tcpdump and wireshark
Work In Progress
1. tcpdump
The tcpdump
tool allows you to sniff network packets being sent across
interfaces, even if they don’t use the TCP protocol.
You can see the details of each packet with the wireshark
tool, by opening a
package capture file (.pcap
) in wireshark, by piping tcpdump’s output
directly into wireshark, or by capturing the packets live, with wireshark,
directly.
Here is the manual page of tcpdump: https://www.tcpdump.org/manpages/tcpdump.1.html .
Example commands:
# This will ssh into a remote server, start there tcpdump as root(using sudo),
# then it will output everything to stdout, which is piped into a local
# wireshark instance, for viewing it in a nice GUI. Or just authenticate with a
# key as root directly.
echo password | SSHPASS=password sshpass -e ssh -o StrictHostKeyChecking=no \
user@server sudo -S tcpdump -i any -U -s0 -w - 'not port 22' |
sudo wireshark -k -i -
# Filter by host (both source or destination) and port
$ tcpdump host 192.168.0.2 and port 3306
# Capture and save to a file
$ tcpdump -w $(pwd)/my.pcap -U host 192.168.0.2 and port 3306
# Capture just 1 packet, and print the packet contents, not just the headers
$ tcpdump -c 1 -vvv -A host 192.168.0.2 and port 3306
# Print packet summary for all packets in file
$ tcpdump -qns 0 -r $(pwd)/my.pcap
2. wireshark
Wireshark documentation:
- https://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html
# Open file with wireshark
$ wireshark $(pwd)/my.pcap
Filters in wireshark:
# Packets with SYN flag set to ON, but ACK flag set to OFF
tcp.flags.syn==1 && tcp.flags.ack==0
# Show communication on TCP connection with index 3
tcp.stream eq 3