# Packet Capturing - Cheatsheet # Wireshark ## Filter where the source ip is not 192.168.1.1 ``` ip.src != 192.168.1.1 ``` ## Filter where the destination ip is not 192.168.1.1 ``` ip.dst != 192.168.1.1 ``` ## Find packets with a string in them ``` frame contains ``` For example: ``` frame contains google ``` Resource: [https://www.cellstream.com/reference-reading/tipsandtricks/431-finding-text-strings-in-wireshark-captures](https://www.cellstream.com/reference-reading/tipsandtricks/431-finding-text-strings-in-wireshark-captures) ## Show hostnames Go to View -> Name Resolution -> Check the box next to Resolve Network Addresses Resource: [https://unix.stackexchange.com/questions/390852/how-to-filter-by-host-name-in-wireshark](https://unix.stackexchange.com/questions/390852/how-to-filter-by-host-name-in-wireshark) ## Filter TLS traffic ``` ssl.record.version ``` If you want to only show TLS v1.2 traffic, then you would run: ``` ssl.record.version == 0x0303 ``` ## Versions: 0x0300 SSL 3.0 0x0301 TLS 1.0 0x0302 TLS 1.1 0x0303 TLS 1.2 Resource: [https://security.stackexchange.com/questions/190532/filter-tls-in-wireshark-or-other-monitoring-tool](https://security.stackexchange.com/questions/190532/filter-tls-in-wireshark-or-other-monitoring-tool) # TCPDump ## Filter on port 80 ``` tcpdump port 80 ``` ## Filter on source port 80 ``` tcpdump src port 80 ``` ### Destination port 80 ``` tcpdump dest port 80 ``` ## All traffic for 192.168.1.1 ``` tcpdump host 192.168.1.1 ``` ## Save output ``` tcpdump tcp -w output.pcap ``` Resource: [https://medium.com/swlh/introduction-to-tcpdump-635653f56177](https://medium.com/swlh/introduction-to-tcpdump-635653f56177) ## Filter on service In this case, we are filtering icmp traffic on the eth0 interface where the ICMP type field value is icmp-echo. We finish it with a full protocol decode (-vv) aka verbose output. ``` tcpdump -i eth0 icmp and icmp[icmptype]=icmp-echo -vv ``` Resources: [http://alumni.cs.ucr.edu/~marios/ethereal-tcpdump.pdf](http://alumni.cs.ucr.edu/~marios/ethereal-tcpdump.pdf) [http://www.networksorcery.com/enp/protocol/icmp/msg8.htm](http://www.networksorcery.com/enp/protocol/icmp/msg8.htm) ## Listen for traffic over port 389 ``` tcpdump -i eth0 -nn port 389 ``` Resource: [https://hackertarget.com/tcpdump-examples/](https://hackertarget.com/tcpdump-examples/)