TCPDump

Listen to specific interface:

tcpdump -i eth0

Write to a file:

tcpdump -i eth0 -w packets.pcap

Show the first 10 packets of a capture:

tcpdump -r packets.pcap -c 10

Show a hexdump of the first packet (without -c 1 every packet in the capture is dumped):

tcpdump -X -r packets.pcap -c 1

tshark

Show Interfaces:

C:\Program Files\Wireshark>tshark -D
1. \Device\NPF_{1DE095C2-346D-47E6-B855-11917B74603A} (Local Area Connection* 2)
2. \Device\NPF_{1A494418-97D3-42E8-8C0B-78D79A1F7545} (Ethernet 2)

Listen to specific interface:

C:\Program Files\Wireshark>tshark -i 1

Write to a file:

tshark -i 1 -w packets.pcap

Show the first 10 packets of a capture:

tshark -r packets.pcap -c 10

Wireshark

Search for data anywhere in the capture with a display filter (matches is a regular-expression match, so the dots below match any character; use frame contains for a literal byte-string match):

frame matches "127.0.0.1"

SSL

Tell the browser to write the negotiated SSL/TLS session keys to a file; Wireshark can then decrypt the captured traffic once that file is set under Edit -> Preferences -> Protocols -> TLS -> (Pre)-Master-Secret log filename.

Linux:

export SSLKEYLOGFILE='/root/session.log'

Windows:

chrome --ssl-key-log-file=C:\tmp\sslkeys.txt
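A check worth running before pointing Wireshark at the key log: the file must be in the NSS key log format (label, 32-byte client random, secret, all hex), and one malformed line is silently skipped, so a log that "looks full" may still decrypt nothing. The following validator is an added example, not part of the original page or of Wireshark; the sample log is constructed inline, the label set is the one Wireshark's TLS dissector reads (the legacy RSA line format is deliberately not handled), and the function names are this example's own.

```python
"""Added example (not from the original page): sanity-check an SSLKEYLOGFILE
before handing it to Wireshark. The sample log below is constructed."""
import re

# Labels in the NSS key log format that Wireshark's TLS dissector understands.
# The client random is always 32 bytes (64 hex chars); secret length depends
# on the cipher suite hash, so only the TLS 1.2 master secret (48 bytes) is
# length-checked here.
KNOWN_LABELS = {
    "CLIENT_RANDOM",                    # TLS 1.2 and earlier: master secret
    "CLIENT_EARLY_TRAFFIC_SECRET",      # TLS 1.3 labels
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
    "EARLY_EXPORTER_MASTER_SECRET",
}
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")


def parse_keylog(text):
    """Return (entries, problems): entries are (label, client_random, secret)
    tuples, problems are (line_number, reason) for lines Wireshark would skip."""
    entries, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank lines and comments are fine
            continue
        m = LINE_RE.match(line)
        if not m:
            problems.append((n, "malformed line"))
            continue
        label, client_random, secret = m.groups()
        if label not in KNOWN_LABELS:
            problems.append((n, "unknown label %s" % label))
            continue
        if len(secret) % 2:
            problems.append((n, "odd-length secret"))
            continue
        if label == "CLIENT_RANDOM" and len(secret) != 96:
            problems.append((n, "master secret should be 48 bytes"))
            continue
        entries.append((label, client_random.lower(), secret.lower()))
    return entries, problems


def summarize(entries):
    """Group entries by client random (one TLS session each) and report how
    many sessions carry the secrets Wireshark needs for application data."""
    by_session = {}
    for label, client_random, _secret in entries:
        by_session.setdefault(client_random, set()).add(label)
    tls13 = sum(1 for labels in by_session.values()
                if {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"} <= labels)
    tls12 = sum(1 for labels in by_session.values() if "CLIENT_RANDOM" in labels)
    return {"sessions": len(by_session),
            "tls13_decryptable": tls13,
            "tls12_decryptable": tls12}


# Constructed sample log: one TLS 1.2 session, one TLS 1.3 session, two bad lines.
CR1 = "11" * 32
CR2 = "22" * 32
SAMPLE_LOG = "\n".join([
    "# constructed sample, not a real key log",
    "CLIENT_RANDOM %s %s" % (CR1, "aa" * 48),
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET %s %s" % (CR2, "bb" * 32),
    "SERVER_HANDSHAKE_TRAFFIC_SECRET %s %s" % (CR2, "cc" * 32),
    "CLIENT_TRAFFIC_SECRET_0 %s %s" % (CR2, "dd" * 32),
    "SERVER_TRAFFIC_SECRET_0 %s %s" % (CR2, "ee" * 32),
    "CLIENT_RANDOM %s %s" % ("33" * 32, "ff" * 20),   # master secret too short
    "CLIENT_RANDOM deadbeef 00",                        # truncated client random
])

if __name__ == "__main__":
    found, bad = parse_keylog(SAMPLE_LOG)
    for line_no, reason in bad:
        print("line %d: %s" % (line_no, reason))
    print(summarize(found))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; a session count of zero usually means the variable was exported after the browser started, and a TLS 1.3 session with only handshake secrets will decrypt the handshake but not the application data.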

Using a custom hosts file

Edit -> Preferences -> Name Resolution -> and select Only use the
profile “hosts” file.

  • Windows: \Application Data\Wireshark\hosts
  • OS X: /Users//.wireshark/hosts
  • Linux: /home//.wireshark/hosts

Flow Graphing

Statistics -> Flow Graph

Scripting

Below is an example of a Wireshark Lua listener script that builds an IP-to-MAC mapping from ARP and IP packets (run it with tshark's -X lua_script:arp_cache.lua option):

arp_cache.lua

do
  -- filter on either ARP or IP packets (so all packets with a MAC to IP mapping)
  local new_filter = "arp || ip"

  -- we want the src of the ARP packet (remember ARP doesn't have an IP header)
  local arp_ip = Field.new("arp.src.proto_ipv4")
  local eth_src = Field.new("eth.src")
  local ip_src = Field.new("ip.src")

  -- create an empty table that will become our IP to MAC address mapping
  local arp_cache = {}

  -- create our function to run that creates the listener
  local function init_listener()
    -- create our listener, filtering on either ARP or IP packets
    local tap = Listener.new(nil, new_filter)

    -- called for every packet
    function tap.packet(pinfo, tvb)
      -- create the local variables holding our fields (nil when absent)
      local arpip = arp_ip()
      local ethsrc = eth_src()
      local ipsrc = ip_src()

      -- explicitly checking to see arpip does not equal nil
      if arpip ~= nil then
        -- if it isn't nil then we pull the ARP source IP and map it to the
        -- MAC address in the Ethernet Source field
        arp_cache[tostring(arpip)] = tostring(ethsrc)
      elseif ipsrc ~= nil then
        -- if the ARP source IP field is nil this is an IP packet: use the
        -- extracted ip.src field (a bare `ip.src` would be an undefined
        -- global) and map it to the Ethernet Source field (MAC address)
        arp_cache[tostring(ipsrc)] = tostring(ethsrc)
      end -- end of main if block
    end -- end of tap.packet()

    -- just defining an empty tap.reset function
    function tap.reset()
    end -- end of tap.reset()

    -- define the draw function to print out our created ARP cache
    function tap.draw()
      -- iterate over the keys/values within our arp_cache table and print
      -- out the IP to MAC mapping
      for ip, mac in pairs(arp_cache) do
        print("[*] (" .. ip .. ") at " .. mac)
      end -- end of for block
    end -- end of tap.draw()
  end -- end of init_listener()

  -- call the init_listener function
  init_listener()
end -- end of everything
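To show what the tcpdump read commands above (-r, -c, -X) and this tap actually do with the bytes on disk, the following Python is an added example, not code from the original page, tcpdump or Wireshark: it reads a classic pcap file image, limits and hexdumps records the way tcpdump -r FILE -c N -X does, and builds the same IP-to-MAC mapping as arp_cache.lua from the ARP and IPv4 frames. One block serves both sections because both need the same pcap reader. The capture is constructed inline, the link type is assumed to be Ethernet, and the function names are this example's own.

```python
"""Added example (not from the original page): a minimal libpcap reader that
mirrors `tcpdump -r FILE -c N -X` and the arp_cache.lua tap in pure Python.
The sample capture below is constructed, not taken from a real trace."""
import struct

PCAP_MAGIC_US = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # nanosecond-timestamp variant
DLT_EN10MB = 1               # Ethernet link type; the helpers below assume it
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800


def read_pcap(data, count=None):
    """Parse a pcap file image into (ts_sec, ts_frac, frame) tuples,
    stopping after `count` records (tcpdump's -c)."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        endian = "<"                       # written on a little-endian host
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        endian = ">"                       # byte-swapped: big-endian writer
    else:
        raise ValueError("not a pcap file: bad magic 0x%08x" % magic)
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != DLT_EN10MB:
        raise ValueError("unsupported link type %d" % linktype)
    records, off = [], 24
    while off + 16 <= len(data) and (count is None or len(records) < count):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:          # tcpdump reports "truncated dump file" here
            raise ValueError("truncated packet record at offset %d" % off)
        records.append((ts_sec, ts_frac, frame))
        off += incl_len
    return records


def hexdump(frame):
    """tcpdump -X layout: offset, 16 bytes as hex pairs, then printable ASCII."""
    lines = []
    for off in range(0, len(frame), 16):
        chunk = frame[off:off + 16]
        hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("0x%04x:  %-40s %s" % (off, hexpart, text))
    return lines


def mac_ip_map(frames):
    """Same mapping arp_cache.lua builds: ARP sender IP -> eth.src, and for
    IPv4 packets ip.src -> eth.src. Frames that are neither are ignored."""
    cache = {}
    for frame in frames:
        if len(frame) < 14:
            continue
        eth_src = frame[6:12].hex(":")
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype == ETHERTYPE_ARP and len(frame) >= 32:
            src_ip = frame[28:32]          # ARP sender protocol address (arp.src.proto_ipv4)
        elif ethertype == ETHERTYPE_IPV4 and len(frame) >= 30:
            src_ip = frame[26:30]          # IPv4 source address (ip.src)
        else:
            continue
        cache[".".join(str(b) for b in src_ip)] = eth_src
    return cache


def build_sample_pcap(frames):
    """Constructed test data: wrap raw Ethernet frames in a pcap container."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, 65535, DLT_EN10MB)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


MAC_A = bytes.fromhex("001122334455")
MAC_B = bytes.fromhex("66778899aabb")
# ARP reply from A (10.0.0.1) to B: Ethernet dst/src/type, then the ARP body
ARP_REPLY = (MAC_B + MAC_A + b"\x08\x06"
             + b"\x00\x01\x08\x00\x06\x04\x00\x02"
             + MAC_A + bytes([10, 0, 0, 1]) + MAC_B + bytes([10, 0, 0, 2]))
# IPv4/UDP datagram from B (10.0.0.2) to A with an empty 8-byte UDP header
IPV4_PKT = (MAC_A + MAC_B + b"\x08\x00"
            + b"\x45\x00\x00\x1c\x00\x01\x00\x00\x40\x11\x00\x00"
            + bytes([10, 0, 0, 2]) + bytes([10, 0, 0, 1]) + b"\x00" * 8)
SAMPLE_PCAP = build_sample_pcap([ARP_REPLY, IPV4_PKT, IPV4_PKT])

if __name__ == "__main__":
    records = read_pcap(SAMPLE_PCAP, count=10)
    print("\n".join(hexdump(records[0][2])))          # like tcpdump -X -c 1
    for ip, mac in mac_ip_map(r[2] for r in records).items():
        print("[*] (%s) at %s" % (ip, mac))          # same output as tap.draw()
```

Feed read_pcap the bytes of a real packets.pcap to compare its output with tcpdump's; pcapng files (the default format of newer Wireshark and tshark builds) have a different magic and are rejected, which is the same reason tcpdump needs a recent libpcap to read them.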