TShark Display Filter Examples
When reviewing packet captures, TShark prints out a pretty useful summary. However, sometimes there are specific fields you want to review that TShark does not print out by default. While you can use the “-V” option for verbose output, this is usually way more information than you want to see. Sometimes you only want to see specific field values. In this blog post, I’ll talk about TShark’s display filters and how they can be used to extract only the info you want to see.
A Simple Display Filter Example
The syntax for using display filters is pretty straightforward. The “-T fields” switch tells TShark that you only want to print specified fields. You then use the “-e” switch to specify each of the fields you wish to print. As an example, imagine I wanted to print out:
- Source IP address
- Destination IP address
- Transport protocol
for each packet in a PCAP file. The command I would use would be:
tshark -r sample.pcap -T fields -e ip.src -e ip.dst -e ip.proto | head -5
10.0.0.204 188.8.131.52 6
184.108.40.206 10.0.0.204 6
10.0.0.204 220.127.116.11 6
10.0.0.204 18.104.22.168 6
22.214.171.124 10.0.0.204 6
The “head -5” command at the end is simply limiting the output to just five lines.
Printing Column Titles
Let’s imagine I’m going to share the above output with a colleague and I want to add column titles to the output. I can use the “-E” switch to tell TShark to print out the display filter name at the top of each column.
tshark -r sample.pcap -E header=y -T fields -e ip.src -e ip.dst -e ip.proto | head -5
ip.src ip.dst ip.proto
10.0.0.204 126.96.36.199 6
188.8.131.52 10.0.0.204 6
10.0.0.204 184.108.40.206 6
10.0.0.204 220.127.116.11 6
Note that the column titles do not align perfectly with the data, because the values in each column are of different lengths. I can clean this up by piping my output through the “less” command instead of “head.” The “-x” switch of “less” sets the tab stop width, which in effect allocates a fixed number of characters to each tab-separated column. If a line is wider than the screen, I can add the “-S” switch so that “less” does not wrap it and instead lets me scroll past the right edge with the arrow keys. Our command would now look something like this:
tshark -r sample.pcap -E header=y -T fields -e ip.src -e ip.dst -e ip.proto | less -S -x20
ip.src              ip.dst              ip.proto
10.0.0.204          18.104.22.168       6
22.214.171.124      10.0.0.204          6
10.0.0.204          126.96.36.199       6
10.0.0.204          188.8.131.52        6
184.108.40.206      10.0.0.204          6
As mentioned, you can use the arrow keys to navigate up, down, or even left and right if the data goes off the side of the screen. The page up and down keys can be used as well. You can press the letter “q” to exit this display and return to the command line.
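If the output is going into a file or a report rather than a pager, the columns can be padded once instead of relying on “less -x”. The following is an added example, not code from the original post: it reads the tab-separated output that “-T fields -E header=y” produces, measures the widest value in each column and pads every column to that width. The sample_fields function is a constructed stand-in for real TShark output (the addresses are made up).

```shell
#!/bin/sh
# Added example (not from the original post): pad the tab-separated output of
# "tshark -T fields -E header=y" so that headers and data line up, as an
# alternative to viewing it through "less -S -x20".
align_columns() {
  awk -F '\t' '
    {
      if (NF > ncols) ncols = NF
      for (i = 1; i <= NF; i++) {
        cell[NR, i] = $i
        if (length($i) > width[i]) width[i] = length($i)
      }
    }
    END {
      for (r = 1; r <= NR; r++) {
        line = ""
        for (i = 1; i <= ncols; i++)
          line = line sprintf("%-" (width[i] + 2) "s", cell[r, i])
        sub(/ +$/, "", line)   # drop the padding after the last column
        print line
      }
    }'
}

# Constructed sample standing in for "tshark -T fields -E header=y" output;
# the addresses are made up.
sample_fields() {
  printf '%s\t%s\t%s\n' \
    ip.src ip.dst ip.proto \
    10.0.0.204 10.0.0.1 6 \
    192.168.1.20 10.0.0.204 17
}

sample_fields | align_columns
```

In practice you would replace sample_fields with the real pipeline, for example tshark -r sample.pcap -E header=y -T fields -e ip.src -e ip.dst -e ip.proto | align_columns. The function buffers the whole input before printing, because it needs to see every row to know the column widths, so it is meant for the trimmed output of a query rather than for streaming a live capture.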
Finding the Right Display Filter
There are over 22,000 display filters supported by TShark at the time of this writing. This can make finding the right display filter a bit challenging. Luckily, TShark includes a list of display filters that can be printed out with the “-G” switch:
tshark -G | less -S -x40
P   Short Frame                         _ws.short
P   Malformed Packet                    _ws.malformed
P   Unreassembled Fragmented Packet     _ws.unreassembled
F   Dissector bug                       _ws.malformed.dissector_bug
F   Reassembly error                    _ws.malformed.reassembly
(Please note that I’ve adjusted the spacing in this blog so that it fits within the allowable space)
The first column will be a “P” for protocol or an “F” to identify the entry as a field. The second column is a brief description, and the third column is the actual display filter. You can search the “less” output for specific strings by hitting the “/” key. This changes the prompt in the lower left from “:” to “/”. You then type in the string you wish to search for, followed by the enter key. Pressing “/” and enter again repeats the search, moving through the output and pausing at each match.
Using grep to Search for Display Filters
Searching through the less output can still be pretty cumbersome. A better technique is to use grep to search for the pattern you are interested in. For example, let’s say I wanted to print out:
- Source IP address
- Destination IP address
- IP Identification
The source and destination IP are pretty easy to remember, as we’ll use those frequently. Let’s say we need to figure out what the display filter will be for the IP identification field. We know it’s in the IP header, so let’s start there. We only want to see fields associated with the IP header, so we would pipe the output through grep with the pattern '\sip\.'.
The string “ip” on its own is short and would match plenty of entries we don’t care to see, so we want to be as specific as possible to avoid noise. The “\s” at the beginning of the pattern tells grep that “ip” must be preceded by some sort of white space (a tab or a space character). The “\.” at the end tells grep that “ip” must be followed by a literal period. Without the backslash, grep would interpret the period as a wildcard matching any single character. So our command would look something like this:
tshark -G | grep '\sip\.' | less -S -x40
About 15 lines into the output, we would see:
F Identification ip.id
So the TShark command I would use would be:
tshark -r sample.pcap -T fields -e ip.src -e ip.dst -e ip.id | head -5
10.0.0.204 220.127.116.11 0x1b7b
18.104.22.168 10.0.0.204 0x0000
10.0.0.204 22.214.171.124 0x1b7c
10.0.0.204 126.96.36.199 0x1b7d
188.8.131.52 10.0.0.204 0x48e3
More on Finding Display Filters
We can build on that previous grep command to be even more specific when searching for display fields. For example, imagine I wanted to work with TCP flag values. I know those would be under the TCP header, and probably under the flags subcategory. In this case, I would use something like:
tshark -G | grep '\stcp\.flag' | less -S -x40
F   Flags                                tcp.flags
F   Reserved                             tcp.flags.res
F   Nonce                                tcp.flags.ns
F   Congestion Window Reduced (CWR)      tcp.flags.cwr
F   ECN-Echo                             tcp.flags.ecn
F   Urgent                               tcp.flags.urg
F   Acknowledgment                       tcp.flags.ack
Filtering TShark Output With Display Filters
This may seem a bit meta, but along with using display filters to identify the fields we wish to see, we can also use display filters to filter the packets that get displayed. Let’s look at an example. Imagine I want to print out:
- Source IP address
- Destination IP address
- Destination TCP port
Let’s further assume we only want to see the first packet in the session, where the SYN flag is turned on but all other flags are turned off. The SYN flag has a decimal value of two within the TCP flags field, so our command would look something like this:
tshark -r sample.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport tcp.flags==2 | head -6
10.55.182.100 10.233.233.5 80
10.55.182.100 10.233.233.5 80
10.55.182.100 10.233.233.5 80
10.55.100.111 184.108.40.206 443
10.55.100.111 220.127.116.11 443
10.55.100.111 18.104.22.168 443
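The filter tcp.flags==2 works because tcp.flags is the whole flags byte (plus the NS bit) read as one number, and the tcp.flags.* fields listed in the previous section are its individual bits. The following is an added example, not code from the original post, that decodes a tcp.flags value the way TShark prints it (hex with a 0x prefix) or as a decimal into the individual flag names, and checks the exact condition tcp.flags==2 expresses. One caveat it makes visible: a SYN sent with the ECN setup bits (tcp.flags value 0xc2) is still a connection attempt but does not match tcp.flags==2; if you want those too, the filter tcp.flags.syn==1 && tcp.flags.ack==0 selects on the individual bits instead.

```shell
#!/bin/sh
# Added example (not from the original post): decode a tcp.flags value, as
# printed by "tshark -T fields -e tcp.flags" (hex with a 0x prefix) or typed
# in decimal, into the individual flag names from the tcp.flags.* field list.
decode_tcp_flags() {
  value=$(( $1 ))      # shell arithmetic accepts both "2" and "0x012"
  names=""
  # bit value : name, least significant bit first
  # (ECE is the tcp.flags.ecn field, NS is tcp.flags.ns)
  for entry in 1:FIN 2:SYN 4:RST 8:PSH 16:ACK 32:URG 64:ECE 128:CWR 256:NS; do
    bit=${entry%%:*}
    name=${entry#*:}
    if [ $(( value & bit )) -ne 0 ]; then
      names="$names $name"
    fi
  done
  echo "${names# }"
}

# The page's filter tcp.flags==2 keeps only a "pure" SYN: SYN set and every
# other bit clear. Returns success (0) exactly for such values.
is_pure_syn() {
  [ $(( $1 )) -eq 2 ]
}

decode_tcp_flags 2       # SYN
decode_tcp_flags 0x012   # SYN ACK: the second packet of the handshake
decode_tcp_flags 0x0c2   # SYN ECE CWR: an ECN-setup SYN, not matched by tcp.flags==2
```

The same decoding applies to any value you see in a tcp.flags column, so it is a quick way to sanity-check a numeric filter before running it over a large capture.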
Manipulating the Data Output
One of the benefits of using display filters is that it permits us to easily manipulate the data. For example, imagine we wanted to count up the number of TCP connections that were initiated within a pcap file, as well as the IP addresses involved in the connection. We would simply build on our last example and use sort and uniq to tally the data.
tshark -r sample.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport tcp.flags==2 | sort | uniq -c | sort -rn | head
20055 10.55.100.111 22.214.171.124 443
6285 10.55.182.100 10.233.233.5 80
540 10.55.100.111 126.96.36.199 443
296 10.55.100.108 188.8.131.52 443
290 10.55.100.111 184.108.40.206 443
The TShark command is the same as what we used in the previous section. The first “sort” command then reorganizes the data so that when the source IP, destination IP, and port number are the same, those lines are all collected together. The “uniq -c” counts the number of lines that match, and then reduces the output to a single line. It also adds a new column to the front of the line and prints the number of occurrences. Finally, the “sort -rn” command sorts the final output such that the most frequent connection pairs get printed first. The final output shows us which source IP address is connecting to which destination IP address the most frequently.
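The tally above answers “which pair talks the most”, but the same three columns also answer a second question a threat hunter usually asks next: does a source send many SYNs to one destination, or a few SYNs each to many destinations? The following is an added example, not code from the original post. It wraps the page’s sort | uniq -c | sort -rn pipeline in a function and adds a per-source roll-up that counts total SYNs and distinct destination:port targets. Both read the three-column output of the tshark command in the previous section from standard input; sample_syns is a constructed stand-in for that output with made-up addresses.

```shell
#!/bin/sh
# Added example (not from the original post): the page's sort | uniq -c | sort -rn
# tally wrapped as a function, plus a per-source roll-up. Input is the
# three-column output of "tshark -T fields -e ip.src -e ip.dst -e tcp.dstport".

# Count identical (src, dst, dstport) lines, most frequent first. The awk at
# the end only normalizes the leading whitespace that "uniq -c" emits.
tally_connections() {
  sort | uniq -c | sort -rn | awk '{ print $1, $2, $3, $4 }'
}

# For each source: total SYNs sent and number of distinct dst:port targets.
# A source with many targets and few SYNs each reads very differently from
# one sending thousands of SYNs to a single destination; both stand out here.
summarize_by_source() {
  awk '
    {
      syns[$1]++
      key = $1 SUBSEP $2 ":" $3
      if (!(key in seen)) { seen[key] = 1; targets[$1]++ }
    }
    END { for (src in syns) print src, syns[src], targets[src] }
  ' | sort -k2,2nr
}

# Constructed sample data (made-up addresses) standing in for TShark output,
# tab-separated like "-T fields" prints it.
sample_syns() {
  printf '%s\t%s\t%s\n' \
    10.55.100.111 203.0.113.10 443 \
    10.55.100.111 203.0.113.10 443 \
    10.55.100.111 203.0.113.10 443 \
    10.55.182.100 10.233.233.5 80 \
    10.55.182.100 10.233.233.5 80 \
    10.55.100.108 203.0.113.20 443 \
    10.55.100.108 203.0.113.21 443 \
    10.55.100.108 203.0.113.22 22
}

sample_syns | tally_connections
sample_syns | summarize_by_source
```

With real data, replace sample_syns by the tshark command from the previous section, for example tshark -r sample.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport tcp.flags==2 | summarize_by_source. In the constructed sample, 10.55.100.111 and 10.55.100.108 each send three SYNs, but the first sends all of them to one destination while the second spreads them over three, which is the distinction the plain tally does not show.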
TShark display filters are a powerful tool that can help you run down strange network patterns. Feel free to take the examples above and build on them to best fit your environment.
Chris has been a leader in the IT and security industry for over 20 years. He’s a published author of multiple security books and the primary author of the Cloud Security Alliance’s online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumnus of Y-Combinator, Chris has assisted multiple startups, helping them to improve their product security through continuous development and identifying their product market fit.