# TCP Dump and Wireshark Commands ``` https://www.rationallyparanoid.com/articles/tcpdump.html ``` ``` In most cases you will need root permission to be able to capture packets on an interface. Using tcpdump (with root) to capture the packets and saving them to a file to analyze with Wireshark (using a regular account) is recommended over using Wireshark with a root account to capture packets on an "untrusted" interface. See the Wireshark security advisories for reasons why. See the list of interfaces on which tcpdump can listen: tcpdump -D Listen on interface eth0: tcpdump -i eth0 Listen on any available interface (cannot be done in promiscuous mode. Requires Linux kernel 2.2 or greater): tcpdump -i any Be verbose while capturing packets: tcpdump -v Be more verbose while capturing packets: tcpdump -vv Be very verbose while capturing packets: tcpdump -vvv Be verbose and print the data of each packet in both hex and ASCII, excluding the link level header: tcpdump -v -X Be verbose and print the data of each packet in both hex and ASCII, also including the link level header: tcpdump -v -XX Be less verbose (than the default) while capturing packets: tcpdump -q Limit the capture to 100 packets: tcpdump -c 100 Record the packet capture to a file called capture.cap: tcpdump -w capture.cap Record the packet capture to a file called capture.cap but display on-screen how many packets have been captured in real-time: tcpdump -v -w capture.cap Display the packets of a file called capture.cap: tcpdump -r capture.cap Display the packets using maximum detail of a file called capture.cap: tcpdump -vvv -r capture.cap Display IP addresses and port numbers instead of domain and service names when capturing packets (note: on some systems you need to specify -nn to display port numbers): tcpdump -n Capture any packets where the destination host is 192.168.1.1. Display IP addresses and port numbers: tcpdump -n dst host 192.168.1.1 Capture any packets where the source host is 192.168.1.1. Display IP addresses and port numbers: tcpdump -n src host 192.168.1.1 Capture any packets where the source or destination host is 192.168.1.1. Display IP addresses and port numbers: tcpdump -n host 192.168.1.1 Capture any packets where the destination network is 192.168.1.0/24. Display IP addresses and port numbers: tcpdump -n dst net 192.168.1.0/24 Capture any packets where the source network is 192.168.1.0/24. Display IP addresses and port numbers: tcpdump -n src net 192.168.1.0/24 Capture any packets where the source or destination network is 192.168.1.0/24. Display IP addresses and port numbers: tcpdump -n net 192.168.1.0/24 Capture any packets where the destination port is 23. Display IP addresses and port numbers: tcpdump -n dst port 23 Capture any packets where the destination port is is between 1 and 1023 inclusive. Display IP addresses and port numbers: tcpdump -n dst portrange 1-1023 Capture only TCP packets where the destination port is is between 1 and 1023 inclusive. Display IP addresses and port numbers: tcpdump -n tcp dst portrange 1-1023 Capture only UDP packets where the destination port is is between 1 and 1023 inclusive. Display IP addresses and port numbers: tcpdump -n udp dst portrange 1-1023 Capture any packets with destination IP 192.168.1.1 and destination port 23. Display IP addresses and port numbers: tcpdump -n "dst host 192.168.1.1 and dst port 23" Capture any packets with destination IP 192.168.1.1 and destination port 80 or 443. Display IP addresses and port numbers: tcpdump -n "dst host 192.168.1.1 and (dst port 80 or dst port 443)" Capture any ICMP packets: tcpdump -v icmp Capture any ARP packets: tcpdump -v arp Capture either ICMP or ARP packets: tcpdump -v "icmp or arp" Capture any packets that are broadcast or multicast: tcpdump -n "broadcast or multicast" Capture 500 bytes of data for each packet rather than the default of 68 bytes: tcpdump -s 500 Capture all bytes of data within the packet: tcpdump -s 0 ``` ## ngrep Search in a pcap file for a string on a that is set from a certain ip to a certain port ``` ngrep -I file.pcap -w "text2find" dst host $ip and port $port ``` ## Wireshark ``` https://packetlife.net/media/library/13/Wireshark_Display_Filters.pdf ``` ``` WIRESHARK DISPLAY FILTERS · PART 1 Ethernet eth.addr eth.len eth.src eth.dst eth.lg eth.trailer eth.ig eth.multicast eth.type IEEE 802.1Q vlan.cfi vlan.id vlan.priority vlan.etype vlan.len vlan.trailer IPv4 ARP ip.addr ip.fragment.overlap.conflict ip.checksum ip.fragment.toolongfragment ip.checksum_bad ip.fragments ip.checksum_good ip.hdr_len ip.dsfield ip.host ip.dsfield.ce ip.id ip.dsfield.dscp ip.len ip.dsfield.ect ip.proto ip.dst ip.reassembled_in ip.dst_host ip.src ip.flags ip.src_host ip.flags.df ip.tos ip.flags.mf ip.tos.cost ip.flags.rb ip.tos.delay ip.frag_offset ip.tos.precedence ip.fragment ip.tos.reliability ip.fragment.error ip.tos.throughput ip.fragment.multipletails ip.ttl ip.fragment.overlap ip.version IPv6 ipv6.addr ipv6.hop_opt ipv6.class ipv6.host ipv6.dst ipv6.mipv6_home_address ipv6.dst_host ipv6.mipv6_length ipv6.dst_opt ipv6.mipv6_type ipv6.flow ipv6.nxt ipv6.fragment ipv6.opt.pad1 ipv6.fragment.error ipv6.opt.padn ipv6.fragment.more ipv6.plen ipv6.fragment.multipletails ipv6.reassembled_in ipv6.fragment.offset ipv6.routing_hdr ipv6.fragment.overlap ipv6.routing_hdr.addr ipv6.fragment.overlap.conflict ipv6.routing_hdr.left ipv6.fragment.toolongfragment ipv6.routing_hdr.type ipv6.fragments ipv6.src ipv6.fragment.id ipv6.src_host ipv6.hlim ipv6.version arp.dst.hw_mac arp.proto.size arp.dst.proto_ipv4 arp.proto.type arp.hw.size arp.src.hw_mac arp.hw.type arp.src.proto_ipv4 arp.opcode TCP tcp.ack tcp.options.qs tcp.checksum tcp.options.sack tcp.checksum_bad tcp.options.sack_le tcp.checksum_good tcp.options.sack_perm tcp.continuation_to tcp.options.sack_re tcp.dstport tcp.options.time_stamp tcp.flags tcp.options.wscale tcp.flags.ack tcp.options.wscale_val tcp.flags.cwr tcp.pdu.last_frame tcp.flags.ecn tcp.pdu.size tcp.flags.fin tcp.pdu.time tcp.flags.push tcp.port tcp.flags.reset tcp.reassembled_in tcp.flags.syn tcp.segment tcp.flags.urg tcp.segment.error tcp.hdr_len tcp.segment.multipletails tcp.len tcp.segment.overlap tcp.nxtseq tcp.segment.overlap.conflict tcp.options tcp.segment.toolongfragment tcp.options.cc tcp.segments tcp.options.ccecho tcp.seq tcp.options.ccnew tcp.srcport tcp.options.echo tcp.time_delta tcp.options.echo_reply tcp.time_relative tcp.options.md5 tcp.urgent_pointer tcp.options.mss tcp.window_size tcp.options.mss_val UDP udp.checksum udp.dstport udp.srcport udp.checksum_bad udp.length udp.checksum_good udp.port Operators eq or == ne or != gt or > lt or < ge or >= le or <= Logic and or && Logical AND or or || Logical OR xor or ^^ Logical XOR not or ! Logical NOT [n] […] Substring operator Frame Relay fr.becn fr.de fr.chdlctype fr.dlci fr.control fr.dlcore_control fr.control.f fr.ea fr.control.ftype fr.fecn fr.control.n_r fr.lower_dlci fr.control.n_s fr.nlpid fr.control.p fr.second_dlci fr.control.s_ftype fr.snap.oui fr.control.u_modifier_cmd fr.snap.pid fr.control.u_modifier_resp fr.snaptype fr.cr fr.third_dlci fr.dc fr.upper_dlci ICMPv6 icmpv6.all_comp icmpv6.checksum icmpv6.option.name_type.fqdn icmpv6.option.name_x501 icmpv6.checksum_bad icmpv6.code icmpv6.option.rsa.key_hash icmpv6.option.type icmpv6.comp icmpv6.haad.ha_addrs icmpv6.ra.cur_hop_limit icmpv6.ra.reachable_time icmpv6.identifier icmpv6.option icmpv6.ra.retrans_timer icmpv6.ra.router_lifetime icmpv6.option.cga icmpv6.option.length icmpv6.recursive_dns_serv icmpv6.type icmpv6.option.name_type RIP BGP bgp.aggregator_as bgp.mp_reach_nlri_ipv4_prefix bgp.aggregator_origin bgp.mp_unreach_nlri_ipv4_prefix bgp.as_path bgp.multi_exit_disc bgp.cluster_identifier bgp.next_hop bgp.cluster_list bgp.nlri_prefix bgp.community_as bgp.origin bgp.community_value bgp.originator_id bgp.local_pref bgp.type bgp.mp_nlri_tnl_id bgp.withdrawn_prefix HTTP http.accept http.proxy_authorization http.accept_encoding http.proxy_connect_host http.accept_language http.proxy_connect_port http.authbasic http.referer http.authorization http.request http.cache_control http.request.method http.connection http.request.uri http.content_encoding http.request.version http.content_length http.response http.content_type http.response.code http.cookie http.server http.date http.set_cookie http.host http.transfer_encoding http.last_modified http.user_agent http.location http.www_authenticate http.notification http.x_forwarded_for http.proxy_authenticate PPP ppp.address ppp.direction ppp.control ppp.protocol rip.auth.passwd rip.ip rip.route_tag rip.auth.type rip.metric rip.routing_domain rip.command rip.netmask rip.version rip.family rip.next_hop MPLS mpls.bottom mpls.oam.defect_location mpls.cw.control mpls.oam.defect_type mpls.cw.res mpls.oam.frequency mpls.exp mpls.oam.function_type mpls.label mpls.oam.ttsi mpls.oam.bip16 mpls.ttl ICMP icmp.checksum icmp.ident icmp.seq icmp.checksum_bad icmp.mtu icmp.type icmp.code icmp.redir_gw DTP dtp.neighbor dtp.tlv_type vtp.neighbor dtp.tlv_len dtp.version VTP vtp.code vtp.vlan_info.802_10_index vtp.conf_rev_num vtp.vlan_info.isl_vlan_id vtp.followers vtp.vlan_info.len vtp.md vtp.vlan_info.mtu_size vtp.md5_digest vtp.vlan_info.status.vlan_susp vtp.md_len vtp.vlan_info.tlv_len vtp.seq_num vtp.vlan_info.tlv_type vtp.start_value vtp.vlan_info.vlan_name vtp.upd_id vtp.vlan_info.vlan_name_len vtp.upd_ts vtp.vlan_info.vlan_type vtp.version ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://guide.offsecnewbie.com/tcp-dump-commands.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.