Question

Use Tshark for the following question: Capture traffic on the network interface "eth0," filter out all traffics to/from port 22 or port 10 except port 11 or port 13, and store the results in the file "quiz1.pcap."

Answer 1

Installation of Tshark

To install the latest version on Ubuntu 16.04 or 17.04 use the following commands to add the package repository.

• sudo add-apt-repository ppa:dreibh/ppa

• sudo apt-get update && sudo apt-get install wireshark tshark

To capture packets using Tshark, you could do it in two steps

1. capture general traffic of interest using tshark or even dumpcap

• tshark -i eth0 -f "(tcp[0:2] >= 10 and tcp[0:2] < 11) or (tcp[2:2] > 13 and tcp[2:2] <= 22) or (port 12)" -a filesize:100 -n -w quiz1.pcap

it captures all the TCP packets of eth0 interface between the range of ports 10 - 11 and 14 - 22 and lastly stores that result to a file quiz1.pcap.

2. Once Tshark terminates, have Tshark read the exact packets of interest from the capture file and process the packets as you'd like

• tshark -r quiz1.pcap -Y "ipp contains 02:00:00" -T pdml > output.xml

Results are shown in the following screenshots. In this result i have used wlp3s0f0 interface and captured packets on some different ports