command Line Usage") subgraph Lab Skills wireshark/packet_capture -.-> lab-548940{{"Use Two-Pass Analysis in Tshark"}} wireshark/display_filters -.-> lab-548940{{"Use Two-Pass Analysis in Tshark"}} wireshark/protocol_dissection -.-> lab-548940{{"Use Two-Pass Analysis in Tshark"}} wireshark/packet_analysis -.-> lab-548940{{"Use Two-Pass Analysis in Tshark"}} wireshark/commandline_usage -.-> lab-548940{{"Use Two-Pass Analysis in Tshark"}} end

Open File with -r capture.pcap

In this step, you will learn how to open and examine a packet capture file using Wireshark's command-line tool tshark. This fundamental skill is essential for analyzing pre-recorded network traffic before moving on to more advanced analysis techniques.

The -r option is one of tshark's most frequently used parameters. It stands for "read" and specifies that tshark should process packets from a file rather than capturing live network traffic. We'll be working with a sample file named capture.pcap that contains recorded network communication data.

Before we begin, let's understand what we're working with:

A .pcap file is a standard format for storing captured network packets
The file contains raw network traffic data that we'll analyze
Using a saved capture file allows us to study network behavior without needing live traffic

Follow these steps carefully:

First, navigate to the directory containing our capture file:

cd ~/project

Verify the capture file exists and check its properties:

ls -l capture.pcap

You should see output similar to:

-rw-r--r-- 1 labex labex 12345 Jan 1 00:00 capture.pcap

This confirms the file exists and shows its size and permissions.

Now, let's open and display the capture file contents:

tshark -r capture.pcap

This command reads the file and displays a summary of each captured packet in your terminal. Each line represents one network packet, showing basic information like timestamp, source/destination addresses, and protocol.

For beginners: When starting with packet analysis, working with saved capture files is often easier than dealing with live traffic. The -r option gives us this capability. In the next steps, we'll learn how to filter and analyze specific aspects of this traffic.

Enable Two-Pass with -2

In this step, we'll explore how to use Wireshark's tshark in two-pass analysis mode by adding the -2 option. This powerful feature makes tshark process the capture file twice, significantly improving protocol analysis accuracy and display filter results.

For those new to packet analysis: Normally, tshark reads packets sequentially just once. Two-pass mode changes this by:

First pass: Quickly scans the entire file to build protocol relationships and dependencies
Second pass: Carefully analyzes each packet with full context from the first pass

You'll want to use two-pass mode when:

Working with complex protocols where later packets explain earlier ones
Applying sophisticated display filters that need full packet context
Generating precise protocol statistics and summaries

Let's practice with our sample capture file:

First, navigate to the project directory (if you're continuing from previous steps):

cd ~/project

Now execute tshark with two-pass analysis enabled:

tshark -2 -r capture.pcap

Understanding what happens: The -2 flag activates the dual scanning process. During the first pass, tshark notes important protocol details like TCP sequence numbers and session states. In the second pass, it uses this information to properly reconstruct conversations and apply filters accurately. This is particularly valuable for protocols like TCP where acknowledgments affect how we interpret data packets.

Filter Responses with -R "tcp.flags.ack==1"

In this step, we'll explore how to filter TCP ACK packets using Wireshark's powerful display filtering capabilities. The -R option in Tshark lets us apply these filters to analyze captured network traffic. This is particularly useful when you want to focus on specific types of packets, like TCP acknowledgments.

TCP ACK packets play a crucial role in network communication. Whenever your computer receives data through a TCP connection, it sends back these acknowledgment packets to confirm successful receipt. By filtering for them, we can study how systems confirm data delivery.

Let's walk through the process step by step:

First, we need to navigate to our working directory where the capture file is stored:

cd ~/project

Now we'll use Tshark with the two-pass analysis (-2) option and apply our ACK filter:

tshark -2 -r capture.pcap -R "tcp.flags.ack==1"

Breaking down what's happening in this command:

-2 enables two-pass analysis for more accurate results
-r capture.pcap specifies our input capture file
-R "tcp.flags.ack==1" applies our display filter for ACK packets

Key points to understand:

The -R option tells Tshark to only show packets matching our filter criteria
tcp.flags.ack==1 precisely matches packets where the TCP ACK flag is set to 1 (true)
TCP ACKs are normal protocol behavior - they don't necessarily indicate problems
Two-pass analysis (-2) helps ensure accurate protocol dissection and filtering

After running the command, you'll see output containing only TCP packets with the ACK flag set. A typical line looks like:

1 0.000000 192.168.1.1 → 192.168.1.2 TCP 54 443 → 49234 [ACK] Seq=1 Ack=1 Win=64240 Len=0

This shows the packet number, timestamp, source/destination IPs, ports, and TCP-specific information including the [ACK] flag we filtered for.

Display Results with -V

In this step, we'll explore how to view comprehensive packet details using Wireshark's -V (verbose) option. When analyzing network traffic, understanding the complete structure of packets is crucial. The -V flag helps by displaying the full protocol hierarchy and all field values, which is especially useful when examining TCP ACK packets from our previous filtering.

The verbose output (-V) reveals three key aspects of each packet:

Complete protocol breakdown showing how different layers encapsulate each other
Every field value within these protocols, including technical details often hidden in default views
Clear hierarchical organization that mirrors how protocols actually stack in network communication

Let's execute this step-by-step:

First, navigate to our working directory where the capture file is stored. This ensures we can access our packet capture data:

cd ~/project

Now run the command with verbose output for our filtered ACK packets. Notice we're combining the two-pass analysis (-2) with our previous filter (-R) and adding -V:

tshark -2 -r capture.pcap -R "tcp.flags.ack==1" -V

For those new to packet analysis:

The -V option activates "verbose" mode, like switching from a book's table of contents to reading full chapters
Unlike the default view that shows basic packet summaries, verbose mode exposes all technical details
Output organizes information by protocol layers (Ethernet → IP → TCP etc.), exactly how packets are structured
You'll see specific values for each protocol field, helping understand exactly what's happening in the network exchange

Here's what to expect in the output (simplified example):

Frame 1: 54 bytes on wire...
Ethernet II, Src: aa:bb:cc:dd:ee:ff...
Internet Protocol Version 4, Src: 192.168.1.1...
Transmission Control Protocol, Src Port: 443...
    [ACK] Seq=1 Ack=1 Win=64240 Len=0
    [TCP Flags: ·······A····]

Summary

In this lab, you have learned to perform two-pass packet analysis using Wireshark's tshark command-line tool. The process involved reading packets from a capture file (capture.pcap) using the -r option and verifying its location before analysis.

You explored the two-pass mode enabled by -2 option, which enhances protocol analysis accuracy by scanning packets twice. This technique proves particularly useful for complex filters and protocols requiring contextual information from subsequent packets.