Counting Connections With tshark


In a previous blog entry, I discussed how to use tshark to identify which internal systems are sending the greatest amount of data to the Internet. While tshark’s conversation statistics can provide a lot of useful information, they are limited. For example, what if I want to identify the number of times a source IP connected to a destination IP? This info is not available with the conversations switch. In this blog entry, I’ll talk about how to count connections using tshark’s “field” switch.


Quick Review of tshark’s “field” Switch

I’ve discussed tshark’s field switch in previous blog entries. To summarize, the field switch lets you override which data tshark displays. By combining it with the “-e” switch, I can specify the exact fields I want to see using display filters. So if I’m only interested in seeing source IP and port as well as the destination IP and port, I could use the command:

tshark -r example.pcap -T fields -e ip.src tcp.srcport -e ip.src -e tcp.dstport tcp


Why Count Connections?

A large number of connections between an internal host and a system on the Internet is an indication of persistence. While persistence is not inherently evil, it does beg the question “Why is that host constantly talking to the same target on the Internet?” It could just be checking for patches or checking the time, or it could be a covert channel leaking data to an adversary.


Filtering on The Right Traffic

Let’s say we want to count the number of TCP connections originating from an internal host, to the same target out on the Internet. We will need to create a number of filters to ensure we are working with the correct data. To start, we will want to count only one TCP packet per session. This can be accomplished by creating a filter that only looks for packets with the TCP SYN flag turned on, and all other TCP flags turned off. We tshark, we would use the following syntax:


The SYN flag is the second low-order bit with a decimal equivalent of 2. So this filter will check all the TCP flags and ignore any packet that does not have SYN turned on by itself.

Next, we will want to filter out all connection requests that do not originate from the internal network. Since internal systems will most likely use private IP addresses, and systems on the Internet will use public addresses, this filter should be relatively straightforward to create:

ip.src== or ip.src== or ip.src==

We want to be sure that we use a logical “OR” between each statement. A logical “AND” could obviously never be true, as the same source IP address could not exist in all three ranges. With this in mind, our tshark command would look something like this:

tshark -n -r example.pcap -T fields -e ip.src -e ip.dst tcp.flags==2 and ip.src== or ip.src== or ip.src==


Cleaning Up The Output

The above command will simply print out all of the packets that match the specified pattern. We now need to add up the number of times our internal systems connect to each external address. We then may want to sort the data from highest to lowest for easy review. This can be accomplished by sending our output to sort/uniq/sort:

tshark -n -r example.pcap -T fields -e ip.src -e ip.dst tcp.flags==2 and ip.src== or ip.src== or ip.src== | sort | uniq -c | sort -rn | head

The first sort command organizes the data so that connections between the same IP pair are listed together, one line after the other. The uniq command then adds up the number of instances of each IP pair. The final sort command organizes the data so that the greatest number of connections gets listed first.


Some Sample Output

Here’s an example of the above command run against some actual data:

$ tshark -n -r thunt.pcap -T fields -e ip.src -e ip.dst tcp.flags==2 and ip.src== or ip.src== or ip.src== | sort | uniq -c | sort -rn | head


The first column identifies how many times the listed source IP address connected to the listed destination IP address within the pcap file being reviewed. If you look at line two, we see a conversation between two internal IP addresses. Those can safely be ignored. Note that the first listed IP pair has connected a substantially greater number of times than all of the other IP pairs. This would make this first entry worthy of further investigation.




Interested in threat hunting tools? Check out AC-Hunter

Active Countermeasures is passionate about providing quality, educational content for the Infosec and Threat Hunting community. We appreciate your feedback so we can keep providing the type of content the community wants to see. Please feel free to Email Us with your ideas!

Share this:
AC-Hunter Datasheet
AC-Hunter Personal Demo
What We’re up To