Rowbot's PenTest Notes
Rowbot's PenTest Notes
www.OffSecNewbie.com
Intro
Pre-engagement
General methodology
OSCP Templates
Recon
Attack Types
Network
Shells
Port Forwarding / SSH Tunneling
Transferring files
Web
SQL
Password cracking
Useful Linux Commands
Android
Buffer Overflow
TCP Dump and Wireshark Commands
Cloud Pentesting
Privilege Escalation
Linux
Windows
Kali Configuration
My bash Profile Files
Terminator Configuration
Tmux Configuration
Fish Config
Useful things to Install
VSCode Configuration
Automated
Tools
Videos
My Youtube Channel
IppSec Videos
The Cyber Mentor
VMs Similar to OSCP
Machines Similar to OSCP
Search Ippsec's Videos
Search Ippsec's Videos
Pcap Analysis
Pcap analysis
RegEx
MSFvenom Cheetsheet
Support me
Donate
Powered by GitBook

TCP Dump and Wireshark Commands

https://www.rationallyparanoid.com/articles/tcpdump.html
In most cases you will need root permission to be able to capture packets on an interface. Using tcpdump (with root) to capture the packets and saving them to a file to analyze with Wireshark (using a regular account) is recommended over using Wireshark with a root account to capture packets on an "untrusted" interface. See the Wireshark security advisories for reasons why.
See the list of interfaces on which tcpdump can listen:
tcpdump -D
Listen on interface eth0:
tcpdump -i eth0
Listen on any available interface (cannot be done in promiscuous mode. Requires Linux kernel 2.2 or greater):
tcpdump -i any
Be verbose while capturing packets:
tcpdump -v
Be more verbose while capturing packets:
tcpdump -vv
Be very verbose while capturing packets:
tcpdump -vvv
Be verbose and print the data of each packet in both hex and ASCII, excluding the link level header:
tcpdump -v -X
Be verbose and print the data of each packet in both hex and ASCII, also including the link level header:
tcpdump -v -XX
Be less verbose (than the default) while capturing packets:
tcpdump -q
Limit the capture to 100 packets:
tcpdump -c 100
Record the packet capture to a file called capture.cap:
tcpdump -w capture.cap
Record the packet capture to a file called capture.cap but display on-screen how many packets have been captured in real-time:
tcpdump -v -w capture.cap
Display the packets of a file called capture.cap:
tcpdump -r capture.cap
Display the packets using maximum detail of a file called capture.cap:
tcpdump -vvv -r capture.cap
Display IP addresses and port numbers instead of domain and service names when capturing packets (note: on some systems you need to specify -nn to display port numbers):
tcpdump -n
Capture any packets where the destination host is 192.168.1.1. Display IP addresses and port numbers:
tcpdump -n dst host 192.168.1.1
Capture any packets where the source host is 192.168.1.1. Display IP addresses and port numbers:
tcpdump -n src host 192.168.1.1
Capture any packets where the source or destination host is 192.168.1.1. Display IP addresses and port numbers:
tcpdump -n host 192.168.1.1
Capture any packets where the destination network is 192.168.1.0/24. Display IP addresses and port numbers:
tcpdump -n dst net 192.168.1.0/24
Capture any packets where the source network is 192.168.1.0/24. Display IP addresses and port numbers:
tcpdump -n src net 192.168.1.0/24
Capture any packets where the source or destination network is 192.168.1.0/24. Display IP addresses and port numbers:
tcpdump -n net 192.168.1.0/24
Capture any packets where the destination port is 23. Display IP addresses and port numbers:
tcpdump -n dst port 23
Capture any packets where the destination port is is between 1 and 1023 inclusive. Display IP addresses and port numbers:
tcpdump -n dst portrange 1-1023
Capture only TCP packets where the destination port is is between 1 and 1023 inclusive. Display IP addresses and port numbers:
tcpdump -n tcp dst portrange 1-1023
Capture only UDP packets where the destination port is is between 1 and 1023 inclusive. Display IP addresses and port numbers:
tcpdump -n udp dst portrange 1-1023
Capture any packets with destination IP 192.168.1.1 and destination port 23. Display IP addresses and port numbers:
tcpdump -n "dst host 192.168.1.1 and dst port 23"
Capture any packets with destination IP 192.168.1.1 and destination port 80 or 443. Display IP addresses and port numbers:
tcpdump -n "dst host 192.168.1.1 and (dst port 80 or dst port 443)"
Capture any ICMP packets:
tcpdump -v icmp
Capture any ARP packets:
tcpdump -v arp
Capture either ICMP or ARP packets:
tcpdump -v "icmp or arp"
Capture any packets that are broadcast or multicast:
tcpdump -n "broadcast or multicast"
Capture 500 bytes of data for each packet rather than the default of 68 bytes:
tcpdump -s 500
Capture all bytes of data within the packet:
tcpdump -s 0

ngrep

Search in a pcap file for a string on a that is set from a certain ip to a certain port

ngrep -I file.pcap -w "text2find" dst host $ip and port $port

Wireshark

https://packetlife.net/media/library/13/Wireshark_Display_Filters.pdf
WIRESHARK DISPLAY FILTERS · PART 1
Ethernet
eth.addr eth.len eth.src
eth.dst eth.lg eth.trailer
eth.ig eth.multicast eth.type
IEEE 802.1Q
vlan.cfi vlan.id vlan.priority
vlan.etype vlan.len vlan.trailer
IPv4
ARP
ip.addr ip.fragment.overlap.conflict
ip.checksum ip.fragment.toolongfragment
ip.checksum_bad ip.fragments
ip.checksum_good ip.hdr_len
ip.dsfield ip.host
ip.dsfield.ce ip.id
ip.dsfield.dscp ip.len
ip.dsfield.ect ip.proto
ip.dst ip.reassembled_in
ip.dst_host ip.src
ip.flags ip.src_host
ip.flags.df ip.tos
ip.flags.mf ip.tos.cost
ip.flags.rb ip.tos.delay
ip.frag_offset ip.tos.precedence
ip.fragment ip.tos.reliability
ip.fragment.error ip.tos.throughput
ip.fragment.multipletails ip.ttl
ip.fragment.overlap ip.version
IPv6
ipv6.addr ipv6.hop_opt
ipv6.class ipv6.host
ipv6.dst ipv6.mipv6_home_address
ipv6.dst_host ipv6.mipv6_length
ipv6.dst_opt ipv6.mipv6_type
ipv6.flow ipv6.nxt
ipv6.fragment ipv6.opt.pad1
ipv6.fragment.error ipv6.opt.padn
ipv6.fragment.more ipv6.plen
ipv6.fragment.multipletails ipv6.reassembled_in
ipv6.fragment.offset ipv6.routing_hdr
ipv6.fragment.overlap ipv6.routing_hdr.addr
ipv6.fragment.overlap.conflict ipv6.routing_hdr.left
ipv6.fragment.toolongfragment ipv6.routing_hdr.type
ipv6.fragments ipv6.src
ipv6.fragment.id ipv6.src_host
ipv6.hlim ipv6.version
arp.dst.hw_mac arp.proto.size
arp.dst.proto_ipv4 arp.proto.type
arp.hw.size arp.src.hw_mac
arp.hw.type arp.src.proto_ipv4
arp.opcode
TCP
tcp.ack tcp.options.qs
tcp.checksum tcp.options.sack
tcp.checksum_bad tcp.options.sack_le
tcp.checksum_good tcp.options.sack_perm
tcp.continuation_to tcp.options.sack_re
tcp.dstport tcp.options.time_stamp
tcp.flags tcp.options.wscale
tcp.flags.ack tcp.options.wscale_val
tcp.flags.cwr tcp.pdu.last_frame
tcp.flags.ecn tcp.pdu.size
tcp.flags.fin tcp.pdu.time
tcp.flags.push tcp.port
tcp.flags.reset tcp.reassembled_in
tcp.flags.syn tcp.segment
tcp.flags.urg tcp.segment.error
tcp.hdr_len tcp.segment.multipletails
tcp.len tcp.segment.overlap
tcp.nxtseq tcp.segment.overlap.conflict
tcp.options tcp.segment.toolongfragment
tcp.options.cc tcp.segments
tcp.options.ccecho tcp.seq
tcp.options.ccnew tcp.srcport
tcp.options.echo tcp.time_delta
tcp.options.echo_reply tcp.time_relative
tcp.options.md5 tcp.urgent_pointer
tcp.options.mss tcp.window_size
tcp.options.mss_val
UDP
udp.checksum udp.dstport udp.srcport
udp.checksum_bad udp.length
udp.checksum_good udp.port
Operators
eq or ==
ne or !=
gt or >
lt or <
ge or >=
le or <=
Logic
and or && Logical AND
or or || Logical OR
xor or ^^ Logical XOR
not or ! Logical NOT
[n] […] Substring operator
Frame Relay
fr.becn fr.de
fr.chdlctype fr.dlci
fr.control fr.dlcore_control
fr.control.f fr.ea
fr.control.ftype fr.fecn
fr.control.n_r fr.lower_dlci
fr.control.n_s fr.nlpid
fr.control.p fr.second_dlci
fr.control.s_ftype fr.snap.oui
fr.control.u_modifier_cmd fr.snap.pid
fr.control.u_modifier_resp fr.snaptype
fr.cr fr.third_dlci
fr.dc fr.upper_dlci
ICMPv6
icmpv6.all_comp
icmpv6.checksum
icmpv6.option.name_type.fqdn
icmpv6.option.name_x501
icmpv6.checksum_bad
icmpv6.code
icmpv6.option.rsa.key_hash
icmpv6.option.type
icmpv6.comp
icmpv6.haad.ha_addrs
icmpv6.ra.cur_hop_limit
icmpv6.ra.reachable_time
icmpv6.identifier
icmpv6.option
icmpv6.ra.retrans_timer
icmpv6.ra.router_lifetime
icmpv6.option.cga
icmpv6.option.length
icmpv6.recursive_dns_serv
icmpv6.type
icmpv6.option.name_type
RIP
BGP
bgp.aggregator_as bgp.mp_reach_nlri_ipv4_prefix
bgp.aggregator_origin bgp.mp_unreach_nlri_ipv4_prefix
bgp.as_path bgp.multi_exit_disc
bgp.cluster_identifier bgp.next_hop
bgp.cluster_list bgp.nlri_prefix
bgp.community_as bgp.origin
bgp.community_value bgp.originator_id
bgp.local_pref bgp.type
bgp.mp_nlri_tnl_id bgp.withdrawn_prefix
HTTP
http.accept http.proxy_authorization
http.accept_encoding http.proxy_connect_host
http.accept_language http.proxy_connect_port
http.authbasic http.referer
http.authorization http.request
http.cache_control http.request.method
http.connection http.request.uri
http.content_encoding http.request.version
http.content_length http.response
http.content_type http.response.code
http.cookie http.server
http.date http.set_cookie
http.host http.transfer_encoding
http.last_modified http.user_agent
http.location http.www_authenticate
http.notification http.x_forwarded_for
http.proxy_authenticate
PPP
ppp.address ppp.direction
ppp.control ppp.protocol
rip.auth.passwd rip.ip rip.route_tag
rip.auth.type rip.metric rip.routing_domain
rip.command rip.netmask rip.version
rip.family rip.next_hop
MPLS
mpls.bottom mpls.oam.defect_location
mpls.cw.control mpls.oam.defect_type
mpls.cw.res mpls.oam.frequency
mpls.exp mpls.oam.function_type
mpls.label mpls.oam.ttsi
mpls.oam.bip16 mpls.ttl
ICMP
icmp.checksum icmp.ident icmp.seq
icmp.checksum_bad icmp.mtu icmp.type
icmp.code icmp.redir_gw
DTP
dtp.neighbor dtp.tlv_type vtp.neighbor
dtp.tlv_len dtp.version
VTP
vtp.code vtp.vlan_info.802_10_index
vtp.conf_rev_num vtp.vlan_info.isl_vlan_id
vtp.followers vtp.vlan_info.len
vtp.md vtp.vlan_info.mtu_size
vtp.md5_digest vtp.vlan_info.status.vlan_susp
vtp.md_len vtp.vlan_info.tlv_len
vtp.seq_num vtp.vlan_info.tlv_type
vtp.start_value vtp.vlan_info.vlan_name
vtp.upd_id vtp.vlan_info.vlan_name_len
vtp.upd_ts vtp.vlan_info.vlan_type
vtp.version
Previous
Buffer Overflow
Next
Cloud Pentesting
Last updated 9 months ago
Contents
ngrep
Wireshark