# Networking Programming - Wireshark and TShark
## Wireshark
### What is Wireshark?
<div style="text-align:center; margin-bottom: 50px;">
<img src="https://hackmd.io/_uploads/HkXMIn-Oa.jpg" alt="iot_api_platform-1024x768" width="400" />
</div>
Wireshark functions as a network packet and protocol analyzer, proficient in capturing and displaying detailed packet data. Its primary role is to capture network packets, striving to present the packet information in the most comprehensive manner possible. Widely regarded as one of the top open-source packet analyzers, Wireshark is highly esteemed for its effectiveness on both UNIX and Windows platforms.
Formerly known as Ethereal, Wireshark offers a versatile approach to traffic analysis, allowing users to delve into the intricacies of network communication at different levels. It enables examination ranging from connection-level details to the binary bits constituting individual packets. Through packet capture, Wireshark provides a wealth of information to network administrators, including transmit time, source and destination addresses, protocol types, and header data for each packet. This granular packet-level insight proves invaluable for evaluating security events and effectively troubleshooting issues related to network security devices.
### Facts About Wireshark
Here are some important points about Wireshark:
1. Network administrators find Wireshark indispensable for **troubleshooting** various network issues, relying on its comprehensive features to **identify** and resolve problems efficiently.
2. Network security engineers utilize Wireshark as a powerful tool for **scrutinizing and addressing** security concerns within the network infrastructure.
3. Developers employ Wireshark to **debug protocol** implementations in IT projects, leveraging its capabilities to ensure the smooth operation of their developed systems.
4. Wireshark **serves as a valuable resource** for individuals keen on understanding the intricate details of network protocol internals, offering a practical and hands-on approach to learning.
5. Despite its robust capabilities, it's important to clarify that Wireshark is **not** intended to function as an **intrusion detection system**. It operates solely as an observational tool, providing insights into network activities without manipulating network elements.
### Components in Wireshark
#### IP Address
An Internet Protocol address (IP address) is a numerical label assigned to each device (e.g., computer, printer or device) participating in a computer network that uses the Internet Protocol for communication. An IP address serves two principal functions: host or network interface identification and location addressing.
#### MAC Address
A media access control address (MAC address) is a unique identifier assigned to network interfaces for communications on the physical network segment. MAC addresses are used as a network address for most IEEE 802 network technologies, including Ethernet and WiFi.
#### Ports
In networking, a port is a "logical connection place"; specifically, with the Internet's protocol suite, TCP/IP, it is the way a client program specifies a particular server program on a computer in a network.
### TCP/IP Model Layers and Protocols
The TCP/IP model comprises various layers, each associated with specific protocols:
1. **Application Layer Protocols**: Protocols like HTTP, HTTPS, SMTP, Secure Shell (SSH), and others are situated at this layer, facilitating communication between software applications.
2. **Transport Layer Protocols**: TCP and User Datagram Protocol (UDP) are positioned in this layer. TCP operates in a connection-oriented (stateful) manner, while UDP is connectionless (stateless). When capturing TCP packets, one can observe handshakes involving SYN and ACK messages, interleaved with data to ensure reliable packet delivery. These units are commonly referred to as datagrams.
3. **Internet Layer Protocols**: This layer manages communication and logical addressing, primarily IP addresses. While this discussion focuses on IP, other protocols also exist within this layer. The units of data at this layer are typically called packets.
4. **Network Link Layer Data**: Displaying Ethernet information, including frame types, source and destination MAC addresses, this layer is responsible for handling network link details. The units of data at this layer are commonly referred to as frames.
### Packet List Columns in Wireshark
<div style="text-align:center; margin-bottom: 50px;">
<img src="https://hackmd.io/_uploads/S1x0N2EGOT.png" alt="iot_api_platform-1024x768" width="500" />
</div>
The columns of the Wireshark packet list:
1. No.: the index number of the captured packet.
2. Time: the time at which the packet was captured.
3. Source: the source IP address of the packet, i.e., the host that originally generated it.
4. Destination: the destination IP address to which the packet is going.
5. Protocol: the protocol used for the communication between the source and the destination.
6. Info: a summary of the data payload in the packet.
### Run Wireshark
Here, I will try to run Wireshark on the Ubuntu Linux operating system. The following are the steps:
1. Install Wireshark on Ubuntu by executing the command `sudo apt install wireshark`
<div style="text-align:center; margin-bottom: 50px;">
<img src="https://hackmd.io/_uploads/Hy-27YH_p.png" alt="install wireshark" width="400" />
</div>
2. After successfully installing it, we can open Wireshark by typing the command `wireshark` in the terminal, and the application will launch.
<div style="text-align:center; margin-bottom: 30px;">
<img src="https://hackmd.io/_uploads/HJy84trdT.png" alt="command open wireshark" width="300" />
</div>
<div style="text-align:center; margin-bottom: 50px;">
<img src="https://hackmd.io/_uploads/S1-xvYSup.png" alt="home wireshark" width="500" />
</div>
3. Because we are using a Wi-Fi connection here, the interface named wlx... is selected, indicating that it is the Wi-Fi connection in use. The traffic on that connection will then show up:
<div style="text-align:center; margin-bottom: 50px;">
<img src="https://hackmd.io/_uploads/SyHPdFH_a.png" alt="home wireshark" width="600" />
</div>
Explanation of the top menu:
- File -> Open: Opens a packet capture file for analysis.
- View -> Time Display Format: Changes the timestamp format, switches between absolute and relative timestamps, and adjusts the precision shown in the packet list pane.
- View -> Name Resolution: Allows Wireshark to resolve names from addresses at different protocol layers for improved readability.
- Capture -> Interfaces: Lists the network interfaces available for capture, with the total packet count and the packet rate per interface.
- Capture -> Options: Sets various capture parameters.
- Analyze -> Follow TCP Stream: Applies a filter to follow a single TCP conversation within the trace and displays the reassembled data section of each packet in the conversation.
- Statistics -> Protocol Hierarchy: Presents descriptive statistics per protocol; useful for determining the types, amounts, and relative proportions of protocols within a trace.
- Statistics -> Conversations: Generates descriptive statistics about each conversation for each protocol in the trace.
- Statistics -> Flow Graph: Generates a sequence graph for the selected traffic; useful for understanding seq. and ack calculations.
4. Next, we need to understand the various components of Wireshark from the picture below:
<div style="text-align:center; margin-bottom: 50px;">
<img src="https://hackmd.io/_uploads/B1KxniIOp.png" alt="home wireshark" width="600" />
</div>
Explanation of the **Packet List**:
- The Packet List displays all the packets in the trace in the order they were recorded.
- Columns include:
  - Time: Timestamp of when the packet crossed the interface.
  - Source: The originating host of the packet.
  - Destination: The host to which the packet was sent.
  - Protocol: The highest-level protocol detected by Wireshark.
  - Length: The length in bytes of the packet on the wire.
  - Info: An informational message related to the protocol in the Protocol column.
- Default coloring:
  - Gray: TCP packets
  - Black with red letters: TCP packets with errors
  - Green: HTTP packets
  - Light blue: UDP packets
  - Pale blue: ARP packets
  - Lavender: ICMP packets
  - Black with green letters: ICMP packets with errors

Explanation of the **Packet Details**:
- Detailed information about the currently selected packet is displayed in the Packet Details pane.
- All packet layers are displayed in the tree menu.
- Any portion of any layer can be exported by right-clicking and selecting Export Selected Packet Bytes.

Explanation of the **Packet Bytes**:
- Displays the raw packet bytes.
- The selected packet layer is highlighted.
5. Capture network traffic
Start the capture by clicking the start button next to the preferred interface; the captured network traffic is then shown in the Packet List pane. When enough data has been captured, the next steps are to stop the capture and save the acquired information. To stop the capture, go to the "Capture" menu and select "Stop." This halts the ongoing capture and lets you proceed with the analysis, as in the picture below:
<div style="text-align:center; margin-bottom: 50px;">
<img src="https://hackmd.io/_uploads/Hyf-SqruT.png" alt="home wireshark" width="600" />
</div>
### Analyze Network Traffic Headers
Wireshark presents its output by displaying information from the bottom of the TCP/IP model upwards. Frame information, representing the bottom of the TCP/IP model, is positioned at the top of the Packet Details pane in the lower-left section of the Wireshark screen. Understanding the headers in captured frames is crucial for troubleshooting network issues. By relating these headers to the TCP/IP model, troubleshooters can gain insight into the layers at which problems might occur, which helps to identify the culprit. Here, we will analyze the headers of several protocol layers:
- **Frame content**
The frame section offers Ethernet details, including frame size, capture timestamp, and the specific physical interface where the frame was recorded. Problems may arise if devices struggle with frames exceeding standard size limits. Troubleshooters can use this information to verify the interface through which the data was captured, ensuring that information flows correctly through the designated connection. This insight proves valuable for identifying and resolving issues related to frame size compatibility and confirming the proper routing of information across network interfaces.
<div style="text-align:center; margin-bottom: 50px;">
<img src="https://hackmd.io/_uploads/BJmEy5wOT.png" alt="frame content" width="600" />
</div>
- **Ethernet content**
Moving on to the Ethernet II content, this section includes details like source and destination MAC addresses. The local MAC address serves as either the source or destination address, depending on the frame's direction. The other MAC address corresponds to the next network device in the communication chain. Confirming the accuracy of MAC addresses is crucial for addressing security concerns, such as potential threats like Address Resolution Protocol (ARP) poisoning or spoofing. Troubleshooters can use this information to verify the correct association of MAC addresses, ensuring the security and integrity of the network.
<div style="text-align:center; margin-bottom: 50px;">
<img src="https://hackmd.io/_uploads/Hkody5Dd6.png" alt="ethernet content" width="600" />
</div>
- **IP content**

Proceeding to the IP section, it includes crucial details such as source and destination IP addresses along with port numbers. In the majority of networks, the address structure is IPv4. Additionally, the time-to-live information is present in this section, as well as fragmentation instructions. We can use this information to validate the correctness and conformity of the IP addresses in accordance with established rules.
<div style="text-align:center; margin-bottom: 50px;">
<img src="https://hackmd.io/_uploads/HyFs1qvuT.png" alt="ip content" width="500" />
</div>
- **Transport content**
The transport layer section still provides critical information. It indicates whether TCP or UDP is in use, with TCP employing a three-way handshake for effective data exchange. Additionally, this section displays source and destination ports. When packets originate from the server, the destination port corresponds to the client's dynamically generated port number falling between 1,024 and 65,535. Conversely, when packets originate from a client, the destination port corresponds to the service port number, such as 80 or 443 for HTTP or HTTPS. It is imperative to confirm that both server and client utilize the correct port numbers to ensure seamless communication.
<div style="text-align:center; margin-bottom: 50px;">
<img src="https://hackmd.io/_uploads/rJyxlqv_T.png" alt="transport content" width="500" />
</div>
- **Application content**
At the bottom of the Packet Details pane, representing the top of the TCP/IP model, is the application layer information. Tailored to each service and protocol, this data includes specific details. For example, in HTTP, you may find instructions like GET or webpage contents. Similar details are visible for SMTP, Post Office Protocol 3, Internet Message Access Protocol, SSH, network file sharing, DNS, and others. Since applications are configured for specific ports, there's limited room for misconfiguration.
<div style="text-align:center; margin-bottom: 50px;">
<img src="https://hackmd.io/_uploads/ByPVgqwO6.png" alt="transport content" width="600" />
</div>
### Analyze payload data
Wireshark's Packet Bytes pane, located in the lower or lower-right corner, reveals the payload, which is often the end-user data that concerns security professionals. In the case of unencrypted protocols like HTTP, Telnet, SMTP, and others, the payload lacks confidentiality protection, so the data is visible in this window. A practical illustration is the use of Telnet in tech courses, where the password is openly displayed in this pane. This underscores the importance of encrypted protocols such as HTTPS and SSH, and of IPsec, which encrypts data for protocols that inherently lack built-in encryption.
<div style="text-align:center; margin-bottom: 50px;">
<img src="https://hackmd.io/_uploads/BJmEy5wOT.png" alt="frame content" width="600" />
</div>
## TShark
### What is TShark?
<div style="text-align:center; margin-bottom: 50px;">
<img src="https://hackmd.io/_uploads/HkMb_OGuT.png" alt="iot_api_platform-1024x768" width="400" />
</div>
TShark is a terminal-oriented version of Wireshark designed for capturing and displaying packets when an interactive user interface isn't necessary or available. It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to standard output or writing the packets to a file. TShark's native capture file format is the libpcap format, which is also the format used by tcpdump and various other tools.
Without any options set, TShark works much like tcpdump. It uses the pcap library to capture traffic from the first available network interface and displays a summary line on stdout for each received packet. TShark is able to detect, read and write the same capture files that are supported by Wireshark.
### Run TShark
Here, I will try to run TShark in the terminal on the Ubuntu Linux operating system. The following are the steps:
1. Install TShark on Ubuntu by executing the command `sudo apt install tshark`
Output:
```
root@ubuntu:~# sudo apt install tshark
Reading package lists... Done
Building dependency tree
Reading state information... Done
tshark is already the newest version (4.2.5-1~ubuntu20.04.0~ppa1).
0 upgraded, 0 newly installed, 0 to remove and 48 not upgraded.
```
2. After successfully installing it, we can run TShark by typing the command `sudo tshark -D` in the terminal; tshark then lists the interfaces available for capturing network traffic.
Output:
```
root@ubuntu:~# sudo tshark -D
Running as user "root" and group "root". This could be dangerous.
1. veth07852fed
2. veth34ace0ef
3. docker0
4. cni0
5. veth6e8884d0
6. vethff620e0c
7. vethfa17ece0
8. veth55f4e0b
9. flannel.1
10. veth32ac2c01
11. veth4d71eec3
12. veth243ebd5
13. veth9234b1b7
14. vethaffc8b7
15. veth2d2de8c8
16. veth2995bac8
17. vethba4d51a8
18. veth40f8f13
19. br-a97b6c753e16
20. vethaa86a17
21. ens18
22. veth8dbeba88
23. vethe8d9eb89
24. vethad33a785
25. veth0884f946
26. vetha7bf3451
27. veth9b630789
28. vethd4691953
29. lo (Loopback)
30. any
31. bluetooth-monitor
32. nflog
33. nfqueue
34. ciscodump (Cisco remote capture)
35. dpauxmon (DisplayPort AUX channel monitor capture)
36. randpkt (Random packet generator)
37. sdjournal (systemd Journal Export)
38. sshdump (SSH remote capture)
39. udpdump (UDP Listener remote capture)
40. wifidump (Wi-Fi remote capture)
```
3. In this case we use the interface "ens18", which is the Ethernet interface in the system, so we can use the command `sudo tshark -i ens18` and tshark will capture traffic on this interface. The output below shows the same command run on the `cni0` interface:
```
root@ubuntu:~# sudo tshark -i cni0
Running as user "root" and group "root". This could be dangerous.
Capturing on 'cni0'
1 0.000000000 10.244.0.1 → 10.244.0.174 TCP 74 37866 → 10254 [SYN] Seq=0 Win=64860 Len=0 MSS=1410 SACK_PERM TSval=1123140705 TSecr=0 WS=128
2 0.000013204 10.244.0.1 → 10.244.0.174 TCP 74 56090 → 8100 [SYN] Seq=0 Win=64860 Len=0 MSS=1410 SACK_PERM TSval=1123140705 TSecr=0 WS=128
3 0.000027037 10.244.0.174 → 10.244.0.1 TCP 74 10254 → 37866 [SYN, ACK] Seq=0 Ack=1 Win=64308 Len=0 MSS=1410 SACK_PERM TSval=276597488 TSecr=1123140705 WS=128
4 0.000028295 10.244.0.174 → 10.244.0.1 TCP 74 8100 → 56090 [SYN, ACK] Seq=0 Ack=1 Win=64308 Len=0 MSS=1410 SACK_PERM TSval=276597488 TSecr=1123140705 WS=128
5 0.000039120 10.244.0.1 → 10.244.0.174 TCP 66 37866 → 10254 [ACK] Seq=1 Ack=1 Win=64896 Len=0 TSval=1123140705 TSecr=276597488
6 0.000039707 10.244.0.1 → 10.244.0.174 TCP 66 56090 → 8100 [ACK] Seq=1 Ack=1 Win=64896 Len=0 TSval=1123140705 TSecr=276597488
7 0.000040052 10.244.0.1 → 10.244.0.174 TCP 74 37872 → 10254 [SYN] Seq=0 Win=64860 Len=0 MSS=1410 SACK_PERM TSval=1123140705 TSecr=0 WS=128
8 0.000052119 10.244.0.174 → 10.244.0.1 TCP 74 10254 → 37872 [SYN, ACK] Seq=0 Ack=1 Win=64308 Len=0 MSS=1410 SACK_PERM TSval=276597488 TSecr=1123140705 WS=128
9 0.000063403 10.244.0.1 → 10.244.0.174 TCP 66 37872 → 10254 [ACK] Seq=1 Ack=1 Win=64896 Len=0 TSval=1123140705 TSecr=276597488
10 0.000119709 10.244.0.1 → 10.244.0.174 HTTP 177 GET /readyz HTTP/1.1
11 0.000127709 10.244.0.174 → 10.244.0.1 TCP 66 10254 → 37866 [ACK] Seq=1 Ack=112 Win=64256 Len=0 TSval=276597488 TSecr=1123140705
12 0.000138560 10.244.0.1 → 10.244.0.174 HTTP 182 GET /status/ready HTTP/1.1
13 0.000140349 10.244.0.1 → 10.244.0.174 TCP 74 56102 → 8100 [SYN] Seq=0 Win=64860 Len=0 MSS=1410 SACK_PERM TSval=1123140705 TSecr=0 WS=128
```
The output of the tshark command provides a detailed log of network activity, like Wireshark but in terminal mode. The key components of the output are:
- **Time Information**: Each line begins with the packet number and a timestamp indicating when the corresponding network activity occurred.
- **Source and Destination**: Identifies the source and destination IP addresses or MAC addresses involved in the communication.
- **Protocol Information**: Specifies the protocol used in each packet (e.g., TCP, ARP, DNS).
- **Packet Details**: Displays specific details about each packet, including flags, sequence and acknowledgment numbers, window size, and timestamp values for TCP packets.
- **Raw Packet Bytes**: The raw hexadecimal representation of the packet's bytes is available for in-depth analysis (with the `-x` option); the summary view above does not include it.
- **Network Activities**: The output includes various network activities such as TCP connections, ARP requests and replies, and DNS queries and responses.
- **Capture Interface**: The `Capturing on` line specifies the interface from which the capture is performed (`cni0` in this case).
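As an added example (not part of the original page or of tshark itself), the following Python parses summary lines in the format above, copied from the `cni0` capture, follows each TCP three-way handshake described in the transport layer section, and lists the packets carried over the cleartext protocols (HTTP, Telnet, SMTP) discussed in the payload section:

```python
import re

# A summary line: No. Time Source → Destination Protocol Length Info
LINE_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+→\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<length>\d+)\s+(?P<info>.*)$"
)
# The Info column of a TCP line starts with "sport → dport [FLAGS]"
TCP_INFO_RE = re.compile(r"^(?P<sport>\d+)\s+→\s+(?P<dport>\d+)\s+\[(?P<flags>[^\]]*)\]")

# Protocols whose payload crosses the wire without confidentiality protection
CLEARTEXT_PROTOCOLS = {"HTTP", "TELNET", "SMTP"}

# Constructed sample: the 13 lines of the cni0 capture shown above.
SAMPLE = """\
1 0.000000000 10.244.0.1 → 10.244.0.174 TCP 74 37866 → 10254 [SYN] Seq=0 Win=64860 Len=0 MSS=1410 SACK_PERM TSval=1123140705 TSecr=0 WS=128
2 0.000013204 10.244.0.1 → 10.244.0.174 TCP 74 56090 → 8100 [SYN] Seq=0 Win=64860 Len=0 MSS=1410 SACK_PERM TSval=1123140705 TSecr=0 WS=128
3 0.000027037 10.244.0.174 → 10.244.0.1 TCP 74 10254 → 37866 [SYN, ACK] Seq=0 Ack=1 Win=64308 Len=0 MSS=1410 SACK_PERM TSval=276597488 TSecr=1123140705 WS=128
4 0.000028295 10.244.0.174 → 10.244.0.1 TCP 74 8100 → 56090 [SYN, ACK] Seq=0 Ack=1 Win=64308 Len=0 MSS=1410 SACK_PERM TSval=276597488 TSecr=1123140705 WS=128
5 0.000039120 10.244.0.1 → 10.244.0.174 TCP 66 37866 → 10254 [ACK] Seq=1 Ack=1 Win=64896 Len=0 TSval=1123140705 TSecr=276597488
6 0.000039707 10.244.0.1 → 10.244.0.174 TCP 66 56090 → 8100 [ACK] Seq=1 Ack=1 Win=64896 Len=0 TSval=1123140705 TSecr=276597488
7 0.000040052 10.244.0.1 → 10.244.0.174 TCP 74 37872 → 10254 [SYN] Seq=0 Win=64860 Len=0 MSS=1410 SACK_PERM TSval=1123140705 TSecr=0 WS=128
8 0.000052119 10.244.0.174 → 10.244.0.1 TCP 74 10254 → 37872 [SYN, ACK] Seq=0 Ack=1 Win=64308 Len=0 MSS=1410 SACK_PERM TSval=276597488 TSecr=1123140705 WS=128
9 0.000063403 10.244.0.1 → 10.244.0.174 TCP 66 37872 → 10254 [ACK] Seq=1 Ack=1 Win=64896 Len=0 TSval=1123140705 TSecr=276597488
10 0.000119709 10.244.0.1 → 10.244.0.174 HTTP 177 GET /readyz HTTP/1.1
11 0.000127709 10.244.0.174 → 10.244.0.1 TCP 66 10254 → 37866 [ACK] Seq=1 Ack=112 Win=64256 Len=0 TSval=276597488 TSecr=1123140705
12 0.000138560 10.244.0.1 → 10.244.0.174 HTTP 182 GET /status/ready HTTP/1.1
13 0.000140349 10.244.0.1 → 10.244.0.174 TCP 74 56102 → 8100 [SYN] Seq=0 Win=64860 Len=0 MSS=1410 SACK_PERM TSval=1123140705 TSecr=0 WS=128
"""


def parse_line(line):
    """Split one summary line into its columns; TCP lines also get ports and flags."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["no"], rec["time"], rec["length"] = int(rec["no"]), float(rec["time"]), int(rec["length"])
    rec["sport"] = rec["dport"] = None
    rec["flags"] = ()
    if rec["proto"] == "TCP":
        t = TCP_INFO_RE.match(rec["info"])
        if t:
            rec["sport"], rec["dport"] = int(t["sport"]), int(t["dport"])
            rec["flags"] = tuple(f.strip() for f in t["flags"].split(","))
    return rec


def parse_summary(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def track_handshakes(records):
    """Follow SYN -> SYN,ACK -> ACK per connection key (client, cport, server, sport).
    Returns (established, incomplete); a SYN that never completes is the trace a
    half-open scan or a SYN flood leaves behind, so the second list is worth alerting on."""
    state = {}
    for r in records:
        if r["proto"] != "TCP" or r["sport"] is None:
            continue
        flags = set(r["flags"])
        if flags == {"SYN"}:
            state[(r["src"], r["sport"], r["dst"], r["dport"])] = "SYN_SENT"
        elif flags == {"SYN", "ACK"}:
            key = (r["dst"], r["dport"], r["src"], r["sport"])   # reply: swap the two ends
            if state.get(key) == "SYN_SENT":
                state[key] = "SYN_RECEIVED"
        elif flags == {"ACK"}:
            key = (r["src"], r["sport"], r["dst"], r["dport"])
            if state.get(key) == "SYN_RECEIVED":
                state[key] = "ESTABLISHED"
    established = [k for k, s in state.items() if s == "ESTABLISHED"]
    incomplete = [k for k, s in state.items() if s != "ESTABLISHED"]
    return established, incomplete


def cleartext_requests(records):
    """Packets whose Protocol column names a cleartext protocol: the lines whose
    payload the Packet Bytes pane would show in the clear."""
    return [(r["no"], r["src"], r["dst"], r["proto"], r["info"])
            for r in records if r["proto"] in CLEARTEXT_PROTOCOLS]


if __name__ == "__main__":
    recs = parse_summary(SAMPLE)
    est, inc = track_handshakes(recs)
    print("established:", est)
    print("incomplete:", inc)
    for no, src, dst, proto, info in cleartext_requests(recs):
        print("cleartext #%d %s -> %s %s: %s" % (no, src, dst, proto, info))
```

Run against the 13 lines, it reports three established connections, one SYN (packet 13) still unanswered when the capture ended, and the two HTTP requests.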
4. Use options in tshark
TShark has many options we can use to analyze captured packets. We can list the options with the command `tshark --help`, which shows all options in tshark together with their functions. Below are popular options we can use in tshark:
- -c (count): Specifies the number of packets to capture or display. Example: `tshark -c 10` captures or displays the first 10 packets.
- -D: Lists the available interfaces for capturing traffic. Example: `tshark -D` provides a list of available network interfaces.
- -V: Enables verbose output, providing more detailed information about each packet. Example: `tshark -V` displays packet details with additional verbose information.
- -i (interface): Specifies the network interface for packet capture. Example: `tshark -i ens33` captures packets on the "ens33" interface.
- -r (file): Reads packets from a specified file instead of capturing live traffic. Example: `tshark -r capturefile.pcap` analyzes packets from the file "capturefile.pcap".
- -w (file): Writes captured packets to a specified file. Example: `tshark -w outputfile.pcap` saves captured packets to the file "outputfile.pcap".
- -f (capture filter): Applies a capture filter during packet capture. Example: `tshark -f "tcp port 80"` captures only TCP traffic on port 80.

In TShark, options can be combined to achieve specific goals, allowing users to tailor their packet capture and analysis to their requirements. For instance, in the example command `sudo tshark -i cni0 -c 1 -V`, multiple options are used together. The -i option specifies the network interface for capturing packets, the -c option limits the capture to a specific number of packets (here, just 1 packet), and the -V option enables verbose output, providing detailed information about the captured packet. By combining these options, the user captures a single packet on the specified interface, with detailed verbose information displayed for thorough analysis.
```
root@ubuntu:~# sudo tshark -i cni0 -c 1 -V
Running as user "root" and group "root". This could be dangerous.
Capturing on 'cni0'
Frame 1: 188 bytes on wire (1504 bits), 188 bytes captured (1504 bits) on interface cni0, id 0
Section number: 1
Interface id: 0 (cni0)
Interface name: cni0
Encapsulation type: Ethernet (1)
Arrival Time: Jul 2, 2024 02:44:33.377617019 UTC
UTC Arrival Time: Jul 2, 2024 02:44:33.377617019 UTC
Epoch Arrival Time: 1719888273.377617019
[Time shift for this packet: 0.000000000 seconds]
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 188 bytes (1504 bits)
Capture Length: 188 bytes (1504 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp:tls]
Ethernet II, Src: 5a:03:83:b5:84:1b (5a:03:83:b5:84:1b), Dst: 0e:7d:14:c3:05:93 (0e:7d:14:c3:05:93)
Destination: 0e:7d:14:c3:05:93 (0e:7d:14:c3:05:93)
Address: 0e:7d:14:c3:05:93 (0e:7d:14:c3:05:93)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: 5a:03:83:b5:84:1b (5a:03:83:b5:84:1b)
Address: 5a:03:83:b5:84:1b (5a:03:83:b5:84:1b)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.96.0.1, Dst: 10.244.0.174
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 174
Identification: 0x6d53 (27987)
010. .... = Flags: 0x2, Don't fragment
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
...0 0000 0000 0000 = Fragment Offset: 0
Time to Live: 64
Protocol: TCP (6)
Header Checksum: 0xb6f4 [validation disabled]
[Header checksum status: Unverified]
Source Address: 10.96.0.1
Destination Address: 10.244.0.174
Transmission Control Protocol, Src Port: 443, Dst Port: 50780, Seq: 1, Ack: 1, Len: 122
Source Port: 443
Destination Port: 50780
[Stream index: 0]
[Conversation completeness: Incomplete (0)]
..0. .... = RST: Absent
...0 .... = FIN: Absent
.... 0... = Data: Absent
.... .0.. = ACK: Absent
.... ..0. = SYN-ACK: Absent
.... ...0 = SYN: Absent
[Completeness Flags: [ Null ]]
[TCP Segment Len: 122]
Sequence Number: 1 (relative sequence number)
Sequence Number (raw): 674182411
[Next Sequence Number: 123 (relative sequence number)]
Acknowledgment Number: 1 (relative ack number)
Acknowledgment number (raw): 3589127474
1000 .... = Header Length: 32 bytes (8)
Flags: 0x018 (PSH, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Accurate ECN: Not set
.... 0... .... = Congestion Window Reduced: Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 1... = Push: Set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: ·······AP···]
Window: 9703
[Calculated window size: 9703]
[Window size scaling factor: -1 (unknown)]
Checksum: 0x16a3 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
TCP Option - No-Operation (NOP)
Kind: No-Operation (1)
TCP Option - No-Operation (NOP)
Kind: No-Operation (1)
TCP Option - Timestamps: TSval 2594897976, TSecr 3862320276
Kind: Time Stamp Option (8)
Length: 10
Timestamp value: 2594897976
Timestamp echo reply: 3862320276
[Timestamps]
[Time since first frame in this TCP stream: 0.000000000 seconds]
[Time since previous frame in this TCP stream: 0.000000000 seconds]
[SEQ/ACK analysis]
[Bytes in flight: 122]
[Bytes sent since last PSH flag: 122]
TCP payload (122 bytes)
Transport Layer Security
TLSv1.2 Record Layer: Application Data Protocol: Hypertext Transfer Protocol
Content Type: Application Data (23)
Version: TLS 1.2 (0x0303)
Length: 117
Encrypted Application Data [truncated]: 757ffda41f22122a75e48f25628db2614b896100322d9bb4e7df9b142544ee3155a56dccb4796f822a7f01bc47be7d2d5c0159533109b184bceb1b44db12af0c7e3772b4b2c20a993489db1a47f03076b793ea0dc188a0720dec11d265cd3e82e97eec0
[Application Data Protocol: Hypertext Transfer Protocol]
1 packet captured
```
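As an added example (not from the page or from Wireshark's own code), this Python rebuilds the Ethernet, IPv4 and TCP headers from the values in the `-V` output above, decodes them layer by layer the way the Packet Details pane does, and recomputes the IPv4 header checksum that tshark reports as unverified; the 122-byte TLS payload is omitted, which is why the decoded payload is empty.

```python
import struct
from ipaddress import IPv4Address

# Frame reconstructed from the header values tshark printed above; the
# 122-byte TLS payload is omitted, so only the three headers are present.
ETHERNET = bytes.fromhex("0e7d14c30593" "5a0383b5841b") + struct.pack("!H", 0x0800)  # dst, src, IPv4
IPV4 = struct.pack(
    "!BBHHHBBH4s4s",
    0x45, 0x00, 174, 0x6D53, 0x4000,           # ver/IHL, DSCP/ECN, total length, id, DF flag
    64, 6, 0xB6F4,                              # TTL, protocol TCP, checksum as reported
    IPv4Address("10.96.0.1").packed, IPv4Address("10.244.0.174").packed,
)
TCP_OPTIONS = b"\x01\x01" + struct.pack("!BBII", 8, 10, 2594897976, 3862320276)  # NOP, NOP, TS
TCP = struct.pack(
    "!HHIIBBHHH",
    443, 50780, 674182411, 3589127474,          # ports, raw seq, raw ack
    8 << 4, 0x018, 9703, 0x16A3, 0,             # data offset 8 words, PSH|ACK, window, csum, urg
) + TCP_OPTIONS
FRAME = ETHERNET + IPV4 + TCP

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]  # bit 0 .. bit 7


def ip_checksum(header):
    """RFC 1071 one's-complement sum over 16-bit words, skipping the checksum field."""
    words = struct.unpack("!%dH" % (len(header) // 2), header)
    total = sum(words) - words[5]               # word 5 is the checksum field itself
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ethernet(frame):
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    fmt = lambda b: ":".join("%02x" % x for x in b)
    return {
        "dst": fmt(dst), "src": fmt(src), "type": ethertype,
        # The two address bits tshark labels "LG bit" and "IG bit"
        "dst_locally_administered": bool(dst[0] & 0x02),
        "dst_multicast": bool(dst[0] & 0x01),
    }, frame[14:]


def parse_ipv4(data):
    vihl, tos, total, ident, frag, ttl, proto, csum, src, dst = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (vihl & 0x0F) * 4
    return {
        "version": vihl >> 4, "header_len": ihl, "total_length": total, "id": ident,
        "dont_fragment": bool(frag & 0x4000), "more_fragments": bool(frag & 0x2000),
        "fragment_offset": frag & 0x1FFF, "ttl": ttl, "protocol": proto,
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "checksum": csum,
        # tshark leaves this "unverified" by default; recompute it here
        "checksum_ok": ip_checksum(data[:ihl]) == csum,
    }, data[ihl:]


def parse_tcp_options(raw):
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                           # End of Option List
            break
        if kind == 1:                           # No-Operation, single byte
            opts.append(("NOP",))
            i += 1
            continue
        length = raw[i + 1] if i + 1 < len(raw) else 0
        if length < 2:                          # malformed option: stop rather than loop forever
            break
        body = raw[i + 2:i + length]
        if kind == 8 and length == 10:
            opts.append(("Timestamps",) + struct.unpack("!II", body))
        else:
            opts.append(("kind%d" % kind, body.hex()))
        i += length
    return opts


def parse_tcp(data):
    sport, dport, seq, ack, off, flags, win, csum, urg = struct.unpack("!HHIIBBHHH", data[:20])
    doff = (off >> 4) * 4
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "header_len": doff,
        "flags": flags, "flag_names": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
        "window": win, "checksum": csum, "urgent": urg,
        "options": parse_tcp_options(data[20:doff]),
    }, data[doff:]


def decode_frame(frame):
    """Walk the layers bottom-up, in the order the Packet Details pane lists them."""
    eth, rest = parse_ethernet(frame)
    ip, rest = parse_ipv4(rest)
    tcp, payload = parse_tcp(rest)
    return eth, ip, tcp, payload
```

The recomputed IPv4 checksum comes out as 0xb6f4, matching the value tshark printed, so the header was not corrupted in transit even though tshark itself did not check it.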
The next command, `sudo tshark -i 1 -Y http -O http`, runs TShark with administrative privileges on network interface number 1, the first entry in the `tshark -D` list above (`veth07852fed`). The -Y http option filters the display to only packets associated with the HTTP protocol, while the -O http option expands the full decode only for the HTTP layer, allowing detailed inspection of the HTTP headers and message content. Consequently, this command provides a comprehensive view of the HTTP traffic on interface 1, serving purposes such as troubleshooting, monitoring, or network security.
```
root@ubuntu:~# sudo tshark -i 1 -Y http -O http
Running as user "root" and group "root". This could be dangerous.
Capturing on 'veth07852fed'
Frame 10: 312 bytes on wire (2496 bits), 312 bytes captured (2496 bits) on interface veth07852fed, id 0
Ethernet II, Src: da:b8:7f:6a:d0:dc (da:b8:7f:6a:d0:dc), Dst: 62:97:4e:0a:8f:5f (62:97:4e:0a:8f:5f)
Internet Protocol Version 4, Src: 10.244.0.172, Dst: 10.244.0.180
Transmission Control Protocol, Src Port: 56780, Dst Port: 8088, Seq: 1, Ack: 1, Len: 246
Hypertext Transfer Protocol
GET /metrics HTTP/1.1\r\n
[Expert Info (Chat/Sequence): GET /metrics HTTP/1.1\r\n]
[GET /metrics HTTP/1.1\r\n]
[Severity level: Chat]
[Group: Sequence]
Request Method: GET
Request URI: /metrics
Request Version: HTTP/1.1
Host: 10.244.0.180:8088\r\n
User-Agent: Prometheus/2.18.1\r\n
Accept: application/openmetrics-text; version=0.0.1,text/plain;version=0.0.4;q=0.5,*/*;q=0.1\r\n
Accept-Encoding: gzip\r\n
X-Prometheus-Scrape-Timeout-Seconds: 10.000000\r\n
\r\n
[Full request URI: http://10.244.0.180:8088/metrics]
[HTTP request 1/1]
```
The output above shows a captured network packet, specifically an HTTP request, and its unencrypted headers. Here is a breakdown of the details:
- **Ethernet II Header**: Specifies the source and destination MAC addresses, facilitating communication between devices on the link.
- **IPv4 Header**: Identifies the source (10.244.0.172) and destination (10.244.0.180) IP addresses.
- **TCP Header**: Specifies the source port (56780) and destination port (8088) of the Transmission Control Protocol (TCP) connection. It also indicates the sequence number, acknowledgment number, and data length.
- **HTTP Header**: Captures the details of the HTTP request, which is a GET request for "/metrics" over HTTP/1.1. It includes the host, the user-agent (Prometheus/2.18.1), the accepted content types, and the accepted encoding.
This information is readable because HTTP is a plaintext protocol, making its headers and content easily viewable. The request is sent to the host "10.244.0.180:8088" for the resource "/metrics", and the headers include details about the user-agent and encoding preferences. We can also save the capture to a file, so that if we close the program the capture is still stored in the file and can be opened whenever needed. Here is an example for this case:
```
root@ubuntu:~# touch capture.pcap
root@ubuntu:~# chmod 777 capture.pcap
root@ubuntu:~# sudo tshark -i cni0 -w capture.pcap
Running as user "root" and group "root". This could be dangerous.
Capturing on 'cni0'
474 ^C
```
The sequence of commands above is executed in a Linux terminal to capture network packets to a file. First, `touch capture.pcap` ensures that an empty file named "capture.pcap" exists (or updates its timestamps if it already exists). Then `chmod 777 capture.pcap` modifies the file permissions, granting full access to the file for all users, including the owner, group, and others; since a capture file can contain sensitive payload data, a narrower mode is preferable on a shared host. The command `sudo tshark -i cni0 -w capture.pcap` runs the tshark network protocol analyzer with superuser privileges to capture network packets on the network interface "cni0" and write the captured data to the "capture.pcap" file; here the capture was stopped with Ctrl+C after 474 packets. We can then open the file to view the captured traffic:
```
root@ubuntu:~# tshark -r capture.pcap
Running as user "root" and group "root". This could be dangerous.
1 0.000000000 10.244.0.1 → 10.244.0.186 TCP 74 52068 → 16686 [SYN] Seq=0 Win=64860 Len=0 MSS=1410 SACK_PERM TSval=3712964296 TSecr=0 WS=128
2 0.000000130 10.244.0.1 → 10.244.0.186 TCP 74 52066 → 16686 [SYN] Seq=0 Win=64860 Len=0 MSS=1410 SACK_PERM TSval=3712964296 TSecr=0 WS=128
3 0.000023861 10.244.0.186 → 10.244.0.1 TCP 74 16686 → 52066 [SYN, ACK] Seq=0 Ack=1 Win=64308 Len=0 MSS=1410 SACK_PERM TSval=1676448063 TSecr=3712964296 WS=128
4 0.000023911 10.244.0.186 → 10.244.0.1 TCP 74 16686 → 52068 [SYN, ACK] Seq=0 Ack=1 Win=64308 Len=0 MSS=1410 SACK_PERM TSval=1676448063 TSecr=3712964296 WS=128
5 0.000040934 10.244.0.1 → 10.244.0.186 TCP 66 52068 → 16686 [ACK] Seq=1 Ack=1 Win=64896 Len=0 TSval=3712964296 TSecr=1676448063
6 0.000041079 10.244.0.1 → 10.244.0.186 TCP 66 52066 → 16686 [ACK] Seq=1 Ack=1 Win=64896 Len=0 TSval=3712964296 TSecr=1676448063
7 0.000154534 10.244.0.1 → 10.244.0.186 HTTP 171 GET / HTTP/1.1
8 0.000166614 10.244.0.186 → 10.244.0.1 TCP 66 16686 → 52068 [ACK] Seq=1 Ack=106 Win=64256 Len=0 TSval=1676448063 TSecr=3712964296
```
### Run TShark to Record Traffic on the VM OAI-FlexRIC-Free5GC
#### Capture packets from Free5GC
Command:
```
ubuntu@ubuntu:~$ sudo tshark -i ens18
```
Output:
```
ubuntu@ubuntu:~$ sudo tshark -i ens18
Running as user "root" and group "root". This could be dangerous.
Capturing on 'ens18'
1 0.000000000 192.168.0.235 → 192.168.0.37 TCP 60 62632 → 22 [ACK] Seq=1 Ack=1 Win=508 Len=0
2 0.629177336 192.168.0.37 → 192.168.0.235 SSH 194 Server: Encrypted packet (len=140)
3 0.718392817 192.168.0.235 → 192.168.0.37 TCP 60 62632 → 22 [ACK] Seq=1 Ack=141 Win=507 Len=0
4 1.146539794 192.168.0.37 → 192.168.0.235 SSH 290 Server: Encrypted packet (len=236)
5 1.217582191 192.168.0.235 → 192.168.0.37 TCP 60 62632 → 22 [ACK] Seq=1 Ack=377 Win=513 Len=0
6 1.658516739 192.168.0.37 → 192.168.0.235 SSH 290 Server: Encrypted packet (len=236)
7 1.733695608 192.168.0.235 → 192.168.0.37 TCP 60 62632 → 22 [ACK] Seq=1 Ack=613 Win=512 Len=0
8 1.817590278 Cisco_5f:a7:03 → Spanning-tree-(for-bridges)_00 STP 60 Conf. Root = 32768/1/00:1d:e6:5f:a7:00 Cost = 0 Port = 0x8003
9 2.170534860 192.168.0.37 → 192.168.0.235 SSH 290 Server: Encrypted packet (len=236)
10 2.170720279 192.168.0.37 → 192.168.0.235 SSH 234 Server: Encrypted packet (len=180)
11 2.192650299 192.168.0.235 → 192.168.0.37 TCP 60 62632 → 22 [ACK] Seq=1 Ack=1029 Win=510 Len=0
12 2.194144050 192.168.0.235 → 239.255.255.250 SSDP 217 M-SEARCH * HTTP/1.1
13 2.682682226 192.168.0.37 → 192.168.0.235 SSH 386 Server: Encrypted packet (len=332)
.
.
.
:5f:a7:00 Cost = 0 Port = 0x8003
56 7.785593533 192.168.0.230 → 239.255.255.250 SSDP 217 M-SEARCH * HTTP/1.1
57 7.901975698 192.168.0.37 → 192.168.0.235 SSH 362 Server: Encrypted packet (len=308)
58 7.902059372 192.168.0.37 → 192.168.0.235 SSH 382 Server: Encrypted packet (len=328)
59 7.910764006 192.168.0.235 → 192.168.0.37 TCP 60 50270 → 22 [ACK] Seq=37 Ack=6741 Win=4100 Len=0
60 8.279064973 192.168.0.37 → 192.168.0.32 SCTP 98 HEARTBEAT
61 8.279382481 192.168.0.32 → 192.168.0.37 SCTP 98 HEARTBEAT_ACK
62 8.344601257 192.168.0.229 → 239.255.255.250 SSDP 210 M-SEARCH * HTTP/1.1
63 8.414065576 192.168.0.37 → 192.168.0.235 SSH 178 Server: Encrypted packet (len=124)
64 8.414167290 192.168.0.37 → 192.168.0.235 SSH 186 Server: Encrypted packet (len=132)
65 8.414260015 192.168.0.37 → 192.168.0.235 SSH 186 Server: Encrypted packet (len=132)
```
## Conclusion: Wireshark and TShark
In conclusion, both Wireshark and TShark stand out as robust network protocol analyzers, offering valuable capabilities for capturing, inspecting, and understanding network packets. These tools enable users to identify various headers, such as those from Ethernet, IP, TCP, UDP, and application layers, facilitating detailed analysis for troubleshooting, monitoring, and enhancing network security.
It's important to emphasize that Wireshark and TShark operate as passive observers, designed solely for the analysis and observation of network traffic. They do not possess the functionality to actively modify or change the headers of network packets in real time. For scenarios requiring active packet manipulation, applications such as Scapy, Ettercap, or Nemesis can be considered. These tools provide a more hands-on approach to network packet crafting and modification. However, users should exercise caution and ensure the ethical use of such applications, as improper use could lead to network disruptions or security vulnerabilities.