Wireshark is an open-source packet analyser used for network analysis.
It can capture, dissect, and decode various protocols.
In this tutorial we will discuss couple of problematic scenarios and how to use wireshark command line tools to analyse the packet.
Scenario 1: Using non-standard Port with tshark for Analysis
Wireshark can dissect and decode the specific protocols (contained in the payload message) based on the port number assigned for that protocol, which is saved in its preferences file.
Suppose tshark is dissecting ldap packet, and the default port number for ldap server is 389. If a message has port number 389 either in source port or destination port, tshark would understand that it is a ldap message and will decode it properly.
But if ldap is configured on some other port number, we need to explicitly specify the port number to the tool. We can do it using one of the following two methods:
Hardcode Port Number in Preference File
The first method is to list all the other port number that you like to configure in the wireshark preference file.
Wireshark preference file is ~/.wireshark/preferences.
The following is the ldap section of the preferences file ~/.wireshark/preferences:
If your LDAP Server is configured on port number 400, just append the port number to the existing value as shown below:
# Set the port for LDAP operations ldap.tcp.port: 389,400 # Set the port for LDAP operations over SSL ldap.ssl.port: 636,400 # Set the TCP port for messages (if other than the default of 646) ldp.tcp.port: 646,400 # Set the UDP port for messages (if other than the default of 646) ldp.udp.port: 646,400
Use tshark Command Line -o Option
Specify port information using -o option. The format should be exactly in the same way how it is listed in the preference file as shown in the example.
# tshark -r ../temp.pcap -o ldap.tcp.port:389
Let us use the diameter protocol as an example. If you don’t provide the port information to tshark, it won’t dissect the payload part, as the port no is not present in preferences file.
# tshark -r ../temp.pcap Data (204 bytes) 0000 01 00 00 cc 00 00 01 2e 01 00 00 00 86 26 73 df .............&s. 0010 dc 67 4a 66 00 00 01 07 40 00 00 2c 61 61 61 3a .gJf....@..,aaa: 0020 2f 2f 31 30 2e 34 39 2e 31 31 2e 31 35 30 3a 34 //10.49.11.150:4 0030 38 37 38 3b 31 33 36 38 37 37 39 35 37 30 3b 32 878;1368779570;2 0040 00 00 01 08 40 00 00 22 68 73 73 2d 32 2e 68 73 ....@.."bss-2.bs 0050 73 62 6c 61 64 65 2e 72 61 6e 63 6f 72 65 2e 63 damadd.anduore.c 0060 6f 6d 00 00 00 00 01 28 40 00 00 1c 68 73 73 62 od.....(@...badb 0070 6c 61 64 65 2e 72 61 6e 63 6f 72 65 2e 63 6f 6d pale.ramcoe.com 0080 00 00 01 29 40 00 00 20 00 00 01 0a 40 00 00 0c ...)@.. ....@... 0090 00 00 28 af 00 00 01 2a 40 00 00 0c 00 00 13 89 ..(....*@....... 00a0 00 00 01 15 40 00 00 0c 00 00 00 01 00 00 01 04 ....@........... 00b0 40 00 00 20 00 00 01 02 40 00 00 0c 01 00 00 00 @.. ....@....... 00c0 00 00 01 0a 40 00 00 0c 00 00 28 af ....@.....(. Data: 010000cc0000012e01000000862673dfdc674a6600000107... [Length: 204]
When you use the -R option , it won’t even print a single character.
# tshark -r ../temp.pcap -V -R diameter Running as user "root" and group "root". This could be dangerous.
When you provide the port number information for diameter as shown below, tshark command will work as expected and display appropriate information.
# tshark -r ../temp.pcap -odiameter.tcp.ports:3868 -R diameter Running as user "root" and group "root". This could be dangerous. 1 0.000000 192.168.129.11 -> 192.168.129.68 DIAMETER cmd=Location-InfoRequest(302) flags=R--- appl=3GPP Cx(16777216) h2h=862673df e2e=dc674a66 2 0.002474 192.168.129.68 -> 192.168.129.11 DIAMETER cmd=Location-InfoAnswer(302) flags=---- appl=3GPP Cx(16777216) h2h=862673df e2e=dc674a66
Scenario 2: Analyze using only Byte Buffer of Packet
If you don’t have a pcap file, and only have the byte buffer of packet, use this method.
Suppose in the log file of your development server you found bytearray of the packet, and you want to analyse that using tshark.
First convert the byte array into hex format, a simple printf(%2X) will do that.
3c d9 2b 09 fb 24 00 26 b9 8c 89 a6 08 00 45 00 01 20 d6 cb 40 00 40 06 08 9c ac 10 81 0b ac 10 81 44 c4 96 0f 1c 0a 46 92 fc 64 6e 47 7b 80 18 00 36 32 36 00 00 01 01 08 0a 32 02 45 fa 04 e0 ba f4 01 00 00 ec 80 00 01 2e 01 00 00 00 86 26 73 de dc 67 4a 65 00 00 01 07 40 00 00 2c 61 61 61 3a 2f 2f 31 30 2e 34 39 2e 31 31 2e 31 35 30
Now you want to filter out the information from the above output. First thing you need to do is set offsets for this byte array and append this in every line, you can write a code to automate this.
0000 3c d9 2b 09 fb 24 00 26 b9 8c 89 a6 08 00 45 00 0010 01 20 d6 cb 40 00 40 06 08 9c ac 10 81 0b ac 10 0020 81 44 c4 96 0f 1c 0a 46 92 fc 64 6e 47 7b 80 18 0030 00 36 32 36 00 00 01 01 08 0a 32 02 45 fa 04 e0 0040 ba f4 01 00 00 ec 80 00 01 2e 01 00 00 00 86 26 0050 73 de dc 67 4a 65 00 00 01 07 40 00 00 2c 61 61 0060 61 3a 2f 2f 31 30 2e 34 39 2e 31 31 2e 31 35 30
Use the text2pcap and convert this to a pcap file:
$ text2pcap a.txt a.pcap Input from: a.txt Output to: a.pcap Wrote packet of 302 bytes at 0 Read 1 potential packet, wrote 1 packet
Use tshark on this pcap file:
$ tshark -r a.pcap 1 0.000000 172.16.129.11 -> 172.16.129.68 DIAMETER 302 cmd=Location-InfoRequest(302) flags=R--- appl=3GPP Cx(16777216) h2h=862673de e2e=dc674a65
As you see in the output below, we just decoded the bytearray to something meaningful.
$ tshark -r a.pcap -V | grep AVP AVP: Session-Id(263) l=44 f=-M- val=aaa://10.20.11.140:4878;1368779570;1 AVP: Destination-Realm(283) l=28 f=-M- val=pal.core AVP: Destination-Host(293) l=21 f=-M- val=192.11.121.35 AVP: Origin-Host(264) l=20 f=-M- val=10.20.11.140 AVP: Origin-Realm(296) l=19 f=-M- val=ffix
Comments on this entry are closed.
Hi,
Thanks for useful article
wow