www.OffSecNewbie.com
Search…
Intro
Pre-engagement
General methodology
OSCP Templates
Recon
Attack Types
Network
Shells
Port Forwarding / SSH Tunneling
Transferring files
Web
SQL
Password cracking
Useful Linux Commands
Android
Buffer Overflow
TCP Dump and Wireshark Commands
Cloud Pentesting
Privilege Escalation
Linux
Windows
Kali Configuration
My bash Profile Files
Terminator Configuration
Tmux Configuration
Fish Config
Useful things to Install
VSCode Configuration
Automated
Tools
Videos
My Youtube Channel
IppSec Videos
The Cyber Mentor
VMs Similar to OSCP
Machines Similar to OSCP
Search Ippsec's Videos
Search Ippsec's Videos
Pcap Analysis
Pcap analysis
RegEx
MSFvenom Cheetsheet
Support me
Donate
Powered By GitBook
TCP Dump and Wireshark Commands
1
https://www.rationallyparanoid.com/articles/tcpdump.html
Copied!
1
In most cases you will need root permission to be able to capture packets on an interface. Using tcpdump (with root) to capture the packets and saving them to a file to analyze with Wireshark (using a regular account) is recommended over using Wireshark with a root account to capture packets on an "untrusted" interface. See the Wireshark security advisories for reasons why.
2
​
3
See the list of interfaces on which tcpdump can listen:
4
​
5
tcpdump -D
6
Listen on interface eth0:
7
​
8
tcpdump -i eth0
9
Listen on any available interface (cannot be done in promiscuous mode. Requires Linux kernel 2.2 or greater):
10
​
11
tcpdump -i any
12
Be verbose while capturing packets:
13
​
14
tcpdump -v
15
Be more verbose while capturing packets:
16
​
17
tcpdump -vv
18
Be very verbose while capturing packets:
19
​
20
tcpdump -vvv
21
Be verbose and print the data of each packet in both hex and ASCII, excluding the link level header:
22
​
23
tcpdump -v -X
24
Be verbose and print the data of each packet in both hex and ASCII, also including the link level header:
25
​
26
tcpdump -v -XX
27
Be less verbose (than the default) while capturing packets:
28
​
29
tcpdump -q
30
Limit the capture to 100 packets:
31
​
32
tcpdump -c 100
33
Record the packet capture to a file called capture.cap:
34
​
35
tcpdump -w capture.cap
36
Record the packet capture to a file called capture.cap but display on-screen how many packets have been captured in real-time:
37
​
38
tcpdump -v -w capture.cap
39
Display the packets of a file called capture.cap:
40
​
41
tcpdump -r capture.cap
42
Display the packets using maximum detail of a file called capture.cap:
43
​
44
tcpdump -vvv -r capture.cap
45
Display IP addresses and port numbers instead of domain and service names when capturing packets (note: on some systems you need to specify -nn to display port numbers):
46
​
47
tcpdump -n
48
Capture any packets where the destination host is 192.168.1.1. Display IP addresses and port numbers:
49
​
50
tcpdump -n dst host 192.168.1.1
51
Capture any packets where the source host is 192.168.1.1. Display IP addresses and port numbers:
52
​
53
tcpdump -n src host 192.168.1.1
54
Capture any packets where the source or destination host is 192.168.1.1. Display IP addresses and port numbers:
55
​
56
tcpdump -n host 192.168.1.1
57
Capture any packets where the destination network is 192.168.1.0/24. Display IP addresses and port numbers:
58
​
59
tcpdump -n dst net 192.168.1.0/24
60
Capture any packets where the source network is 192.168.1.0/24. Display IP addresses and port numbers:
61
​
62
tcpdump -n src net 192.168.1.0/24
63
Capture any packets where the source or destination network is 192.168.1.0/24. Display IP addresses and port numbers:
64
​
65
tcpdump -n net 192.168.1.0/24
66
Capture any packets where the destination port is 23. Display IP addresses and port numbers:
67
​
68
tcpdump -n dst port 23
69
Capture any packets where the destination port is is between 1 and 1023 inclusive. Display IP addresses and port numbers:
70
​
71
tcpdump -n dst portrange 1-1023
72
Capture only TCP packets where the destination port is is between 1 and 1023 inclusive. Display IP addresses and port numbers:
73
​
74
tcpdump -n tcp dst portrange 1-1023
75
Capture only UDP packets where the destination port is is between 1 and 1023 inclusive. Display IP addresses and port numbers:
76
​
77
tcpdump -n udp dst portrange 1-1023
78
Capture any packets with destination IP 192.168.1.1 and destination port 23. Display IP addresses and port numbers:
79
​
80
tcpdump -n "dst host 192.168.1.1 and dst port 23"
81
Capture any packets with destination IP 192.168.1.1 and destination port 80 or 443. Display IP addresses and port numbers:
82
​
83
tcpdump -n "dst host 192.168.1.1 and (dst port 80 or dst port 443)"
84
Capture any ICMP packets:
85
​
86
tcpdump -v icmp
87
Capture any ARP packets:
88
​
89
tcpdump -v arp
90
Capture either ICMP or ARP packets:
91
​
92
tcpdump -v "icmp or arp"
93
Capture any packets that are broadcast or multicast:
94
​
95
tcpdump -n "broadcast or multicast"
96
Capture 500 bytes of data for each packet rather than the default of 68 bytes:
97
​
98
tcpdump -s 500
99
Capture all bytes of data within the packet:
100
​
101
tcpdump -s 0
Copied!

ngrep

Search in a pcap file for a string on a that is set from a certain ip to a certain port
1
ngrep -I file.pcap -w "text2find" dst host $ip and port $port
Copied!

Wireshark

1
https://packetlife.net/media/library/13/Wireshark_Display_Filters.pdf
Copied!
1
WIRESHARK DISPLAY FILTERS · PART 1
2
Ethernet
3
eth.addr eth.len eth.src
4
eth.dst eth.lg eth.trailer
5
eth.ig eth.multicast eth.type
6
IEEE 802.1Q
7
vlan.cfi vlan.id vlan.priority
8
vlan.etype vlan.len vlan.trailer
9
IPv4
10
​
11
ARP
12
ip.addr ip.fragment.overlap.conflict
13
ip.checksum ip.fragment.toolongfragment
14
ip.checksum_bad ip.fragments
15
ip.checksum_good ip.hdr_len
16
ip.dsfield ip.host
17
ip.dsfield.ce ip.id
18
ip.dsfield.dscp ip.len
19
ip.dsfield.ect ip.proto
20
ip.dst ip.reassembled_in
21
ip.dst_host ip.src
22
ip.flags ip.src_host
23
ip.flags.df ip.tos
24
ip.flags.mf ip.tos.cost
25
ip.flags.rb ip.tos.delay
26
ip.frag_offset ip.tos.precedence
27
ip.fragment ip.tos.reliability
28
ip.fragment.error ip.tos.throughput
29
ip.fragment.multipletails ip.ttl
30
ip.fragment.overlap ip.version
31
​
32
IPv6
33
ipv6.addr ipv6.hop_opt
34
ipv6.class ipv6.host
35
ipv6.dst ipv6.mipv6_home_address
36
ipv6.dst_host ipv6.mipv6_length
37
ipv6.dst_opt ipv6.mipv6_type
38
ipv6.flow ipv6.nxt
39
ipv6.fragment ipv6.opt.pad1
40
ipv6.fragment.error ipv6.opt.padn
41
ipv6.fragment.more ipv6.plen
42
ipv6.fragment.multipletails ipv6.reassembled_in
43
ipv6.fragment.offset ipv6.routing_hdr
44
ipv6.fragment.overlap ipv6.routing_hdr.addr
45
ipv6.fragment.overlap.conflict ipv6.routing_hdr.left
46
ipv6.fragment.toolongfragment ipv6.routing_hdr.type
47
ipv6.fragments ipv6.src
48
ipv6.fragment.id ipv6.src_host
49
ipv6.hlim ipv6.version
50
arp.dst.hw_mac arp.proto.size
51
arp.dst.proto_ipv4 arp.proto.type
52
arp.hw.size arp.src.hw_mac
53
arp.hw.type arp.src.proto_ipv4
54
arp.opcode
55
​
56
TCP
57
tcp.ack tcp.options.qs
58
tcp.checksum tcp.options.sack
59
tcp.checksum_bad tcp.options.sack_le
60
tcp.checksum_good tcp.options.sack_perm
61
tcp.continuation_to tcp.options.sack_re
62
tcp.dstport tcp.options.time_stamp
63
tcp.flags tcp.options.wscale
64
tcp.flags.ack tcp.options.wscale_val
65
tcp.flags.cwr tcp.pdu.last_frame
66
tcp.flags.ecn tcp.pdu.size
67
tcp.flags.fin tcp.pdu.time
68
tcp.flags.push tcp.port
69
tcp.flags.reset tcp.reassembled_in
70
tcp.flags.syn tcp.segment
71
tcp.flags.urg tcp.segment.error
72
tcp.hdr_len tcp.segment.multipletails
73
tcp.len tcp.segment.overlap
74
tcp.nxtseq tcp.segment.overlap.conflict
75
tcp.options tcp.segment.toolongfragment
76
tcp.options.cc tcp.segments
77
tcp.options.ccecho tcp.seq
78
tcp.options.ccnew tcp.srcport
79
tcp.options.echo tcp.time_delta
80
tcp.options.echo_reply tcp.time_relative
81
tcp.options.md5 tcp.urgent_pointer
82
tcp.options.mss tcp.window_size
83
tcp.options.mss_val
84
​
85
UDP
86
udp.checksum udp.dstport udp.srcport
87
udp.checksum_bad udp.length
88
udp.checksum_good udp.port
89
Operators
90
eq or ==
91
ne or !=
92
gt or >
93
lt or <
94
ge or >=
95
le or <=
96
Logic
97
and or && Logical AND
98
or or || Logical OR
99
xor or ^^ Logical XOR
100
not or ! Logical NOT
101
[n] […] Substring operator
102
​
103
Frame Relay
104
fr.becn fr.de
105
fr.chdlctype fr.dlci
106
fr.control fr.dlcore_control
107
fr.control.f fr.ea
108
fr.control.ftype fr.fecn
109
fr.control.n_r fr.lower_dlci
110
fr.control.n_s fr.nlpid
111
fr.control.p fr.second_dlci
112
fr.control.s_ftype fr.snap.oui
113
fr.control.u_modifier_cmd fr.snap.pid
114
fr.control.u_modifier_resp fr.snaptype
115
fr.cr fr.third_dlci
116
fr.dc fr.upper_dlci
117
​
118
ICMPv6
119
icmpv6.all_comp
120
icmpv6.checksum
121
icmpv6.option.name_type.fqdn
122
icmpv6.option.name_x501
123
icmpv6.checksum_bad
124
icmpv6.code
125
icmpv6.option.rsa.key_hash
126
icmpv6.option.type
127
icmpv6.comp
128
icmpv6.haad.ha_addrs
129
icmpv6.ra.cur_hop_limit
130
icmpv6.ra.reachable_time
131
icmpv6.identifier
132
icmpv6.option
133
icmpv6.ra.retrans_timer
134
icmpv6.ra.router_lifetime
135
icmpv6.option.cga
136
icmpv6.option.length
137
icmpv6.recursive_dns_serv
138
icmpv6.type
139
icmpv6.option.name_type
140
RIP
141
​
142
BGP
143
bgp.aggregator_as bgp.mp_reach_nlri_ipv4_prefix
144
bgp.aggregator_origin bgp.mp_unreach_nlri_ipv4_prefix
145
bgp.as_path bgp.multi_exit_disc
146
bgp.cluster_identifier bgp.next_hop
147
bgp.cluster_list bgp.nlri_prefix
148
bgp.community_as bgp.origin
149
bgp.community_value bgp.originator_id
150
bgp.local_pref bgp.type
151
bgp.mp_nlri_tnl_id bgp.withdrawn_prefix
152
​
153
HTTP
154
http.accept http.proxy_authorization
155
http.accept_encoding http.proxy_connect_host
156
http.accept_language http.proxy_connect_port
157
http.authbasic http.referer
158
http.authorization http.request
159
http.cache_control http.request.method
160
http.connection http.request.uri
161
http.content_encoding http.request.version
162
http.content_length http.response
163
http.content_type http.response.code
164
http.cookie http.server
165
http.date http.set_cookie
166
http.host http.transfer_encoding
167
http.last_modified http.user_agent
168
http.location http.www_authenticate
169
http.notification http.x_forwarded_for
170
http.proxy_authenticate
171
PPP
172
ppp.address ppp.direction
173
ppp.control ppp.protocol
174
rip.auth.passwd rip.ip rip.route_tag
175
rip.auth.type rip.metric rip.routing_domain
176
rip.command rip.netmask rip.version
177
rip.family rip.next_hop
178
​
179
MPLS
180
mpls.bottom mpls.oam.defect_location
181
mpls.cw.control mpls.oam.defect_type
182
mpls.cw.res mpls.oam.frequency
183
mpls.exp mpls.oam.function_type
184
mpls.label mpls.oam.ttsi
185
mpls.oam.bip16 mpls.ttl
186
​
187
ICMP
188
icmp.checksum icmp.ident icmp.seq
189
icmp.checksum_bad icmp.mtu icmp.type
190
icmp.code icmp.redir_gw
191
​
192
DTP
193
dtp.neighbor dtp.tlv_type vtp.neighbor
194
dtp.tlv_len dtp.version
195
​
196
VTP
197
vtp.code vtp.vlan_info.802_10_index
198
vtp.conf_rev_num vtp.vlan_info.isl_vlan_id
199
vtp.followers vtp.vlan_info.len
200
vtp.md vtp.vlan_info.mtu_size
201
vtp.md5_digest vtp.vlan_info.status.vlan_susp
202
vtp.md_len vtp.vlan_info.tlv_len
203
vtp.seq_num vtp.vlan_info.tlv_type
204
vtp.start_value vtp.vlan_info.vlan_name
205
vtp.upd_id vtp.vlan_info.vlan_name_len
206
vtp.upd_ts vtp.vlan_info.vlan_type
207
vtp.version
Copied!
Previous
Buffer Overflow
Next
Cloud Pentesting
Last modified 1yr ago
Copy link
Contents
ngrep
Wireshark