For The Love of Network Protocols and The Command Line

If there’s one thing that a Cybersecurity student should learn, it’s network protocols … IP, TCP, HTTP, SMTP, Telnet, DNS, and so on. The ability to understand the key elements of a network connection must be at the core of their education. In many cases, we thus want to be able to detect something coming in or leaving our network, and possibly log or block it. We also need to search for things. For this, we often are trying to find the needle in the haystack, and then determine timelines of activity.

Many people turn to Wireshark for the detail of a connection, but the captured files may be gigabytes in size, so there is often a better solution: Tshark. With Tshark we can load a PCAP file at any time and run the same display filters from the command line that we would use within the GUI.

So, let’s say we would like to search for the byte sequence 89:50:4E:47 (the start of the PNG file signature, written in Wireshark’s colon-separated byte notation) in the traffic:

C:\>"c:\Program Files\Wireshark\tshark" -Y "http contains 89:50:4E:47" -r with_png.pcap

Or we might be searching for all the PNG files in a trace:

"c:\program files\wireshark\tshark.exe" -Y "http contains 89:50:4E:47" -r with_png.pcap

109 19.292671 176.255.203.40 → 192.168.47.171 HTTP 312 HTTP/1.1 200 OK (PNG)

Or, finding a credit card sent in an email message:

"c:\program files\wireshark\tshark.exe" -Y "smtp matches \"4\\d{3}(\\s|-)?\\d{4}(\\s|-)?\\d{4}(\\s|-)?\\d{4}\"" -r email_cc2.pcap

15 0.006826 192.168.47.171 → 192.168.47.134 SMTP 1514 C: DATA fragment, 1460 bytes

Or, identifying failed FTP logins (the server returns a 530 response code for each one):

"c:\program files\wireshark\tshark.exe" -Y "ftp contains \"530 User\"" -r hydra_ftp.pcap

108 0.249901 192.168.75.132 → 192.168.75.1 FTP 96 Response: 530 User test cannot log in.
109 0.253149 192.168.75.132 → 192.168.75.1 FTP 96 Response: 530 User test cannot log in.
110 0.254313 192.168.75.132 → 192.168.75.1 FTP 97 Response: 530 User admin cannot log in.
111 0.262104 192.168.75.132 → 192.168.75.1 FTP 97 Response: 530 User admin cannot log in.
112 0.263001 192.168.75.132 → 192.168.75.1 FTP 97 Response: 530 User admin cannot log in.
113 0.263725 192.168.75.132 → 192.168.75.1 FTP 96 Response: 530 User test cannot log in.
114 0.264400 192.168.75.132 → 192.168.75.1 FTP 97 Response: 530 User test1 cannot log in.
115 0.265129 192.168.75.132 → 192.168.75.1 FTP 97 Response: 530 User admin cannot log in.
148 0.370754 192.168.75.132 → 192.168.75.1 FTP 96 Response: 530 User test cannot log in.
149 0.376095 192.168.75.132 → 192.168.75.1 FTP 96 Response: 530 User test cannot log in.
150 0.376929 192.168.75.132 → 192.168.75.1 FTP 97 Response: 530 User test1 cannot log in.
151 0.377657 192.168.75.132 → 192.168.75.1 FTP 96 Response: 530 User test cannot log in.
152 0.378313 192.168.75.132 → 192.168.75.1 FTP 97 Response: 530 User admin cannot log in.
153 0.379611 192.168.75.132 → 192.168.75.1 FTP 97 Response: 530 User admin cannot log in.
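Output like the above is where the timeline question comes in: a handful of 530 responses is normal, dozens within a second against the same client is a password-guessing tool. The following is an added example (not part of the original post) that parses the tshark one-line-summary format shown above and flags client/server pairs whose 530 rate exceeds a threshold; the sample lines and the threshold are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format tshark prints for -Y "ftp contains \"530 User\""
# (frame, time, src -> dst, protocol, length, info). The server is the source of a response.
SAMPLE = """\
108 0.249901 192.168.75.132 → 192.168.75.1 FTP 96 Response: 530 User test cannot log in.
109 0.253149 192.168.75.132 → 192.168.75.1 FTP 96 Response: 530 User test cannot log in.
110 0.254313 192.168.75.132 → 192.168.75.1 FTP 97 Response: 530 User admin cannot log in.
114 0.264400 192.168.75.132 → 192.168.75.1 FTP 97 Response: 530 User test1 cannot log in.
148 0.370754 192.168.75.132 → 192.168.75.1 FTP 96 Response: 530 User test cannot log in.
"""

# Accept both the UTF-8 arrow tshark prints and the ASCII "->" some locales use.
LINE_RE = re.compile(
    r"^(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?:→|->)\s+(?P<dst>\S+)\s+FTP\s+\d+\s+"
    r"Response: 530 User (?P<user>\S+) cannot log in\.$"
)

def parse_failures(text):
    """Return (time, server, client, user) for every 530 line; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((float(m["time"]), m["src"], m["dst"], m["user"]))
    return out

def brute_force_report(failures, window=1.0, threshold=3):
    """Per (server, client) pair: total 530s, usernames tried, peak 530s inside any
    sliding window of `window` seconds, and whether that peak reaches `threshold`."""
    by_pair = defaultdict(list)
    for t, srv, cli, user in failures:
        by_pair[(srv, cli)].append((t, user))
    report = {}
    for pair, events in by_pair.items():
        events.sort()
        times = [t for t, _ in events]
        peak, start = 0, 0
        for end in range(len(times)):          # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        report[pair] = {
            "failures": len(events),
            "users": Counter(u for _, u in events),
            "peak_per_window": peak,
            "first": times[0], "last": times[-1],
            "suspicious": peak >= threshold,
        }
    return report
```

Feed it real output with `tshark -Y "ftp contains \"530 User\"" -r hydra_ftp.pcap | python3 script.py`-style piping, or point it at the saved text; the usernames counter shows at a glance whether one account or a wordlist is being tried.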

So, I’ve created a little Wireshark analyser to illustrate the methods:

  • PNG Filter: http contains "\x89\x50\x4E\x47". Trace with a PNG and PNG filter.
  • PDF Filter: http contains "%PDF". Trace with a PDF and PDF filter.
  • GIF Filter: http contains "GIF89a". Trace with a GIF and GIF filter.
  • ZIP Filter: http contains "\x50\x4B\x03\x04". Trace with a ZIP and ZIP filter.
  • JPEG Filter: http contains "\xff\xd8". Trace with a JPEG and JPEG filter.
  • MP3 Filter: http contains "\x49\x44\x33". Trace with an MP3 and MP3 filter.
  • RAR Filter: http contains "\x52\x61\x72\x21\x1A\x07\x00". Trace with a RAR and RAR filter.
  • AVI Filter: http contains "\x52\x49\x46\x46". Trace with an AVI and AVI filter.
  • SWF Filter: http contains "\x46\x57\x53". Trace with a SWF and SWF filter.
  • GZip Filter: http contains "\x1F\x8B\x08". Trace with a GZIP and GZIP filter.
  • Email address Filter: smtp matches "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9._%+-]+". Trace with an email and email regex filter.
  • IP address Filter: http matches "[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}". Trace with HTTP traffic and IP address regex filter.
  • Credit card details (Mastercard) Filter: smtp matches "5\\d{3}(\\s|-)?\\d{4}(\\s|-)?\\d{4}(\\s|-)?\\d{4}". Trace with an email and Mastercard regex filter.
  • Credit card details (Visa) Filter: smtp matches "4\\d{3}(\\s|-)?\\d{4}(\\s|-)?\\d{4}(\\s|-)?\\d{4}". Trace with an email and Visa regex filter.
  • Credit card details (Am Ex) Filter: smtp matches "3\\d{3}(\\s|-)?\\d{6}(\\s|-)?\\d{5}". Trace with an email and Am Ex regex filter.
  • Domain name Filter: http matches "[a-zA-Z0-9\\-\\.]+\\.(com|org|net|mil|edu|COM|ORG|NET|MIL|EDU|UK)". Trace with HTTP traffic and domain name regex filter.
  • FTP User/Password Crack Filter: ftp contains "530 User". Trace with FTP Hydra and 530 filter.
  • FTP Login Filter: tcp.port==21 && tcp.flags.syn==1 && tcp.flags.ack==1. Trace with FTP Hydra and SYN/Port 21 filter.
  • Telnet Login Filter: tcp.port==23 && tcp.flags.syn==0 && tcp.flags.ack==0. Trace with Telnet Hydra and SYN/Port 23 filter.
  • Telnet Login Filter: telnet contains "login".
  • Telnet Login Filter: telnet contains "Failed".
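The card-number filters above (and the email_cc2.pcap search earlier) match any run of digits with the right prefix and grouping, so an order or invoice number will trip them too. The following is an added example (not part of the original post or the analyser) that applies the post's three card regexes to a constructed SMTP DATA fragment and then runs a Luhn check on each candidate, which is the first thing an analyst does to separate real card numbers from look-alike digit strings.

```python
import re

# The post's display-filter regexes as Python patterns. The "\\d" in the tshark
# strings is Wireshark string escaping for "\d"; Python raw strings need no doubling.
CARD_PATTERNS = {
    "visa":       r"4\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}",
    "mastercard": r"5\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}",
    "amex":       r"3\d{3}(\s|-)?\d{6}(\s|-)?\d{5}",
}

def luhn_ok(digits):
    """Luhn mod-10 check: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_cards(text):
    """Return (brand, raw_match, luhn_valid) for every regex hit, in brand then text order."""
    hits = []
    for brand, pat in CARD_PATTERNS.items():
        for m in re.finditer(pat, text):
            digits = re.sub(r"[\s-]", "", m.group(0))
            hits.append((brand, m.group(0), luhn_ok(digits)))
    return hits

# Constructed message body (not from a real capture). The first three numbers are
# the well-known Visa/Mastercard/Amex test numbers; the "Order ref" is a Visa-shaped
# string that fails Luhn, i.e. the kind of false positive the raw filter reports.
SMTP_DATA = (
    "Subject: payment details\r\n\r\n"
    "Card: 4111 1111 1111 1111 exp 12/29\r\n"
    "Backup card 5555-5555-5555-4444\r\n"
    "Amex 3782 822463 10005\r\n"
    "Order ref 4000 1234 5678 9012\r\n"
)

def confirmed_cards(text):
    """Only the hits that also pass Luhn."""
    return [(b, raw) for b, raw, ok in find_cards(text) if ok]
```

The raw regexes report four candidates here while the Luhn pass keeps three; in a real triage the regex is the tshark-side needle-finder and the Luhn check is the second-stage filter applied to what it pulls out.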