Helpful commands for tcpdump
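#!/usr/bin/env bash
# tcpdump reference sheet: a list of standalone examples, not a script meant
# to be executed top to bottom. Several captures below have no -c limit and
# run until interrupted (Ctrl-C). Opening an interface needs root, hence sudo.
#
# Fixes relative to the original sheet: wrapped comment lines that had lost
# their leading '#' (they would have been executed as commands), the two
# bare "Source:" lines, and 'egrep' -> 'grep -E' (egrep is deprecated and
# prints a warning on recent GNU grep).
#
# Source: https://opensource.com/article/18/10/introduction-tcpdump

# Install tcpdump
sudo apt install -y tcpdump

# Check available interfaces
sudo tcpdump -D

# Capture packets for all interfaces (no -c: runs until interrupted)
sudo tcpdump -i any
sudo tcpdump -i eth0

# Capture IPv6 traffic
sudo tcpdump -nn ip6

# Limit number of packets to be captured
sudo tcpdump -i any -c 5

# Disable name resolution by using the option -n and port resolution with -nn
# (-nn also avoids the reverse-DNS lookups the capturing host would otherwise
# issue for every address seen)
sudo tcpdump -i any -c5 -nn

# Limit capture to only packets related to a specific host by using the host filter
sudo tcpdump -i any -c5 -nn host 54.204.39.132

# To filter packets based on protocol, specify the protocol in the command line
sudo tcpdump -i any -c5 icmp

# To filter packets based on the desired service or port, use the port filter
sudo tcpdump -i any -c5 -nn port 80

# Filter packets based on the source or destination IP address or hostname
sudo tcpdump -i any -c5 -nn src 192.168.122.98
sudo tcpdump -i any -c5 -nn dst 192.168.122.98

# You can also combine filters by using the logical operators "and" and "or"
# to create more complex expressions
sudo tcpdump -i any -c5 -nn src 192.168.122.98 and port 80

# You can create more complex expressions by grouping filters with parentheses.
# In this case, enclose the entire filter expression in quotation marks to
# prevent the shell from treating the parentheses as shell syntax
sudo tcpdump -i any -c5 -nn "port 80 and (src 192.168.122.98 or src 54.204.39.132)"

# To see the packet content, tcpdump provides two additional flags: -X to print
# content in hex and ASCII, or -A to print the content in ASCII only.
# To see the HTTP content of a web request:
sudo tcpdump -i any -c10 -nn -A port 80

# To save packets to a file instead of displaying them on screen, use the option -w.
# The file holds the raw packets including full payloads, so anything visible in
# the -A output above (cleartext HTTP bodies, credentials) ends up in it as well;
# restrict access to the capture file accordingly.
sudo tcpdump -i any -c10 -nn -w webserver.pcap port 80

# tcpdump creates a file in binary format, so you cannot simply open it with a
# text editor. To read the contents of the file, execute tcpdump with the -r
# option (reading a file needs no root privileges)
tcpdump -nn -r webserver.pcap

# Source: https://hackertarget.com/tcpdump-examples/

# Extract HTTP request URLs
# -l line-buffers stdout so the grep stage sees each packet as it arrives
sudo tcpdump -i any -Avnl | grep -E -i "POST /|GET /|Host:"

# Extract HTTP passwords in POST requests
# (shows whether a service still accepts logins over unencrypted HTTP;
# -s 0 captures the full packet so long bodies are not truncated)
sudo tcpdump -s 0 -A -n -l | grep -E -i "POST /|pwd=|passwd=|password=|Host:"

# Capture all plaintext passwords
# Service names (http, ftp, ...) are resolved to ports via /etc/services.
# Options are given before the filter expression so the command also works
# with getopt implementations that stop parsing at the first non-option word.
sudo tcpdump -l -A port http or port ftp or port smtp or port imap or port pop3 or port telnet | \
  grep -E -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '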