Counting Connections With tshark
Intro
In a previous blog entry, I discussed how to use tshark to identify which internal systems are sending the greatest amount of data to the Internet. While tshark’s conversation statistics can provide a lot of useful information, they are limited. For example, what if I want to identify the number of times a source IP connected to a destination IP? This info is not available with the conversations switch. In this blog entry, I’ll talk about how to count connections using tshark’s “field” switch.
Quick Review of tshark’s “field” Switch
I’ve discussed tshark’s fields output in previous blog entries. To summarize, “-T fields” tells tshark to print only the fields you name instead of its default one-line packet summary. Each field is given with its own “-e” switch, using the same field names you would use in a display filter. So if I’m only interested in seeing the source IP and port as well as the destination IP and port of each TCP packet, I could use the command:
tshark -r example.pcap -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -Y tcp
Note that every field needs its own -e; a field name without one is taken as part of the display filter rather than as a column to print.
Why Count Connections?
A large number of connections between an internal host and a system on the Internet indicates a persistent relationship between the two. Persistence is not inherently evil, but it does raise the question “Why is that host constantly talking to the same target on the Internet?” It could just be checking for patches or checking the time, or it could be a covert channel leaking data to an adversary.
Filtering on The Right Traffic
Let’s say we want to count the number of TCP connections originating from an internal host to the same target out on the Internet. We will need to create a number of filters to ensure we are working with the correct data. To start, we want to count only one TCP packet per session. This can be accomplished with a filter that matches packets with the TCP SYN flag turned on and all other TCP flags turned off. In tshark, we would use the following syntax:
tcp.flags==2
The SYN flag is the second low-order bit of the flags field, with a decimal value of 2 (FIN is 1), so this filter keeps only packets in which SYN is the sole flag set and ignores everything else, including the server’s SYN/ACK. One caveat: hosts that negotiate ECN also set the ECE and CWR flags on their initial SYN (RFC 3168), and an exact match on 2 silently drops those handshakes. If you want every client SYN regardless of ECN bits, use tcp.flags.syn==1 and tcp.flags.ack==0 instead; it still excludes the SYN/ACK.
Next, we will want to filter out all connection requests that do not originate from the internal network. Since internal systems will most likely use private IP addresses, and systems on the Internet will use public addresses, this filter should be relatively straightforward to create:
ip.src==192.168.0.0/16 or ip.src==10.0.0.0/8 or ip.src==172.16.0.0/12
We want to be sure that we use a logical “OR” between each statement. A logical “AND” could obviously never be true, as the same source IP address cannot exist in all three ranges. The three OR’d terms also need to be grouped in parentheses before being combined with the SYN test: display filters bind “and” more tightly than “or”, so without the parentheses the SYN check would apply only to the 192.168.0.0/16 term and every packet from the other two ranges, SYN or not, would be counted. Because parentheses are special to the shell, quote the filter and pass it with -Y. The -n switch disables name resolution so tshark prints raw addresses instead of pausing for DNS lookups. With this in mind, our tshark command would look something like this:
tshark -n -r example.pcap -T fields -e ip.src -e ip.dst -Y 'tcp.flags==2 and (ip.src==192.168.0.0/16 or ip.src==10.0.0.0/8 or ip.src==172.16.0.0/12)'
Cleaning Up The Output
The above command will simply print out all of the packets that match the specified pattern. We now need to add up the number of times our internal systems connect to each external address. We then may want to sort the data from highest to lowest for easy review. This can be accomplished by sending our output to sort/uniq/sort:
tshark -n -r example.pcap -T fields -e ip.src -e ip.dst -Y 'tcp.flags==2 and (ip.src==192.168.0.0/16 or ip.src==10.0.0.0/8 or ip.src==172.16.0.0/12)' | sort | uniq -c | sort -rn | head
The first sort command organizes the data so that connections between the same IP pair are listed together, one line after the other. The uniq command then adds up the number of instances of each IP pair. The final sort command organizes the data so that the greatest number of connections gets listed first.
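The whole procedure above, packaged as a small script. This is an added example and not code from the original post; it assumes tshark is installed and that the pcap path is passed as the first argument. Compared with the one-liner, it groups the filter with parentheses so the SYN test covers all three private ranges, uses the per-flag fields so SYNs carrying ECN bits are not dropped, excludes internal-to-internal pairs up front, and does the counting in one awk pass rather than sort/uniq/sort. The function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): count connection attempts
# from internal (RFC 1918) hosts to external addresses, keyed on the
# (src, dst) pair, busiest pairs first. Assumes tshark is on the PATH.

# First packet of a client handshake: SYN set, ACK clear. The per-flag
# fields keep SYNs that also carry the ECN bits (ECE/CWR), which an exact
# match on tcp.flags==2 would drop.
SYN_FILTER='tcp.flags.syn==1 and tcp.flags.ack==0'
INTERNAL_SRC='ip.src==192.168.0.0/16 or ip.src==10.0.0.0/8 or ip.src==172.16.0.0/12'
INTERNAL_DST='ip.dst==192.168.0.0/16 or ip.dst==10.0.0.0/8 or ip.dst==172.16.0.0/12'

# Each group is parenthesised so the SYN test applies to all three source
# ranges ("and" binds tighter than "or" in display filters), and
# internal-to-internal pairs are excluded rather than skipped by eye.
DISPLAY_FILTER="($SYN_FILTER) and ($INTERNAL_SRC) and not ($INTERNAL_DST)"

# extract_pairs PCAP: print one "src<TAB>dst" line per matching packet.
# -n disables name resolution; -Y applies the display filter.
extract_pairs() {
    tshark -n -r "$1" -Y "$DISPLAY_FILTER" -T fields -e ip.src -e ip.dst
}

# count_pairs: read "src dst" lines on stdin (tab or space separated) and
# print "count src dst", highest count first. Same result as
# sort | uniq -c | sort -rn, computed in a single awk pass.
count_pairs() {
    awk 'NF >= 2 { n[$1 " " $2]++ }
         END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# Stand-alone usage: ./count_conns.sh capture.pcap
if [ $# -gt 0 ]; then
    extract_pairs "$1" | count_pairs | head
fi
```

Because tshark writes fields tab-separated, count_pairs relies on awk’s default whitespace splitting, so the same function works on pasted space-separated output as well. Run it on a pcap and the first row is the pair to look at first; if that count dwarfs the rest, pull the full conversation for that pair with a display filter on both addresses.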
Some Sample Output
Here’s an example of the above command run against some actual data:
$ tshark -n -r thunt.pcap -T fields -e ip.src -e ip.dst tcp.flags==2 and ip.src==192.168.0.0/16 or ip.src==10.0.0.0/8 or ip.src==172.16.0.0/12 | sort | uniq -c | sort -rn | head
  20055 10.55.100.111 165.227.216.194
   6285 10.55.182.100 10.233.233.5
    543 10.55.100.111 172.217.8.198
    301 10.55.100.108 172.217.8.206
    290 10.55.100.111 157.240.2.35
    290 10.55.100.100 172.217.8.206
    285 10.55.100.104 172.217.8.206
    273 10.55.100.105 172.217.8.206
    271 10.55.100.109 172.217.8.206
    269 10.55.100.111 172.217.8.196
The first column identifies how many packets from the listed source IP address to the listed destination IP address matched the filter within the pcap file being reviewed. If you look at line two, we see a conversation between two internal IP addresses. Pairs like that can safely be ignored, or excluded up front by adding “and not (ip.dst==192.168.0.0/16 or ip.dst==10.0.0.0/8 or ip.dst==172.16.0.0/12)” to the filter. Note that the first listed IP pair has talked a substantially greater number of times than all of the other IP pairs, which makes this first entry worthy of further investigation. One caution about this particular run: the filter was passed without parentheses, and because “and” binds more tightly than “or” the SYN test applied only to the 192.168.0.0/16 term, so the rows above, all with 10.x sources, count every IP packet from that host rather than only connection attempts. Re-run with the three source ranges grouped in parentheses to get true per-connection counts before comparing hosts against each other.
Chris has been a leader in the IT and security industry for over 20 years. He’s a published author of multiple security books and the primary author of the Cloud Security Alliance’s online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumnus of Y-Combinator, Chris has assisted multiple startups, helping them to improve their product security through continuous development and identifying their product market fit.