tshark.exe
- File Path: C:\Program Files\Wireshark\tshark.exe
- Description: TShark
Hashes
Type | Hash |
---|---|
MD5 | 6B454D9B335B3DCEF044D149F2530414 |
SHA1 | 405DF9F404A95120883A29F3227DF5E6AB68EE80 |
SHA256 | 2530BC472F4C73B19C6A2D99C5879C6943279F7C18E37F89F1E58AEC32701625 |
SHA384 | DCBB0DBD67179BA1F0F183C3851131DADFC46435A9EC63313F77ECD594EAF9AFDAFF4D5D9C8A15993D7C1DDFB1EB9A22 |
SHA512 | 1B67B69D232656D0B4B5289B17CF3AEDDAAE5BF365DAF7A00D6BFCDD3D5A2E8897A8B32D393BF3E7D9C3DDDD0CEDDF39F30447DF7B88ED4BB951DEE146869F20 |
SSDEEP | 12288:BrfPDdVGB5eqK+DLFrLf/tapF920CjFP9Jf:BDJVU4qjrLQ8zBzf |
IMP | 5F0C45A1AB2F3DB2CD9092350CAF8ACB |
PESHA1 | 4C41EC27730F81D1DEF33F5F61D1816D025C4790 |
PE256 | 0DEEF85CB52982A51BA6E8DF862646F608435F53080732C1C6D6C0609379BBF6 |
Runtime Data
Usage (stdout):
TShark (Wireshark) 3.2.7 (v3.2.7-0-gfb6522d84a3a)
Dump and analyze network traffic.
See https://www.wireshark.org for more information.
Usage: tshark [options] ...
Capture interface:
-i <interface>, --interface <interface>
name or idx of interface (def: first non-loopback)
-f <capture filter> packet filter in libpcap filter syntax
-s <snaplen>, --snapshot-length <snaplen>
packet snapshot length (def: appropriate maximum)
-p, --no-promiscuous-mode
don't capture in promiscuous mode
-I, --monitor-mode capture in monitor mode, if available
-B <buffer size>, --buffer-size <buffer size>
size of kernel buffer (def: 2MB)
-y <link type>, --linktype <link type>
link layer type (def: first appropriate)
--time-stamp-type <type> timestamp method for interface
-D, --list-interfaces print list of interfaces and exit
-L, --list-data-link-types
print list of link-layer types of iface and exit
--list-time-stamp-types print list of timestamp types for iface and exit
Capture stop conditions:
-c <packet count> stop after n packets (def: infinite)
-a <autostop cond.> ..., --autostop <autostop cond.> ...
duration:NUM - stop after NUM seconds
filesize:NUM - stop this file after NUM KB
files:NUM - stop after NUM files
packets:NUM - stop after NUM packets
Capture output:
-b <ringbuffer opt.> ..., --ring-buffer <ringbuffer opt.>
duration:NUM - switch to next file after NUM secs
filesize:NUM - switch to next file after NUM KB
files:NUM - ringbuffer: replace after NUM files
packets:NUM - switch to next file after NUM packets
interval:NUM - switch to next file when the time is
an exact multiple of NUM secs
RPCAP options:
-A <user>:<password> use RPCAP password authentication
Input file:
-r <infile>, --read-file <infile>
set the filename to read from (or '-' for stdin)
Processing:
-2 perform a two-pass analysis
-M <packet count> perform session auto reset
-R <read filter>, --read-filter <read filter>
packet Read filter in Wireshark display filter syntax
(requires -2)
-Y <display filter>, --display-filter <display filter>
packet displaY filter in Wireshark display filter
syntax
-n disable all name resolutions (def: all enabled)
-N <name resolve flags> enable specific name resolution(s): "mnNtdv"
-d <layer_type>==<selector>,<decode_as_protocol> ...
"Decode As", see the man page for details
Example: tcp.port==8888,http
-H <hosts file> read a list of entries from a hosts file, which will
then be written to a capture file. (Implies -W n)
--enable-protocol <proto_name>
enable dissection of proto_name
--disable-protocol <proto_name>
disable dissection of proto_name
--enable-heuristic <short_name>
enable dissection of heuristic protocol
--disable-heuristic <short_name>
disable dissection of heuristic protocol
Output:
-w <outfile|-> write packets to a pcapng-format file named "outfile"
(or '-' for stdout)
--capture-comment <comment>
set the capture file comment, if supported
-C <config profile> start with specified configuration profile
-F <output file type> set the output file type, default is pcapng
an empty "-F" option will list the file types
-V add output of packet tree (Packet Details)
-O <protocols> Only show packet details of these protocols, comma
separated
-P, --print print packet summary even when writing to a file
-S <separator> the line separator to print between packets
-x add output of hex and ASCII dump (Packet Bytes)
-T pdml|ps|psml|json|jsonraw|ek|tabs|text|fields|?
format of text output (def: text)
-j <protocolfilter> protocols layers filter if -T ek|pdml|json selected
(e.g. "ip ip.flags text", filter does not expand child
nodes, unless child is specified also in the filter)
-J <protocolfilter> top level protocol filter if -T ek|pdml|json selected
(e.g. "http tcp", filter which expands all child nodes)
-e <field> field to print if -Tfields selected (e.g. tcp.port,
_ws.col.Info)
this option can be repeated to print multiple fields
-E<fieldsoption>=<value> set options for output when -Tfields selected:
bom=y|n print a UTF-8 BOM
header=y|n switch headers on and off
separator=/t|/s|<char> select tab, space, printable character as separator
occurrence=f|l|a print first, last or all occurrences of each field
aggregator=,|/s|<char> select comma, space, printable character as
aggregator
quote=d|s|n select double, single, no quotes for values
-t a|ad|adoy|d|dd|e|r|u|ud|udoy
output format of time stamps (def: r: rel. to first)
-u s|hms output format of seconds (def: s: seconds)
-l flush standard output after each packet
-q be more quiet on stdout (e.g. when using statistics)
-Q only log true errors to stderr (quieter than -q)
-g enable group read access on the output file(s)
-W n Save extra information in the file, if supported.
n = write network address resolution information
-X <key>:<value> eXtension options, see the man page for details
-U tap_name PDUs export mode, see the man page for details
-z <statistics> various statistics, see the man page for details
--export-objects <protocol>,<destdir>
save exported objects for a protocol to a directory
named "destdir"
--color color output text similarly to the Wireshark GUI,
requires a terminal with 24-bit color support
Also supplies color attributes to pdml and psml formats
(Note that attributes are nonstandard)
--no-duplicate-keys If -T json is specified, merge duplicate keys in an object
into a single key with as value a json array containing all
values
--elastic-mapping-filter <protocols> If -G elastic-mapping is specified, put only the
specified protocols within the mapping file
Miscellaneous:
-h, --help display this help and exit
-v, --version display version info and exit
-o <name>:<value> ... override preference setting
-K <keytab> keytab file to use for kerberos decryption
-G [report] dump one of several available reports and exit
default report="fields"
use "-G help" for more help
Usage (stderr):
The NPF driver isn't running. You may have trouble capturing or
listing interfaces.
tshark: Unable to load Npcap or WinPcap (wpcap.dll); you will not be able to
capture packets.
In order to capture packets Npcap or WinPcap must be installed. See
https://nmap.org/npcap/
for a downloadable version of Npcap and for instructions on how to
install it.
Loaded Modules:
Path |
---|
C:\Program Files\Wireshark\tshark.exe |
C:\Windows\System32\KERNEL32.DLL |
C:\Windows\System32\KERNELBASE.dll |
C:\Windows\SYSTEM32\ntdll.dll |
Signature
- Status: Signature verified.
- Serial: 02CCD99F7D556C13CE8710C69D09B31A
- Thumbprint: E8EF7325044D018B0C0DCD8CBA4190B155857F3B
- Issuer: CN=Sectigo RSA Code Signing CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB
- Subject: CN="Wireshark Foundation, Inc.", O="Wireshark Foundation, Inc.", STREET=711 4th street, L=Davis, S=CA, PostalCode=95616, C=US
File Metadata
- Original Filename: TShark.exe
- Product Name: TShark
- Company Name: The Wireshark developer community
- File Version: 3.2.7
- Product Version: 3.2.7
- Language: English (United States)
- Legal Copyright: Copyright 2000 Gerald Combs gerald@wireshark.org, Gilbert Ramirez gram@alumni.rice.edu and others
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/71
- VirusTotal Link: https://www.virustotal.com/gui/file/2530bc472f4c73b19c6a2d99c5879c6943279f7c18e37f89f1e58aec32701625/detection/
Possible Misuse
The following table contains possible examples of tshark.exe being misused. While tshark.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | lnx_network_sniffing.yml | a0: 'tshark' | DRL 1.0 |
sigma | proc_creation_macos_network_sniffing.yml | - '/tshark' | DRL 1.0 |
sigma | proc_creation_win_network_sniffing.yml | - Image\|endswith: '\tshark.exe' | DRL 1.0 |
atomic-red-team | T1040.md | Perform a PCAP. Wireshark will be required for tshark. TCPdump may already be installed. | MIT License. © 2018 Red Canary |
atomic-red-team | T1040.md | Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33. | MIT License. © 2018 Red Canary |
atomic-red-team | T1040.md | tshark -c 5 -i #{interface} | MIT License. © 2018 Red Canary |
atomic-red-team | T1040.md | ##### Description: Check if at least one of tcpdump or tshark is installed. | MIT License. © 2018 Red Canary |
atomic-red-team | T1040.md | if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; | MIT License. © 2018 Red Canary |
atomic-red-team | T1040.md | (which yum && yum -y install epel-release tcpdump tshark)\|\|(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark) | MIT License. © 2018 Red Canary |
atomic-red-team | T1040.md | Perform a PCAP on macOS. This will require Wireshark/tshark to be installed. TCPdump may already be installed. | MIT License. © 2018 Red Canary |
atomic-red-team | T1040.md | Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface en0A. | MIT License. © 2018 Red Canary |
atomic-red-team | T1040.md | if [ -x "$(command -v tshark)" ]; then sudo tshark -c 5 -i #{interface}; fi; | MIT License. © 2018 Red Canary |
atomic-red-team | T1040.md | Perform a packet capture using the windows command prompt. This will require a host that has Wireshark/Tshark | MIT License. © 2018 Red Canary |
atomic-red-team | T1040.md | Upon successful execution, tshark will execute and capture 5 packets on interface "Ethernet". | MIT License. © 2018 Red Canary |
atomic-red-team | T1040.md | \| tshark_path \| path to tshark.exe \| Path \| c:\program files\wireshark\tshark.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1040.md | "c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5 | MIT License. © 2018 Red Canary |
atomic-red-team | T1040.md | ##### Description: tshark must be installed and in the default path of "c:\Program Files\Wireshark\Tshark.exe". | MIT License. © 2018 Red Canary |
atomic-red-team | T1048.003.md | tshark -f "udp port 53" -Y "dns.qry.type == 1 and dns.flags.response == 0 and dns.qry.name matches ".domain"" >> received_data.txt | MIT License. © 2018 Red Canary |
signature-base | apt_fin7_backdoor.yar | $a3 = “tshark.exe” fullword ascii | CC BY-NC 4.0 |
MIT License. Copyright (c) 2020-2021 Strontic.