Review: Instant Traffic Analysis with Tshark How-to

“Instant Traffic Analysis with Tshark How-to” is a short book of just about 70 pages, but it’s packed with goodies for everyday use.

The authors skip over the installation process: If you don’t know how to do this, this book is not for you :)

First and foremost they show how to capture packets without having to be root: the two capabilities raw capture requires are granted so that tshark can run as a low-privilege user. A successful exploit against one of tshark's many dissectors and protocol analyzers then yields only that user's rights rather than root, which limits the damage considerably. Next, the different levels of filtering are explained in depth: capture filters (running within the kernel, simple but fast) and display or read filters (running in user space, very powerful but relatively slow). Finally, different methods of actually capturing traffic are explained with their respective pros and cons: bridge mode, on a firewall, by mirroring a port on a switch, remote capturing using rpcapd, and finally ARP spoofing using ettercap. The authors go on to describe how to get a high-level overview of the communication relationships within the network (finding the heavy talkers) and drill down from there.

A collection of useful filters is presented (finding traffic to malicious domains, using passive DNS, using the “matches” operator to find NOP sleds). Modifying the tshark output for use in other programs makes it easy to consume tshark output from within e.g. a shell script. The final example in that section shows how to detect a cross-site scripting (XSS) injection.
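The two things the book keeps coming back to in this section, field-oriented output that other programs can consume and the "find the heavy talkers" drill-down, are easiest to see with a runnable script. The following is an added example of my own, not code from the book: it shows the tshark invocation a practitioner would type (with the non-root setup and the capture-filter/display-filter split in comments), and then aggregates the `-T fields` output into bytes per source/destination pair. Because this page cannot run tshark, the block embeds a constructed sample of what `tshark -T fields` prints; the addresses, byte counts and the `/usr/bin/dumpcap` path are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the book: turn tshark field output into a
# "heavy talkers" list. Everything below the comments runs offline.

# One-time non-root setup (not executed here). tshark hands the actual
# capture to dumpcap, so the capabilities go on that binary; the user
# only needs execute rights on it. Path assumed, adjust for your distro:
#   sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
#
# Capture filter (-f, BPF, kernel side, cheap) versus display filter
# (-Y in tshark 1.10+, -R on older releases; user space, expensive):
#   tshark -i eth0 -f 'tcp port 80' -Y 'http.request' -T fields -e http.host
#
# Field output for scripts: one line per frame, fields separated as asked.
# The aggregator below expects exactly this invocation (on a saved file):
#   tshark -r capture.pcap -T fields -E separator=, \
#          -e ip.src -e ip.dst -e frame.len

# Constructed sample of what that command prints. Not a real capture.
# The ",,42" line stands for a non-IP frame (e.g. ARP): ip.src and ip.dst
# print as empty fields, which the aggregator must skip.
SAMPLE='10.0.0.5,93.184.216.34,1514
10.0.0.5,93.184.216.34,1514
93.184.216.34,10.0.0.5,66
,,42
10.0.0.7,10.0.0.1,78
10.0.0.1,10.0.0.7,90
10.0.0.5,93.184.216.34,1514
10.0.0.9,10.0.0.1,60'

# heavy_talkers CSV_TEXT
# Sums frame.len per (src,dst) pair and prints "bytes src dst" lines,
# largest first. Frames without both IP addresses are ignored.
heavy_talkers() {
    printf '%s\n' "$1" | awk -F, '
        NF == 3 && $1 != "" && $2 != "" && $3 ~ /^[0-9]+$/ {
            bytes[$1 " " $2] += $3
        }
        END { for (k in bytes) printf "%d %s\n", bytes[k], k }
    ' | sort -rn
}

# top_talker CSV_TEXT
# The single busiest (src,dst) pair; the natural starting point for the
# drill-down, e.g. a follow-up display filter "ip.src==A && ip.dst==B".
top_talker() {
    heavy_talkers "$1" | head -n 1
}

# Stand-alone run over the constructed sample.
heavy_talkers "$SAMPLE"
```

On a real capture replace `$SAMPLE` with `"$(tshark -r capture.pcap -T fields -E separator=, -e ip.src -e ip.dst -e frame.len)"`. Note the direction: the script keys on the ordered pair, so a download shows up as a large server-to-client entry and a small client-to-server one; sum both if you want per-conversation totals.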

The second half of the book starts with the topic of advanced protocol decoding (protocols on uncommon ports) as well as decoding SSL traffic. “Auditing network attacks”, such as ARP and DHCP spoofing, comes next; a DNS amplification attack is explained, as is an attack using VRRP. Another chapter covers detecting an ICMP tunnel, and yet another is titled “Analyzing malware traffic”.

This is a wonderful book, with many real-life examples and anecdotes -- and lots of references to other useful tools! It shows what tshark is capable of and gives you ideas on how to unleash its raw power for the benefit of your network.

Ultimately this book made me want to look at, which is referenced several times.

You might want to buy this book if you’re firing up tcpdump or tshark every now and then - get it at

Ralf Hildebrandt, 12 Jun 2013