Tancredi-Paul Grozav

Work In Progress

1. tcpdump

The tcpdump tool allows you to sniff network packets being sent across interfaces, even if they don’t use the TCP protocol.

You can see the details of each packet with the wireshark tool, by opening a package capture file (.pcap) in wireshark, by piping tcpdump’s output directly into wireshark, or by capturing the packets live, with wireshark, directly.

Here is the manual page of tcpdump: https://www.tcpdump.org/manpages/tcpdump.1.html .

Example commands:

                # This will ssh into a remote server, start there tcpdump as root(using sudo),
# then it will output everything to stdout, which is piped into a local
# wireshark instance, for viewing it in a nice GUI.
echo password | SSHPASS=password sshpass -e ssh -o StrictHostKeyChecking=no \
  user@server sudo -S tcpdump -i any -U -s0 -w - 'not port 22' |
  sudo wireshark -k -i -

# Filter by host (both source or destination) and port
$ tcpdump host 192.168.0.2 and port 3306

# Capture and save to a file
$ tcpdump -w $(pwd)/my.pcap -U host 192.168.0.2 and port 3306

# Capture just 1 packet, and print the packet contents, not just the headers
$ tcpdump -c 1 -vvv -A host 192.168.0.2 and port 3306

# Print packet summary for all packets in file
$ tcpdump -qns 0 -r $(pwd)/my.pcap

              

2. wireshark

Wireshark documentation:

https://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html

                # Open file with wireshark
$ wireshark $(pwd)/my.pcap

Filters in wireshark:

# Packets with SYN flag set to ON, but ACK flag set to OFF
tcp.flags.syn==1 && tcp.flags.ack==0

# Show communication on TCP connection with index 3
tcp.stream eq 3