Network Penetration Testing

The document discusses network traffic analysis using TShark. It provides an introduction to TShark, describing it as the command-line version of Wireshark used to capture and analyze real-time network traffic. It then covers how to use TShark to capture traffic, read and write packet captures to files, and filter and format the output. The document demonstrates how TShark can be used to monitor network traffic and identify potential attacks.


NETWORK PENETRATION TESTING

Ignite Technologies
Where we are today

What is Network Traffic?
Introduction to TShark
Capture Traffic
Read & Write in a File
Output Format & Display Filters
Endpoints Analysis

What is Network Traffic?

"Network traffic, or data traffic, is the amount of data transferred across the network at a given point in time."

Network data travels as network data packets. Analyzing those packets therefore supports network security, because it lets us monitor what is actually crossing the wire.

An unusual amount of data traffic signals the possibility of an attack!

"Network traffic volume is the measure of the total work done, i.e. the average data traffic intensity over the time period of the network data packet study."


Introduction to TShark

"TShark is the console version of Wireshark: a network analyzer that captures and decodes real-time network traffic."

TShark Features

It is a full command-line tool and can do almost anything that Wireshark does.
It has powerful dissectors (decoders) and filters, both capture filters and display filters.
It captures packets and can display information from the different network layers in several output formats.
It can read .pcap and .pcapng files to analyze recorded traffic and dig into the details of those connections.

"TShark comes pre-installed in Kali Linux." So, let's start!

Help Command

tshark -h

List Interfaces

tshark -D

Prints a list of all the interfaces whose traffic TShark can capture, with an index number for each; either the name or the index can be passed to -i. Capturing needs root privileges, or a dumpcap binary that has been granted capture capabilities.
Basic Capture

Generate some traffic in one terminal:

ping www.hackingarticles.in

Capture on the interface in another terminal:

tshark -i eth0
Promiscuous mode

Promiscuous mode is a setting of the network interface controller that makes it pass every frame it receives up to the operating system, rather than only the frames addressed to its own MAC address (plus broadcast and multicast). It is the mode used for packet sniffing, whether on a router or on a computer connected to a wired LAN. On a switched network the interface still only sees the frames the switch delivers to its port, so to observe other hosts' traffic you also need a mirror (SPAN) port or a tap.

TShark puts the capture interface into promiscuous mode by itself unless you pass -p, so the ifconfig step below only sets the flag explicitly and keeps it set after TShark exits.

ping www.hackingarticles.in

ifconfig eth0 promisc

tshark -i eth0
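The check a practitioner wants after the ifconfig step is whether the flag actually took. The following shell script is an added example, not part of the Ignite deck: it reads the interface flags word that Linux exposes under /sys/class/net/<iface>/flags and tests the IFF_PROMISC bit (0x100). The interface name eth0 and the sample flag values in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the Ignite deck): test whether an interface is in
# promiscuous mode by checking IFF_PROMISC (0x100) in its kernel flags word.
# Linux exposes the flags as a hex number in /sys/class/net/<iface>/flags.

IFF_PROMISC=256   # 0x100 from <linux/if.h>

# promisc_from_flags HEXFLAGS -> prints "yes" (exit 0) or "no" (exit 1)
# e.g. 0x1003 = UP|BROADCAST|MULTICAST, 0x1103 = the same plus PROMISC
promisc_from_flags() {
    flags=$(( $1 ))
    if [ $(( flags & IFF_PROMISC )) -ne 0 ]; then
        echo yes
        return 0
    fi
    echo no
    return 1
}

# promisc_iface IFACE -> reads the live flags of a real interface
promisc_iface() {
    f="/sys/class/net/$1/flags"
    [ -r "$f" ] || { echo "no such interface: $1" >&2; return 2; }
    promisc_from_flags "$(cat "$f")"
}

# enable_promisc IFACE: prefer iproute2, fall back to ifconfig (needs root)
enable_promisc() {
    if command -v ip >/dev/null 2>&1; then
        ip link set dev "$1" promisc on
    else
        ifconfig "$1" promisc
    fi
}

# Usage on a live host (assumes eth0 exists and you are root):
#   enable_promisc eth0 && promisc_iface eth0 && tshark -i eth0
```

`ip link set dev eth0 promisc on` is the iproute2 equivalent of `ifconfig eth0 promisc`; `ip -d link show eth0` also prints PROMISC in the flag list when the bit is set.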

Packet Count

The -c parameter stops the capture after exactly the given number of packets and displays only those.

tshark -i eth0 -c 10

Read & Write in a File

The -w (write) option writes the raw packet data to a capture file instead of printing decoded packets. Note that current versions of TShark write pcapng by default; add -F pcap if a downstream tool needs the classic libpcap format.

tshark -i eth0 -c 10 -w packets.pcap

The -r (read) option reads the packets back from the capture file and decodes them, so the same filters and output formats can be applied to recorded traffic.

tshark -r packets.pcap
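As an added example that is not from the deck, the following shell helpers wrap the write and read steps and first check the capture file's magic number, so a truncated or non-capture file is rejected before tshark -r is run. The interface eth0, the file names and the 24-byte sample header are constructed here, not taken from a real capture.

```shell
#!/bin/sh
# Added example (not from the Ignite deck): identify a capture file's format
# before handing it to tshark -r, and make the write format explicit.
# tshark -w writes pcapng by default; -F pcap forces classic libpcap format.

# capture_kind FILE -> prints pcap-le | pcap-be | pcap-ns-le | pcapng | unknown
# The first four bytes of the file identify the container format.
capture_kind() {
    magic=$(od -A n -t x1 -N 4 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1) echo pcap-le ;;      # libpcap, little-endian, microsecond stamps
        a1b2c3d4) echo pcap-be ;;      # libpcap, big-endian
        4d3cb2a1) echo pcap-ns-le ;;   # libpcap, nanosecond stamps (0xa1b23c4d)
        0a0d0d0a) echo pcapng ;;       # pcapng Section Header Block type
        *)        echo unknown; return 1 ;;
    esac
}

# write_capture IFACE COUNT FILE: capture COUNT packets into classic pcap
write_capture() {
    tshark -i "$1" -c "$2" -F pcap -w "$3"
}

# read_capture FILE: refuse files that are not capture files at all
read_capture() {
    kind=$(capture_kind "$1") || { echo "not a capture file: $1" >&2; return 1; }
    echo "reading $1 ($kind)" >&2
    tshark -r "$1"
}

# make_sample_pcap FILE: constructed 24-byte libpcap global header with no
# packet records (magic, version 2.4, tz 0, sigfigs 0, snaplen 65535, DLT 1),
# so capture_kind can be exercised without a live capture.
make_sample_pcap() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$1"
}

# Usage on a live host (assumes eth0 and root or capture capabilities):
#   write_capture eth0 10 packets.pcap && read_capture packets.pcap
```

The magic check is what tshark itself does before dissecting; doing it in the wrapper simply turns an opaque "not a capture file" error into a named reason and stops scripts from feeding logs or HTML into the reader by mistake.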

Output Formats

TShark can emit decoded packets in several output formats, selected with -T; the format determines how the decoded fields are laid out so the result is easy to read or to parse. The valid formats are ek, fields, json, jsonraw, pdml, ps, psml, tabs and text.

tshark -r packets.pcap -T <format>
PDML

PDML stands for Packet Details Markup Language, an XML-based format that carries the full decoded detail of every packet (each protocol field with its name, offset and value).

tshark -r packets.pcap -T pdml
PS

PS stands for PostScript. The output is a printable one-line summary of each packet, or the multi-line packet details when -V is given as well.

tshark -r packets.pcap -T ps
JSON

JSON stands for JavaScript Object Notation, an open-standard text format. TShark's JSON output carries the full packet details in a form that scripts and log pipelines can parse directly.

tshark -r packets.pcap -T json
Text

Text is the default format: a human-readable one-line summary of each packet, or the full packet details when -V is given.

tshark -r packets.pcap -T text

To read more, visit Hacking Articles.

But why do we need to decode?

A .pcap file stores only the raw bytes of each packet plus a short per-packet header with the timestamp and length; nothing is compressed, but nothing is interpreted either. Decoding expands every packet into named protocol fields and values, which is why the PDML, PS or JSON version of the same capture is much larger than the .pcap it was produced from, as the file sizes show:

ls -lh packets.p*
Converting PDML to an HTML Page

Save the decoded packets in PDML format, which is an XML file:

tshark -r packets.pcap -T pdml > packets.xml

Use the xsltproc tool with the stylesheet shipped with Wireshark to turn that XML into an HTML page:

xsltproc /usr/share/wireshark/pdml2html.xsl packets.xml > packets.html

Open the HTML page in the browser:

firefox packets.html &
Endpoints Analysis

TShark collects different types of statistics and displays the results after it has finished reading the capture file.

With -z endpoints,<type> TShark builds a table listing every endpoint of that type seen in the capture, with the packets and bytes sent and received by each. The endpoint types follow the Wireshark Endpoints window (for example eth, ip, ipv6, tcp, udp and wlan); the complete list of statistics TShark supports is printed by tshark -z help.

Endpoints Analysis

tshark -r wlan.pcap -z endpoints,wlan -q | head

-q suppresses the per-packet output so that only the statistics table is printed; head keeps the first lines of the table, which is enough to see the busiest endpoints.
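The endpoints table shows who talked and how much; the "unusual amount of traffic" check from the What is Network Traffic slide needs the totals per source so that a threshold can be applied. This shell script is an added example (not from the deck) that aggregates `tshark -T fields -e ip.src -e ip.dst -e frame.len` output with awk and flags sources above a byte threshold. The sample lines, addresses and threshold are constructed, not taken from a real capture.

```shell
#!/bin/sh
# Added example (not from the Ignite deck): sum bytes per source address from
# tshark field output and flag sources that exceed a threshold.
# Live input would come from
#   tshark -r packets.pcap -T fields -e ip.src -e ip.dst -e frame.len
# which prints one tab-separated line per packet (empty ip.src for non-IP
# frames such as ARP).

# sample_fields: constructed sample in exactly that layout (not a real capture)
sample_fields() {
    printf '%s\t%s\t%s\n' \
        10.0.0.5    10.0.0.1 74   \
        10.0.0.5    10.0.0.1 1514 \
        10.0.0.5    10.0.0.1 1514 \
        10.0.0.5    10.0.0.1 1514 \
        10.0.0.9    10.0.0.1 66   \
        10.0.0.9    10.0.0.1 90   \
        192.168.1.3 10.0.0.1 1514 \
        ''          ''       60      # ARP frame: no ip.src, must be skipped
}

# bytes_by_src: stdin = src<TAB>dst<TAB>len ; stdout = "src total", busiest first
bytes_by_src() {
    awk -F'\t' '$1 != "" { b[$1] += $3 }
                END { for (s in b) printf "%s %d\n", s, b[s] }' |
        sort -k2,2nr
}

# flag_heavy THRESHOLD: print the sources whose total bytes exceed THRESHOLD
flag_heavy() {
    bytes_by_src | awk -v t="$1" '$2 > t { print $1 }'
}

# Usage against a real capture (threshold of one megabyte is an assumption):
#   tshark -r packets.pcap -T fields -e ip.src -e ip.dst -e frame.len \
#       | flag_heavy 1000000
```

With frame.len the totals count on-the-wire bytes including headers; swap in ip.len to compare payload sizes, or add -Y "tcp.port == 443" before -T fields to scope the count to one service.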

Ignite Technologies

www.ignitetechnologies.in
+91 959 938 7841

THANK YOU