Packet Capture Notes

Wireshark

Filter where the source IP is not 192.168.1.1

ip.src != 192.168.1.1

Filter where the destination IP is not 192.168.1.1

ip.dst != 192.168.1.1

Find packets containing a string (the match is case-sensitive)

frame contains <thing to search>

For example:

frame contains google

Resource: https://www.cellstream.com/reference-reading/tipsandtricks/431-finding-text-strings-in-wireshark-captures

TCPDump

Filter on port 80

tcpdump port 80

Filter on source port 80

tcpdump src port 80

Filter on destination port 80

tcpdump dst port 80

All traffic for 192.168.1.1

tcpdump host 192.168.1.1

Save the capture to a file (here only TCP traffic; -w goes before the filter expression)

tcpdump -w output.pcap tcp

Resource: https://medium.com/swlh/introduction-to-tcpdump-635653f56177

Filter on service

This captures ICMP traffic on the eth0 interface and keeps only packets whose ICMP type field is icmp-echo, i.e. echo requests (ping). The -vv option asks for more verbose protocol decoding. The filter expression is quoted because the square brackets would otherwise be interpreted by the shell.

tcpdump -i eth0 -vv 'icmp and icmp[icmptype]=icmp-echo'

Resources:
http://alumni.cs.ucr.edu/~marios/ethereal-tcpdump.pdf
http://www.networksorcery.com/enp/protocol/icmp/msg8.htm
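
To make the byte-offset filter concrete, the following is an added Python example (not from these notes, tcpdump or any other project) that does by hand what 'icmp and icmp[icmptype]=icmp-echo' does: walk the Ethernet and IPv4 headers, honour the IHL field so IP options do not shift the offset, and read the first ICMP byte. The frames it checks are constructed inline with zero checksums, not real captures.

```python
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8   # tcpdump spells this "icmp-echo"
ICMP_ECHO_REPLY = 0     # tcpdump spells this "icmp-echoreply"


def icmp_type(frame: bytes):
    """Return the ICMP type byte of an Ethernet frame, or None if it is not ICMP.

    Mirrors tcpdump's 'icmp[icmptype]': find the ICMP header after the IPv4
    header (whose length is IHL * 4 bytes) and read its first byte.
    """
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4                     # IPv4 header length, 20..60 bytes
    if ihl < 20 or len(ip) < ihl + 1:
        return None
    if ip[9] != IPPROTO_ICMP:                    # IPv4 protocol field
        return None
    if struct.unpack_from("!H", ip, 6)[0] & 0x1FFF:
        return None                              # only the first fragment carries the ICMP header
    return ip[ihl]                               # icmp[0] == icmp[icmptype]


def is_echo_request(frame: bytes) -> bool:
    """Equivalent of the capture filter 'icmp and icmp[icmptype]=icmp-echo'."""
    return icmp_type(frame) == ICMP_ECHO_REQUEST


def build_icmp_frame(icmp_t: int, ip_options: bytes = b"") -> bytes:
    """Constructed sample frame (Ethernet + IPv4 + ICMP), checksums left at zero."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    ihl = 5 + len(ip_options) // 4               # options must be a multiple of 4 bytes
    icmp = struct.pack("!BBHHH", icmp_t, 0, 0, 1, 1) + b"constructed-payload"
    total_len = ihl * 4 + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0x1234, 0,
                     64, IPPROTO_ICMP, 0, bytes([192, 168, 1, 1]), bytes([192, 168, 1, 2]))
    return eth + ip + ip_options + icmp


if __name__ == "__main__":
    for label, f in [("echo request", build_icmp_frame(ICMP_ECHO_REQUEST)),
                     ("echo reply", build_icmp_frame(ICMP_ECHO_REPLY)),
                     ("echo request + IP options", build_icmp_frame(ICMP_ECHO_REQUEST, b"\x01" * 4))]:
        print(f"{label}: type={icmp_type(f)} matches filter={is_echo_request(f)}")
```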

Capture traffic on port 389 (-nn: do not resolve hostnames or port names)

tcpdump -i eth0 -nn port 389

Resource: https://hackertarget.com/tcpdump-examples/