6 min read
Tcpdump
| Command | Description |
|---|---|
tcpdump --version | Prints the tcpdump and libpcap version strings then exits. |
tcpdump -h | Prints the help and usage information. |
tcpdump -D | Prints a list of usable network interfaces from which tcpdump can capture. |
tcpdump -i (interface name or #) | Executes tcpdump and utilizes the interface specified to capture on. |
tcpdump -i (int) -w file.pcap | Runs a capture on the specified interface and writes the output to a file. |
tcpdump -r file.pcap | TCPDump will read the output from a specified file. |
| `tcpdump -r/-w file.pcap -l \ | grep ‘string’` |
tcpdump -i (int) host (ip) | TCPDump will start a capture on the interface specified at (int) and will only capture traffic originating from or destined to the IP address or hostname specified after host. |
tcpdump -i (int) port (#) | Will filter the capture for anything sourcing from or destined to port (#) and discard the rest. |
tcpdump -i (int) proto (#) | Will filter the capture for any protocol traffic matching the (#). For example, (6) would filter for any TCP traffic and discard the rest. |
tcpdump -i (int) (proto name) | Will utilize a protocols common name to filter the traffic captured. TCP/UDP/ICMP as examples. |
Tcpdump Common Switches and Filters
| Switch/Filter | Description |
|---|---|
D | Will display any interfaces available to capture from. |
i | Selects an interface to capture from. ex. -i eth0 |
n | Do not resolve hostnames. |
nn | Do not resolve hostnames or well-known ports. |
e | Will grab the ethernet header along with upper-layer data. |
X | Show Contents of packets in hex and ASCII. |
XX | Same as X, but will also specify ethernet headers. (like using Xe) |
v, vv, vvv | Increase the verbosity of output shown and saved. |
c | Grab a specific number of packets, then quit the program. |
s | Defines how much of a packet to grab. |
S | change relative sequence numbers in the capture display to absolute sequence numbers. (13248765839 instead of 101) |
q | Print less protocol information. |
r file.pcap | Read from a file. |
w file.pcap | Write into a file |
host | Host will filter visible traffic to show anything involving the designated host. Bi-directional |
src / dest | src and dest are modifiers. We can use them to designate a source or destination host or port. |
net | net will show us any traffic sourcing from or destined to the network designated. It uses / notation. |
proto | will filter for a specific protocol type. (ether, TCP, UDP, and ICMP as examples) |
port | port is bi-directional. It will show any traffic with the specified port as the source or destination. |
portrange | Portrange allows us to specify a range of ports. (0-1024) |
less / greater "< >" | less and greater can be used to look for a packet or protocol option of a specific size. |
and / && | and && can be used to concatenate two different filters together. for example, src host AND port. |
or | or Or allows for a match on either of two conditions. It does not have to meet both. It can be tricky. |
not | not is a modifier saying anything but x. For example, not UDP. |
TShark
| Command | Description |
|---|---|
tshark -h | Prints the help menu. |
tshark -D | List available interfaces to capture from. |
tshark -i (int) | Capture on a selected interface. Replace (int) with the interface name or number. |
tshark -i eth0 -f "host (ip)" | apply a filter with (-f) looking for a specific host while utilizing tshark |
D | Will display any interfaces available to capture from and then exit out. |
L | Will list the Link-layer mediums you can capture from and then exit out. (ethernet as an example) |
i | choose an interface to capture from. (-i eth0) |
f | packet filter in libpcap syntax. Used during capture. |
c | Grab a specific number of packets, then quit the program. Defines a stop condition. |
a | Defines an autostop condition. It can be after a duration, specific file size, or after a certain number of packets. |
r (pcap-file) | Read from a file. |
W (pcap-file) | Write into a file using the pcapng format. |
P | Will print the packet summary while writing into a file (-W) |
x | will add Hex and ASCII output into the capture. |
h | See the help menu |
WireShark
| Capture Filter | Description |
|---|---|
host x.x.x.x | Capture only traffic pertaining to a certain host |
net x.x.x.x/24 | Capture traffic to or from a specific network (using slash notation to specify the mask) |
src/dst net x.x.x.x/24 | Using src or dst net will only capture traffic sourcing from the specified network or destined to the target network |
port # | will filter out all traffic except the port you specify |
not | will capture everything except the variable specified. ex. not port 80 |
and | AND will concatenate your specified ports. ex. host 192.168.1.1 and port 80 |
portrange x-x | Portrange will grab traffic from all ports within the range only |
ip / ether / tcp | These filters will only grab traffic from specified protocol headers. |
broadcast / multicast / unicast | Grabs a specific type of traffic. one to one, one to many, or one to all. |
| Display Filter | Description |
|---|---|
ip.addr == x.x.x.x | Capture only traffic pertaining to a certain host. This is an OR statement. |
ip.addr == x.x.x.x/24 | Capture traffic pertaining to a specific network. This is an OR statement. |
ip.src/dst == x.x.x.x | Capture traffic to or from a specific host. |
dns / tcp / ftp / arp / ip | filter traffic by a specific protocol. There are many more options. |
tcp.port == x | filter by a specific tcp port. |
src.port / dst.port ==x | will capture everything except the port specified. |
and / or / not | AND will concatenate, OR will find either of two options, NOT will exclude your input option. |
tcp.stream eq # | Allows us to follow a tcp session in which we captured the entire stream. Replace (#) with the session to reassemble. |
http | Will filter for any traffic matching the http protocol. |
http && image-jfif | This filter will display any packet with a jpeg image file. |
ftp | Filters for the ftp protocol. |
ftp.request.command | Will filter for any control commands sent over ftp control channel. |
ftp-data | Will show any objects transfered over ftp. |
Misc Commands
| Command | Description |
|---|---|
sudo * | Sudo will run the command that proceeds it with elevated privileges. |
which (application) | Utilizes which to determine if (application) is installed on the host. Replace the application with what you are looking for. ex. which tcpdump |
sudo apt install (application) | Uses elevated privileges to install an application package if it does not exist on the host. ex. sudo apt install wireshark |
man (application) | Displays the manual pages for an application. ex. man tcpdump. |
Common Ports and Protocols
| Port Number | Protocol | Description |
|---|---|---|
20 | FTP-Data | Data channel for passing FTP files. |
21 | FTP-Command | Control channel for issuing commands to an FTP server. |
22 | SSH | Secure Shell Service port. Provides secure remote communications |
23 | Telnet | Telnet service provides cleartext communications between hosts. |
25 | SMTP | Simple Mail Transfer protocol. Utilized for email transmissions between servers. |
53 | DNS | Domain Name Services. Provides name resolution with multiple protocols |
69 | TFTP | Trivial File Transfer Protocol. A lightweight, minimal-function transfer protocol. |
80 | HTTP | HyperText Transfer Protocol. Provides dynamic web services |
88 | Kerberos | Providing cryptographic network authentication |
110 | POP3 | Mail service utilized by clients to retrieve email from a server. |
111 | RPC | Remote Procedure Call. Remote service for managing network file systems. |
115 | SFTP | SSH File Transfer Protocol. An extension of SSH providing secure and reliable FTP services. |
123 | NTP | Network Time Protocol. Provides timing and sync services for network devices. |
137 | Netbios-NS | Local network name resolution. |
139 | Netbios-SSN | Provides session services for data transfer. Services like SMB can utilize it. |
179 | BGP | Border Gateway Protocol. BGP is a protocol for exchanging routing info with autonomous systems worldwide. |
389 | LDAP | Lightweight Directory Access Protocol. System agnostic authentication and authorization services. |
443 | HTTPS | HyperText Transfer Protocol Secure. An extension of HTTP utilizing SSL/TLS for encrypting the communications. |
445 | SMB | Server Message Block. SMB allows for the sharing of services, files, networking ports, and printers between hosts. |