
TCPDump

TCPDump

Listen on a specific interface (capturing needs root or CAP_NET_RAW; add -n to skip reverse-DNS lookups, which are slow and generate traffic of their own):

tcpdump -n -i eth0

Write to a file (-s 0 captures full packets; older tcpdump releases default to a snaplen that truncates payloads):

tcpdump -i eth0 -s 0 -w packets.pcap

Show the first 10 packets of a capture file:

tcpdump -r packets.pcap -c 10

Show a hex and ASCII dump of the first packet (without -c 1 every packet in the file is dumped):

tcpdump -r packets.pcap -c 1 -X

tshark

Show Interfaces:

C:\Program Files\Wireshark>tshark -D
1. \Device\NPF_{1DE095C2-346D-47E6-B855-11917B74603A} (Local Area Connection* 2)
2. \Device\NPF_{1A494418-97D3-42E8-8C0B-78D79A1F7545} (Ethernet 2)

Listen on a specific interface (the number comes from tshark -D; on Windows this needs an elevated prompt and Npcap/WinPcap installed):

C:\Program Files\Wireshark>tshark -i 1

Write to a file:

tshark -i 1 -w packets.pcap

Show the first 10 packets of a capture file:

tshark -r packets.pcap -c 10

Wireshark

Search for data anywhere in the raw bytes of every frame. Note that "matches" takes a Perl-compatible regex, so an unescaped "." matches any byte; for a literal string use "contains" (or escape the dots). This finds the text "127.0.0.1" inside packet payloads, not the address in the IP header — use ip.addr == 127.0.0.1 for that.

frame contains "127.0.0.1"

SSL

Make the browser write the negotiated TLS session secrets to a key log file (Firefox and Chrome honour the SSLKEYLOGFILE variable), then point Wireshark at that file under Edit -> Preferences -> Protocols -> TLS -> (Pre)-Master-Secret log filename so captured sessions can be decrypted. The key log lets anyone holding it decrypt the matching captures: only enable it on a test machine, restrict the file's permissions and delete it when the analysis is done.

Linux:

export SSLKEYLOGFILE='/root/session.log'

Windows:

chrome --ssl-key-log-file=C:\tmp\sslkeys.txt

Using a custom host file

Edit -> Preferences -> Name Resolution, enable "Resolve network (IP) addresses" and select "Only use the profile hosts file". The hosts file lives in the profile directory:

  • Windows: %APPDATA%\Wireshark\hosts
  • OS X: /Users/<username>/.wireshark/hosts
  • Linux: /home/<username>/.wireshark/hosts (or ~/.config/wireshark/hosts on newer releases)

Flow Graphing

Statistics -> Flow Graph

Scripting

Below is an example of a Wireshark/tshark Lua listener ("tap") script. It watches every ARP or IP packet and builds an IP-to-MAC table from the source fields, then prints it when the capture has been read. Run it against a file with: tshark -X lua_script:arp_cache.lua -r packets.pcap

arp_cache.lua

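do
	-- Tap (listener) that rebuilds an IP -> MAC table from a capture: every ARP
	-- or IP packet contributes the pairing of its source IP and source MAC.
	-- Run with:  tshark -X lua_script:arp_cache.lua -r packets.pcap
	--
	-- SECURITY NOTE: the table is "last writer wins".  A spoofed or gratuitous
	-- ARP reply overwrites the legitimate entry exactly like a genuine one, so
	-- an IP that is seen with more than one MAC during the capture is recorded
	-- in `conflicts` and reported separately in draw() -- that is the usual
	-- ARP-poisoning signature.

	-- match ARP or IP packets, i.e. everything that carries a MAC <-> IP pairing
	local new_filter = "arp || ip"

	-- Field extractors must be created at load time, before any packet is
	-- dissected.  ARP has no IP header, so its sender address is the
	-- arp.src.proto_ipv4 field rather than ip.src.
	local arp_ip  = Field.new("arp.src.proto_ipv4")
	local eth_src = Field.new("eth.src")
	local ip_src  = Field.new("ip.src")

	-- ip (string) -> mac (string) of the most recent sighting
	local arp_cache = {}
	-- ip (string) -> set of every mac it has been seen with, only for IPs
	-- whose mapping changed at least once
	local conflicts = {}

	-- Record that `addr` was seen with source MAC `mac`, keeping track of any
	-- disagreement with what was recorded earlier for the same address.
	local function remember(addr, mac)
		local previous = arp_cache[addr]
		if previous ~= nil and previous ~= mac then
			local seen = conflicts[addr] or { [previous] = true }
			seen[mac] = true
			conflicts[addr] = seen
		end
		arp_cache[addr] = mac
	end

	-- Create the listener and attach its packet/reset/draw callbacks.
	local function init_listener()
		local tap = Listener.new(nil, new_filter)

		-- Called once for every packet that matches new_filter.
		function tap.packet(pinfo, tvb)
			local ethsrc = eth_src()
			-- Non-Ethernet link layers (raw IP, some tunnels) carry no eth.src;
			-- there is nothing to map in that case.
			if ethsrc == nil then
				return
			end

			-- Prefer the ARP sender address and fall back to the IP header
			-- source.  Both can be absent (e.g. ARP for a non-IPv4 protocol),
			-- so bail out rather than inserting a "nil" key into the table.
			local addr = arp_ip() or ip_src()
			if addr == nil then
				return
			end

			remember(tostring(addr), tostring(ethsrc))
		end

		-- Nothing to reset between passes; the callback is still required by
		-- the Listener API.
		function tap.reset()
		end

		-- Called once the capture has been read completely: print the table,
		-- then every address whose MAC changed during the capture.
		function tap.draw()
			for addr, mac in pairs(arp_cache) do
				print("[*] (" .. addr .. ") at " .. mac)
			end
			for addr, seen in pairs(conflicts) do
				local macs = {}
				for mac in pairs(seen) do
					macs[#macs + 1] = mac
				end
				table.sort(macs)
				print("[!] (" .. addr .. ") seen with multiple MACs: " .. table.concat(macs, ", "))
			end
		end
	end

	init_listener()
end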