TCP Dump and Wireshark Commands
https://www.rationallyparanoid.com/articles/tcpdump.html

In most cases you will need root permission to be able to capture packets on an interface. Using tcpdump (with root) to capture the packets and saving them to a file to analyze with Wireshark (using a regular account) is recommended over using Wireshark with a root account to capture packets on an "untrusted" interface. See the Wireshark security advisories for reasons why.

See the list of interfaces on which tcpdump can listen:
tcpdump -D

Listen on interface eth0:
tcpdump -i eth0

Listen on any available interface (cannot be done in promiscuous mode; requires Linux kernel 2.2 or greater):
tcpdump -i any

Be verbose while capturing packets:
tcpdump -v

Be more verbose while capturing packets:
tcpdump -vv

Be very verbose while capturing packets:
tcpdump -vvv

Be verbose and print the data of each packet in both hex and ASCII, excluding the link level header:
tcpdump -v -X

Be verbose and print the data of each packet in both hex and ASCII, also including the link level header:
tcpdump -v -XX

Be less verbose (than the default) while capturing packets:
tcpdump -q

Limit the capture to 100 packets:
tcpdump -c 100

Record the packet capture to a file called capture.cap:
tcpdump -w capture.cap

Record the packet capture to a file called capture.cap but display on-screen how many packets have been captured in real time:
tcpdump -v -w capture.cap

Display the packets of a file called capture.cap:
tcpdump -r capture.cap

Display the packets of a file called capture.cap using maximum detail:
tcpdump -vvv -r capture.cap

Display IP addresses and port numbers instead of domain and service names when capturing packets (note: on some systems you need to specify -nn to display port numbers):
tcpdump -n

Capture any packets where the destination host is 192.168.1.1. Display IP addresses and port numbers:
tcpdump -n dst host 192.168.1.1

Capture any packets where the source host is 192.168.1.1. Display IP addresses and port numbers:
tcpdump -n src host 192.168.1.1

Capture any packets where the source or destination host is 192.168.1.1. Display IP addresses and port numbers:
tcpdump -n host 192.168.1.1

Capture any packets where the destination network is 192.168.1.0/24. Display IP addresses and port numbers:
tcpdump -n dst net 192.168.1.0/24

Capture any packets where the source network is 192.168.1.0/24. Display IP addresses and port numbers:
tcpdump -n src net 192.168.1.0/24

Capture any packets where the source or destination network is 192.168.1.0/24. Display IP addresses and port numbers:
tcpdump -n net 192.168.1.0/24

Capture any packets where the destination port is 23. Display IP addresses and port numbers:
tcpdump -n dst port 23

Capture any packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers:
tcpdump -n dst portrange 1-1023

Capture only TCP packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers:
tcpdump -n tcp dst portrange 1-1023

Capture only UDP packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers:
tcpdump -n udp dst portrange 1-1023

Capture any packets with destination IP 192.168.1.1 and destination port 23. Display IP addresses and port numbers:
tcpdump -n "dst host 192.168.1.1 and dst port 23"

Capture any packets with destination IP 192.168.1.1 and destination port 80 or 443. Display IP addresses and port numbers:
tcpdump -n "dst host 192.168.1.1 and (dst port 80 or dst port 443)"

Capture any ICMP packets:
tcpdump -v icmp

Capture any ARP packets:
tcpdump -v arp

Capture either ICMP or ARP packets:
tcpdump -v "icmp or arp"

Capture any packets that are broadcast or multicast:
tcpdump -n "broadcast or multicast"

Capture 500 bytes of data for each packet rather than the default of 68 bytes:
tcpdump -s 500

Capture all bytes of data within the packet:
tcpdump -s 0
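As an added example (not from the tcpdump article above or the packetlife cheat sheet below), a small reader for the capture.cap files that tcpdump -w produces. It exposes each record under the Wireshark display-filter field names (ip.dst, tcp.dstport, udp.dstport, frame.len, frame.cap_len), flags records that the snaplen cut short (the 68-byte default the article mentions), and applies the same selection as the BPF filter "dst host 192.168.1.1 and dst port 23". The capture is constructed inside the script and the helper names (parse_pcap, dst_host_and_port, build_frame, build_pcap, the truncated key) are this example's own, not tcpdump's.

```python
import socket
import struct

MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}   # microsecond pcap, little/big-endian

def parse_pcap(data):
    """Yield one dict per record of a tcpdump -w file, keyed by Wireshark display-filter field names."""
    endian = MAGIC[data[:4]]                                    # KeyError: not a pcap file we understand
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (link type 1) are handled")
    off = 24                                                    # skip the 24-byte global header
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        f = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        pkt = {"frame.len": orig_len, "frame.cap_len": incl_len,
               "truncated": incl_len < orig_len}               # True when the snaplen (-s) cut it short
        if len(f) >= 34 and f[12:14] == b"\x08\x00":           # Ethernet carrying IPv4
            ihl = (f[14] & 0x0F) * 4
            pkt.update({"ip.proto": f[23], "ip.src": socket.inet_ntoa(f[26:30]), "ip.dst": socket.inet_ntoa(f[30:34])})
            l4 = f[14 + ihl:]
            if f[23] in (6, 17) and len(l4) >= 4:               # TCP and UDP keep both ports in the same place
                key = "tcp" if f[23] == 6 else "udp"
                pkt[key + ".srcport"], pkt[key + ".dstport"] = struct.unpack("!HH", l4[:4])
        yield pkt

def dst_host_and_port(pkts, host, port):
    """Same selection as the BPF expression 'dst host HOST and dst port PORT', applied to parsed records."""
    return [p for p in pkts if p.get("ip.dst") == host and port in (p.get("tcp.dstport"), p.get("udp.dstport"))]

def build_frame(src, dst, proto, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4 frame with a TCP (6) or UDP (17) header; checksums are left zero."""
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0) if proto == 6
          else struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

def build_pcap(frames, snaplen=68):
    """Constructed capture laid out as tcpdump -s SNAPLEN -w writes it: bytes past the snaplen are dropped."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, min(len(f), snaplen), len(f)) + f[:snaplen]
    return out

def demo():
    frames = [build_frame("192.168.1.50", "192.168.1.1", 6, 40000, 23, b"login: " + b"A" * 100),  # telnet, truncated
              build_frame("192.168.1.50", "192.168.1.1", 17, 40001, 53),                            # DNS query
              build_frame("192.168.1.1", "192.168.1.50", 6, 23, 40000)]                             # reply direction
    pkts = list(parse_pcap(build_pcap(frames, snaplen=68)))
    return pkts, dst_host_and_port(pkts, "192.168.1.1", 23)
```

With the 68-byte snaplen the first record keeps its headers (so the filter still matches) but loses its payload, which is exactly what "-s 500" or "-s 0" is for.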

ngrep

Search a pcap file for a whole-word string in packets sent to a given host and port (the expression after the pattern is a BPF filter, as for tcpdump):
ngrep -I file.pcap -w "text2find" dst host $ip and port $port

Wireshark

https://packetlife.net/media/library/13/Wireshark_Display_Filters.pdf

WIRESHARK DISPLAY FILTERS · PART 1

Ethernet
eth.addr eth.len eth.src
eth.dst eth.lg eth.trailer
eth.ig eth.multicast eth.type

IEEE 802.1Q
vlan.cfi vlan.id vlan.priority
vlan.etype vlan.len vlan.trailer

IPv4
ip.addr ip.fragment.overlap.conflict
ip.checksum ip.fragment.toolongfragment
ip.checksum_bad ip.fragments
ip.checksum_good ip.hdr_len
ip.dsfield ip.host
ip.dsfield.ce ip.id
ip.dsfield.dscp ip.len
ip.dsfield.ect ip.proto
ip.dst ip.reassembled_in
ip.dst_host ip.src
ip.flags ip.src_host
ip.flags.df ip.tos
ip.flags.mf ip.tos.cost
ip.flags.rb ip.tos.delay
ip.frag_offset ip.tos.precedence
ip.fragment ip.tos.reliability
ip.fragment.error ip.tos.throughput
ip.fragment.multipletails ip.ttl
ip.fragment.overlap ip.version

ARP
arp.dst.hw_mac arp.proto.size
arp.dst.proto_ipv4 arp.proto.type
arp.hw.size arp.src.hw_mac
arp.hw.type arp.src.proto_ipv4
arp.opcode

IPv6
ipv6.addr ipv6.hop_opt
ipv6.class ipv6.host
ipv6.dst ipv6.mipv6_home_address
ipv6.dst_host ipv6.mipv6_length
ipv6.dst_opt ipv6.mipv6_type
ipv6.flow ipv6.nxt
ipv6.fragment ipv6.opt.pad1
ipv6.fragment.error ipv6.opt.padn
ipv6.fragment.more ipv6.plen
ipv6.fragment.multipletails ipv6.reassembled_in
ipv6.fragment.offset ipv6.routing_hdr
ipv6.fragment.overlap ipv6.routing_hdr.addr
ipv6.fragment.overlap.conflict ipv6.routing_hdr.left
ipv6.fragment.toolongfragment ipv6.routing_hdr.type
ipv6.fragments ipv6.src
ipv6.fragment.id ipv6.src_host
ipv6.hlim ipv6.version

TCP
tcp.ack tcp.options.qs
tcp.checksum tcp.options.sack
tcp.checksum_bad tcp.options.sack_le
tcp.checksum_good tcp.options.sack_perm
tcp.continuation_to tcp.options.sack_re
tcp.dstport tcp.options.time_stamp
tcp.flags tcp.options.wscale
tcp.flags.ack tcp.options.wscale_val
tcp.flags.cwr tcp.pdu.last_frame
tcp.flags.ecn tcp.pdu.size
tcp.flags.fin tcp.pdu.time
tcp.flags.push tcp.port
tcp.flags.reset tcp.reassembled_in
tcp.flags.syn tcp.segment
tcp.flags.urg tcp.segment.error
tcp.hdr_len tcp.segment.multipletails
tcp.len tcp.segment.overlap
tcp.nxtseq tcp.segment.overlap.conflict
tcp.options tcp.segment.toolongfragment
tcp.options.cc tcp.segments
tcp.options.ccecho tcp.seq
tcp.options.ccnew tcp.srcport
tcp.options.echo tcp.time_delta
tcp.options.echo_reply tcp.time_relative
tcp.options.md5 tcp.urgent_pointer
tcp.options.mss tcp.window_size
tcp.options.mss_val

UDP
udp.checksum udp.dstport udp.srcport
udp.checksum_bad udp.length
udp.checksum_good udp.port

Operators
eq or ==
ne or !=
gt or >
lt or <
ge or >=
le or <=

Logic
and / &&    Logical AND
or / ||     Logical OR
xor / ^^    Logical XOR
not / !     Logical NOT
[n] […]     Substring operator

Frame Relay
fr.becn fr.de
fr.chdlctype fr.dlci
fr.control fr.dlcore_control
fr.control.f fr.ea
fr.control.ftype fr.fecn
fr.control.n_r fr.lower_dlci
fr.control.n_s fr.nlpid
fr.control.p fr.second_dlci
fr.control.s_ftype fr.snap.oui
fr.control.u_modifier_cmd fr.snap.pid
fr.control.u_modifier_resp fr.snaptype
fr.cr fr.third_dlci
fr.dc fr.upper_dlci

ICMPv6
icmpv6.all_comp
icmpv6.checksum
icmpv6.checksum_bad
icmpv6.code
icmpv6.comp
icmpv6.haad.ha_addrs
icmpv6.identifier
icmpv6.option
icmpv6.option.cga
icmpv6.option.length
icmpv6.option.name_type
icmpv6.option.name_type.fqdn
icmpv6.option.name_x501
icmpv6.option.rsa.key_hash
icmpv6.option.type
icmpv6.ra.cur_hop_limit
icmpv6.ra.reachable_time
icmpv6.ra.retrans_timer
icmpv6.ra.router_lifetime
icmpv6.recursive_dns_serv
icmpv6.type

RIP
rip.auth.passwd rip.ip rip.route_tag
rip.auth.type rip.metric rip.routing_domain
rip.command rip.netmask rip.version
rip.family rip.next_hop

BGP
bgp.aggregator_as bgp.mp_reach_nlri_ipv4_prefix
bgp.aggregator_origin bgp.mp_unreach_nlri_ipv4_prefix
bgp.as_path bgp.multi_exit_disc
bgp.cluster_identifier bgp.next_hop
bgp.cluster_list bgp.nlri_prefix
bgp.community_as bgp.origin
bgp.community_value bgp.originator_id
bgp.local_pref bgp.type
bgp.mp_nlri_tnl_id bgp.withdrawn_prefix

HTTP
http.accept http.proxy_authorization
http.accept_encoding http.proxy_connect_host
http.accept_language http.proxy_connect_port
http.authbasic http.referer
http.authorization http.request
http.cache_control http.request.method
http.connection http.request.uri
http.content_encoding http.request.version
http.content_length http.response
http.content_type http.response.code
http.cookie http.server
http.date http.set_cookie
http.host http.transfer_encoding
http.last_modified http.user_agent
http.location http.www_authenticate
http.notification http.x_forwarded_for
http.proxy_authenticate

PPP
ppp.address ppp.direction
ppp.control ppp.protocol

MPLS
mpls.bottom mpls.oam.defect_location
mpls.cw.control mpls.oam.defect_type
mpls.cw.res mpls.oam.frequency
mpls.exp mpls.oam.function_type
mpls.label mpls.oam.ttsi
mpls.oam.bip16 mpls.ttl

ICMP
icmp.checksum icmp.ident icmp.seq
icmp.checksum_bad icmp.mtu icmp.type
icmp.code icmp.redir_gw

DTP
dtp.neighbor dtp.tlv_type
dtp.tlv_len dtp.version

VTP
vtp.code vtp.vlan_info.802_10_index
vtp.conf_rev_num vtp.vlan_info.isl_vlan_id
vtp.followers vtp.vlan_info.len
vtp.md vtp.vlan_info.mtu_size
vtp.md5_digest vtp.vlan_info.status.vlan_susp
vtp.md_len vtp.vlan_info.tlv_len
vtp.neighbor vtp.vlan_info.tlv_type
vtp.seq_num vtp.vlan_info.vlan_name
vtp.start_value vtp.vlan_info.vlan_name_len
vtp.upd_id vtp.vlan_info.vlan_type
vtp.upd_ts vtp.version