analysis-tshark
Network protocol analyzer and packet capture tool for traffic analysis, security investigations, and forensic examination using Wireshark's command-line interface. Use when: (1) Analyzing network traffic for security incidents and malware detection, (2) Capturing and filtering packets for forensic analysis, (3) Extracting credentials and sensitive data from network captures, (4) Investigating network anomalies and attack patterns, (5) Validating encryption and security controls, (6) Performing protocol analysis for vulnerability research.
What this skill does
# TShark Network Protocol Analyzer

## Overview

TShark is the command-line network protocol analyzer from the Wireshark project. It provides powerful packet capture and analysis capabilities for security investigations, forensic analysis, and network troubleshooting.

This skill covers authorized security operations including traffic analysis, credential extraction, malware detection, and forensic examination.

**IMPORTANT**: Network packet capture may expose sensitive information and must only be conducted with proper authorization. Ensure legal compliance and privacy considerations before capturing network traffic.

## Quick Start

Basic packet capture and analysis:

```bash
# Capture packets on interface
sudo tshark -i eth0

# Capture 100 packets and save to file
sudo tshark -i eth0 -c 100 -w capture.pcap

# Read and analyze capture file
tshark -r capture.pcap

# Apply display filter
tshark -r capture.pcap -Y "http.request.method == GET"

# Extract HTTP objects
tshark -r capture.pcap --export-objects http,extracted_files/
```

## Core Workflow

### Network Analysis Workflow

Progress:

- [ ] 1. Verify authorization for packet capture
- [ ] 2. Identify target interface and capture requirements
- [ ] 3. Capture network traffic with appropriate filters
- [ ] 4. Analyze captured packets for security indicators
- [ ] 5. Extract artifacts (files, credentials, sessions)
- [ ] 6. Document findings and security implications
- [ ] 7. Securely handle and store capture files
- [ ] 8. Clean up sensitive data per retention policy

Work through each step systematically. Check off completed items.

### 1. Authorization Verification

**CRITICAL**: Before any packet capture:

- Confirm written authorization for network monitoring
- Verify legal compliance (wiretapping laws, privacy regulations)
- Understand data handling and retention requirements
- Document scope of capture (interfaces, duration, filters)
- Ensure secure storage for captured data

### 2. Interface Discovery

Identify available network interfaces:

```bash
# List all interfaces visible to the current user
tshark -D

# List all interfaces, including those that need elevated privileges
sudo tshark -D

# Capture on specific interface
sudo tshark -i eth0
sudo tshark -i wlan0

# Capture on any interface
sudo tshark -i any

# Capture on multiple interfaces
sudo tshark -i eth0 -i wlan0
```

**Interface types**:

- **eth0/ens33**: Ethernet interface
- **wlan0**: Wireless interface
- **lo**: Loopback interface
- **any**: All interfaces (Linux only)
- **mon0**: Monitor mode interface (wireless)

### 3. Basic Packet Capture

Capture network traffic:

```bash
# Capture indefinitely (Ctrl+C to stop)
sudo tshark -i eth0

# Capture specific number of packets
sudo tshark -i eth0 -c 1000

# Capture for specific duration (seconds)
sudo tshark -i eth0 -a duration:60

# Capture to file
sudo tshark -i eth0 -w capture.pcap

# Capture with ring buffer (rotate files)
sudo tshark -i eth0 -w capture.pcap -b filesize:100000 -b files:5
```

**Capture options**:

- `-c <count>`: Stop after capturing this many packets
- `-a duration:<sec>`: Auto-stop after duration
- `-w <file>`: Write to file
- `-b filesize:<KB>`: Rotate to a new file at this file size
- `-b files:<num>`: Keep N ring buffer files

### 4. Capture Filters

Apply BPF (Berkeley Packet Filter) expressions during capture; they are evaluated in the kernel, so dropping unwanted traffic here is far cheaper than filtering it afterwards:

```bash
# Capture only HTTP traffic
sudo tshark -i eth0 -f "tcp port 80"

# Capture specific host
sudo tshark -i eth0 -f "host 192.168.1.100"

# Capture subnet
sudo tshark -i eth0 -f "net 192.168.1.0/24"

# Capture multiple ports
sudo tshark -i eth0 -f "tcp port 80 or tcp port 443"

# Exclude specific traffic
sudo tshark -i eth0 -f "not port 22"

# Capture SYN packets only
sudo tshark -i eth0 -f "tcp[tcpflags] & tcp-syn != 0"
```

**Common capture filters**:

- `host <ip>`: Traffic to/from IP
- `net <cidr>`: Traffic to/from network
- `port <port>`: Specific port
- `tcp|udp|icmp`: Protocol type
- `src|dst`: Direction filter
- `and|or|not`: Logical operators

### 5. Display Filters

Analyze captured traffic with Wireshark display filters (`-Y`); unlike capture filters, these understand dissected protocol fields:

```bash
# HTTP requests only
tshark -r capture.pcap -Y "http.request"

# HTTP responses
tshark -r capture.pcap -Y "http.response"

# DNS queries
tshark -r capture.pcap -Y "dns.flags.response == 0"

# TLS handshakes (ClientHello)
tshark -r capture.pcap -Y "tls.handshake.type == 1"

# Suspicious traffic patterns (connection attempts without a reply)
tshark -r capture.pcap -Y "tcp.flags.syn==1 and tcp.flags.ack==0"

# Failed connections
tshark -r capture.pcap -Y "tcp.flags.reset==1"
```

**Advanced display filters**:

```bash
# HTTP POST requests with credentials
tshark -r capture.pcap -Y "http.request.method == POST and (http contains \"password\" or http contains \"username\")"

# SMB file transfers (SMB2 Read and Write commands)
tshark -r capture.pcap -Y "smb2.cmd == 8 or smb2.cmd == 9"

# Suspicious User-Agents
tshark -r capture.pcap -Y "http.user_agent contains \"python\" or http.user_agent contains \"curl\""

# Large data transfers
tshark -r capture.pcap -Y "tcp.len > 1400"

# Beaconing detection: dump timestamps per destination for interval analysis
tshark -r capture.pcap -Y "http" -T fields -e frame.time_relative -e ip.dst
```

### 6. Protocol Analysis

Analyze specific protocols:

**HTTP/HTTPS Analysis**:

```bash
# Extract HTTP requests
tshark -r capture.pcap -Y "http.request" -T fields -e ip.src -e http.host -e http.request.uri

# Extract HTTP User-Agents
tshark -r capture.pcap -Y "http.user_agent" -T fields -e ip.src -e http.user_agent

# HTTP status codes
tshark -r capture.pcap -Y "http.response" -T fields -e ip.src -e http.response.code

# Extract HTTP cookies
tshark -r capture.pcap -Y "http.cookie" -T fields -e ip.src -e http.cookie
```

**DNS Analysis**:

```bash
# DNS queries
tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e ip.src -e dns.qry.name

# DNS responses
tshark -r capture.pcap -Y "dns.flags.response == 1" -T fields -e dns.qry.name -e dns.a

# DNS tunneling detection (long domain names)
tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name | awk 'length > 50'

# DNS query types
tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.type -e dns.qry.name
```

**TLS/SSL Analysis**:

```bash
# TLS handshakes with the requested server name (SNI)
tshark -r capture.pcap -Y "tls.handshake.type == 1" -T fields -e ip.src -e ip.dst -e tls.handshake.extensions_server_name

# TLS certificates
tshark -r capture.pcap -Y "tls.handshake.certificate" -T fields -e tls.handshake.certificate

# SSL/TLS versions
tshark -r capture.pcap -Y "tls" -T fields -e tls.record.version

# Cipher suites offered and selected (review for weak suites)
tshark -r capture.pcap -Y "tls.handshake.ciphersuite" -T fields -e tls.handshake.ciphersuite
```

**SMB/CIFS Analysis**:

```bash
# SMB file access
tshark -r capture.pcap -Y "smb2" -T fields -e ip.src -e smb2.filename

# SMB authentication
tshark -r capture.pcap -Y "ntlmssp" -T fields -e ip.src -e ntlmssp.auth.username

# SMB commands
tshark -r capture.pcap -Y "smb2" -T fields -e smb2.cmd
```

### 7. Credential Extraction

Extract credentials from network traffic (authorized forensics only):

**HTTP Basic Authentication**:

```bash
# Extract HTTP Basic Auth credentials (tshark has already decoded them)
tshark -r capture.pcap -Y "http.authbasic" -T fields -e ip.src -e http.authbasic

# Decode Base64 credentials from the raw Authorization header;
# strip the "Basic " scheme word first, or base64 refuses the input
tshark -r capture.pcap -Y "http.authorization" -T fields -e http.authorization | awk '$1 == "Basic" {print $2}' | while read -r token; do printf '%s\n' "$token" | base64 -d; echo; done
```

**FTP Credentials**:

```bash
# Extract FTP usernames
tshark -r capture.pcap -Y "ftp.request.command == USER" -T fields -e ip.src -e ftp.request.arg

# Extract FTP passwords
tshark -r capture.pcap -Y "ftp.request.command == PASS" -T fields -e ip.src -e ftp.request.arg
```

**NTLM/Kerberos**:

```bash
# Extract NTLM hashes
tshark -r capture.pcap -Y "ntlmssp.auth.ntlmv2response" -T fields -e ntlmssp.auth.username -e ntlmssp.auth.domain -e ntlmssp.auth.ntlmv2response

# Kerberos tickets
tshark -r capture.pcap -Y "kerberos.CNameString" -T fields -e kerberos.CNameString -e kerberos.realm
```

**Email Credentials**:

```bash
# SMTP authentication
tshark -r capture.pcap -Y "smtp.req.command == AUTH" -T fields -e ip.src

# POP3 credentials
tshark -r capture.pcap -Y "pop.request.command == USER or pop.request.comman
```
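The beaconing filter in the Display Filters section only dumps a timestamp and destination per HTTP request; the interval analysis is left to the analyst. This added Python example (not part of the original skill) consumes that `-T fields` output and reports destinations whose inter-request gaps are nearly constant. The sample lines are constructed and the `min_hits`/`max_cv` thresholds are assumptions to tune per environment.

```python
"""Flag beacon-like periodic HTTP traffic (added example, not part of the skill).
Reads the tab-separated output of the beaconing filter from the skill text:
  tshark -r capture.pcap -Y "http" -T fields -e frame.time_relative -e ip.dst"""
import statistics
import sys
from collections import defaultdict

# Constructed sample: 203.0.113.7 is hit every ~30 s with sub-second jitter
# (beacon-like); 198.51.100.9 shows irregular, bursty browsing.
SAMPLE = """\
0.000000\t203.0.113.7
1.204511\t198.51.100.9
1.318204\t198.51.100.9
30.103242\t203.0.113.7
44.592811\t198.51.100.9
60.205819\t203.0.113.7
90.302981\t203.0.113.7
91.000153\t198.51.100.9
120.411236\t203.0.113.7
"""


def parse_fields(text):
    """Group relative timestamps by destination IP."""
    by_dst = defaultdict(list)
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 2 or not parts[1]:
            continue  # tshark prints an empty column when ip.dst is absent
        by_dst[parts[1]].append(float(parts[0]))
    return by_dst


def find_beacons(by_dst, min_hits=4, max_cv=0.1):
    """Return {dst: (mean_gap, cv)} where cv = pstdev/mean of the request gaps.
    Thresholds are assumptions: low-jitter beacons sit well below cv 0.1."""
    beacons = {}
    for dst, times in by_dst.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            beacons[dst] = (round(mean, 2), round(cv, 3))
    return beacons


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for dst, (mean, cv) in find_beacons(parse_fields(text)).items():
        print(f"{dst}\tevery {mean}s\tcv={cv}")
```

Pipe the real tshark command into the script to analyze a capture; with no input on stdin it runs against the constructed sample.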
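The DNS tunneling check in the Protocol Analysis section flags long names only. This added Python example (not part of the original skill) scores the same `-T fields` query output by label entropy and by the number of distinct subdomains per registered domain as well, since tunnels with short labels still produce many unique names. The sample queries are constructed, `tunnel.example` is a placeholder domain, and approximating the registered domain by the last two labels is an assumption (no public-suffix list).

```python
"""Score DNS query names for tunneling indicators (added example, not part of the skill).
Reads the tab-separated output of:
  tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e ip.src -e dns.qry.name
Assumption: the registered domain is approximated by the last two labels."""
import math
from collections import defaultdict

# Constructed sample: encoded data carried in subdomains of the placeholder tunnel.example
SAMPLE = """\
10.0.0.5\twww.wikipedia.org
10.0.0.5\t3q2b7a9zk1vx8m4n0p5r.6t7u8w9y0z1a2b3c4d5e.tunnel.example
10.0.0.5\tmail.example.net
10.0.0.5\tf9g8h7j6k5l4m3n2p1q0.r9s8t7u6v5w4x3y2z1a0.tunnel.example
10.0.0.5\tz0y9x8w7v6u5t4s3r2q1.p0o9n8m7l6k5j4h3g2f1.tunnel.example
"""


def entropy(s):
    """Shannon entropy of a string in bits per character."""
    return -sum(p * math.log2(p) for p in (s.count(c) / len(s) for c in set(s)))


def score_query(name, max_len=50, max_entropy=3.5):
    """Return the indicators a single query name triggers (thresholds are assumptions)."""
    labels = name.rstrip(".").split(".")
    reasons = []
    if len(name) > max_len:          # same test as the skill's awk 'length > 50'
        reasons.append("long")
    sub = "".join(labels[:-2])       # everything left of the registered domain
    if len(sub) >= 16 and entropy(sub) > max_entropy:
        reasons.append("high-entropy")
    return reasons


def analyze(text, min_unique=3):
    """Per registered domain: distinct names seen and the union of indicators fired."""
    per_domain = defaultdict(lambda: {"names": set(), "reasons": set()})
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 2 or not parts[1]:
            continue  # empty column when dns.qry.name is absent
        name = parts[1].rstrip(".")
        base = ".".join(name.split(".")[-2:])
        per_domain[base]["names"].add(name)
        per_domain[base]["reasons"].update(score_query(name))
    return {d: v for d, v in per_domain.items()
            if v["reasons"] or len(v["names"]) >= min_unique}


if __name__ == "__main__":
    for domain, info in analyze(SAMPLE).items():
        print(domain, len(info["names"]), sorted(info["reasons"]))
```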