What is Tshark?
Tshark.exe is the command-line version of Wireshark, a popular network protocol analyzer. It is used to capture and analyze network traffic directly from the terminal or command prompt. Tshark allows users to apply filters, extract specific fields, and generate detailed reports about captured network data. In this example, Tshark is employed to analyze HTTP and HTTPS traffic, focusing on attributes such as source and destination IP addresses, ports, HTTP headers, and TLS handshake information.
Python API
Here are the APIs I used for testing purposes. You can find more details and test them by visiting the link below.
Basic Authentication Traffic Analysis
In this section, the focus is on analyzing HTTP traffic with Basic Authentication. The provided Tshark command extracts details about authentication headers, including user credentials encoded in Base64. This analysis helps identify potential vulnerabilities in transmitting credentials over unencrypted channels.
"C:\Program Files\Wireshark\tshark.exe" -i "Ethernet 3" -Y "http.authbasic" -T fields -e tcp.port -e ip.src -e ip.dst -e http.host -e http.request.uri -e http.request.method -e http.authorization -e http.user_agent -e http.referer -e http.cookie -e tls.handshake.type -e tls.handshake.version -e tls.record.version
Example Output:
Capturing on 'Ethernet 3'
50518,80 192.168.56.1 192.168.56.101 192.168.56.101:80 /users POST Basic YWRtaW46cGFzc3dvcmQ= PostmanRuntime/7.43.0
50522,80 192.168.56.1 192.168.56.101 192.168.56.101:80 /users GET Basic YWRtaW46cGFzc3dvcmQ= PostmanRuntime/7.43.0
2 packets captured
Attribute Legend:
- -i: Interface to capture traffic on (e.g., Ethernet 3).
- -Y: Display filter to apply during capture.
- -T: Output format type (fields in this case).
- -e: Specifies fields to extract.
- tcp.port: The TCP port used in the communication.
- ip.src: Source IP address of the packet.
- ip.dst: Destination IP address of the packet.
- http.host: Host header in the HTTP request.
- http.request.uri: The URI of the HTTP request.
- http.request.method: HTTP request method (e.g., GET, POST).
- http.authorization: Authorization header in the HTTP request.
- http.user_agent: User-Agent string from the HTTP request.
- http.referer: Referer header in the HTTP request.
- http.cookie: Cookie data in the HTTP request.
- tls.handshake.type: Type of TLS handshake message.
- tls.handshake.version: Version of the TLS handshake protocol.
- tls.record.version: Version of the TLS record protocol.
Conclusions:
Basic Authentication transmits credentials Base64-encoded, which is a reversible encoding rather than encryption, so anyone who can observe the traffic can decode them. Without transport encryption (HTTPS), this method poses significant security risks. Always use a secure transport protocol to protect sensitive information.
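The check described in this section, as an added example that is not part of the original write-up: it parses the tab-separated output that tshark -T fields produces (tab is the default -E separator), flags every request whose Authorization header is visible in the capture (visible means it crossed the wire unencrypted), and decodes the Base64 token to report which user name was exposed. The sample lines are constructed from the two requests shown above.

```python
import base64
import binascii

# Field order matches the -e flags of the tshark command above.
FIELDS = ["tcp.port", "ip.src", "ip.dst", "http.host", "http.request.uri",
          "http.request.method", "http.authorization", "http.user_agent",
          "http.referer", "http.cookie", "tls.handshake.type",
          "tls.handshake.version", "tls.record.version"]

# Constructed sample of tshark -T fields output (tab-separated, one packet per line),
# rebuilt from the two request lines shown above; absent fields are left empty.
SAMPLE = (
    "50518,80\t192.168.56.1\t192.168.56.101\t192.168.56.101:80\t/users\tPOST\t"
    "Basic YWRtaW46cGFzc3dvcmQ=\tPostmanRuntime/7.43.0\t\t\t\t\t\n"
    "50522,80\t192.168.56.1\t192.168.56.101\t192.168.56.101:80\t/users\tGET\t"
    "Basic YWRtaW46cGFzc3dvcmQ=\tPostmanRuntime/7.43.0\t\t\t\t\t\n"
)

def parse_fields(text):
    """Turn tshark -T fields output into one dict per packet."""
    return [dict(zip(FIELDS, line.split("\t")))
            for line in text.splitlines() if line.strip()]

def decode_basic(auth_header):
    """Return the user name from a 'Basic <base64>' header, or None if not decodable."""
    scheme, _, token = auth_header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        creds = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, _, _password = creds.partition(":")   # the secret is not reported
    return user

def find_cleartext_basic_auth(text):
    """Report Basic Authentication requests whose header was readable in the capture.

    tshark can only dissect http.authorization when the HTTP payload is not
    TLS-protected, so every hit here is a credential that travelled in cleartext.
    """
    findings = []
    for pkt in parse_fields(text):
        auth = pkt.get("http.authorization", "")
        if not auth.startswith("Basic "):
            continue
        findings.append({
            "src": pkt["ip.src"], "dst": pkt["ip.dst"],
            "dst_port": pkt["tcp.port"].split(",")[-1],   # "50518,80" -> "80"
            "method": pkt["http.request.method"], "uri": pkt["http.request.uri"],
            "user": decode_basic(auth),
        })
    return findings
```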
HTTPS Traffic Analysis
HTTPS analysis focuses on capturing and inspecting traffic over encrypted channels. The TLS handshake and other attributes are reviewed to verify secure communication between client and server.
"C:\Program Files\Wireshark\tshark.exe" -i "Ethernet 3" -Y "tcp.port == 443" -T fields -e ip.src -e ip.dst -e tcp.port -e http.host -e http.request.uri -e http.request.method -e http.user_agent -e http.referer -e http.cookie -e tls.handshake.type -e tls.handshake.version -e tls.record.version
Example Output:
Capturing on 'Ethernet 3'
192.168.56.1 192.168.56.101 50546,443
192.168.56.101 192.168.56.1 443,50546
192.168.56.1 192.168.56.101 50546,443
192.168.56.1 192.168.56.101 50546,443 1 0x0303 0x0301
192.168.56.101 192.168.56.1 443,50546
192.168.56.101 192.168.56.1 443,50546 2 0x0303 0x0303,0x0303,0x0303,0x0303
192.168.56.1 192.168.56.101 50546,443 0x0303,0x0303,0x0303
192.168.56.101 192.168.56.1 443,50546 0x0303
192.168.56.1 192.168.56.101 50546,443
192.168.56.101 192.168.56.1 443,50546 0x0303,0x0303
192.168.56.1 192.168.56.101 50546,443 0x0303
192.168.56.1 192.168.56.101 50546,443
192.168.56.101 192.168.56.1 443,50546
192.168.56.1 192.168.56.101 50546,443
192.168.56.101 192.168.56.1 443,50546
15 packets captured
Attribute Legend:
- -i: Interface to capture traffic on (e.g., Ethernet 3).
- -Y: Display filter to apply during capture.
- -T: Output format type (fields in this case).
- -e: Specifies fields to extract.
- ip.src: Source IP address of the packet.
- ip.dst: Destination IP address of the packet.
- tcp.port: The TCP port used in the communication.
- http.host: Host header in the HTTP request.
- http.request.uri: The URI of the HTTP request.
- http.request.method: HTTP request method (e.g., GET, POST).
- http.user_agent: User-Agent string from the HTTP request.
- http.referer: Referer header in the HTTP request.
- http.cookie: Cookie data in the HTTP request.
- tls.handshake.type: Type of TLS handshake message.
- tls.handshake.version: Version of the TLS handshake protocol.
- tls.record.version: Version of the TLS record protocol.
Conclusions:
HTTPS ensures secure communication by encrypting data transmitted between the client and the server. Analysis of HTTPS traffic includes:
- Verification of encryption:
  - Encrypted data is inaccessible to potential attackers.
  - The TLS (Transport Layer Security) protocol ensures confidentiality and integrity.
- Review of the connection establishment process (TLS handshake):
  - Encryption keys are established for use during the session.
  - SSL/TLS certificates are exchanged to verify the server's identity.
- Inspection of HTTPS traffic details (using tools like Tshark):
  - Recording information about source and destination IP addresses, TCP ports, HTTP headers, and User-Agent.
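The handshake review described above, as an added example that is not part of the original write-up: it reads the HTTPS tshark output, picks out the ClientHello (tls.handshake.type 1) and ServerHello (type 2), maps the version codes (0x0301 = TLS 1.0, 0x0303 = TLS 1.2) to names, and reports whether the server settled on a legacy protocol. The sample lines are constructed from the handshake packets of the capture shown above.

```python
# Field order matches the -e flags of the HTTPS tshark command above.
FIELDS = ["ip.src", "ip.dst", "tcp.port", "http.host", "http.request.uri",
          "http.request.method", "http.user_agent", "http.referer", "http.cookie",
          "tls.handshake.type", "tls.handshake.version", "tls.record.version"]

# Version codes as they appear in the tls.* fields.
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
CLIENT_HELLO, SERVER_HELLO = 1, 2

# Constructed sample rebuilt from the capture above (tab-separated; the HTTP
# fields stay empty because the payload is encrypted).
SAMPLE = (
    "192.168.56.1\t192.168.56.101\t50546,443\t\t\t\t\t\t\t\t\t\n"
    "192.168.56.1\t192.168.56.101\t50546,443\t\t\t\t\t\t\t1\t0x0303\t0x0301\n"
    "192.168.56.101\t192.168.56.1\t443,50546\t\t\t\t\t\t\t2\t0x0303\t0x0303,0x0303,0x0303,0x0303\n"
    "192.168.56.1\t192.168.56.101\t50546,443\t\t\t\t\t\t\t\t\t0x0303,0x0303,0x0303\n"
)

def parse_fields(text):
    """Turn tshark -T fields output into one dict per packet."""
    return [dict(zip(FIELDS, line.split("\t")))
            for line in text.splitlines() if line.strip()]

def summarize_handshake(text):
    """Find ClientHello/ServerHello and judge the protocol version the server chose."""
    summary = {"client_hello": None, "server_hello": None, "verdict": "no ServerHello seen"}
    for pkt in parse_fields(text):
        if not pkt.get("tls.handshake.type"):
            continue
        # Several handshake messages can share one packet; tshark joins them with
        # commas. Only Hello messages carry a version, and they come first in a
        # flight, so pairing types with versions positionally is safe.
        types = [int(t) for t in pkt["tls.handshake.type"].split(",")]
        versions = [int(v, 16) for v in pkt["tls.handshake.version"].split(",")]
        for htype, ver in zip(types, versions):
            name = TLS_VERSIONS.get(ver, hex(ver))
            if htype == CLIENT_HELLO:
                summary["client_hello"] = {"src": pkt["ip.src"], "version": name}
            elif htype == SERVER_HELLO:
                summary["server_hello"] = {"src": pkt["ip.src"], "version": name}
                # A TLS 1.3 server also writes 0x0303 here and signals 1.3 in the
                # supported_versions extension, so 0x0303 means "1.2 or newer";
                # anything below it is a legacy protocol worth flagging.
                summary["verdict"] = ("ok (TLS 1.2 or newer)" if ver >= 0x0303
                                      else "legacy " + name)
    return summary
```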