Packet Capture Notes

Wireshark

Filter where the source ip is not 192.168.1.1

ip.src != 192.168.1.1

Filter where the destination ip is not 192.168.1.1

ip.dst != 192.168.1.1

Find packets with a string in them

frame contains <thing to search>

For example:

frame contains google

Resource: https://www.cellstream.com/reference-reading/tipsandtricks/431-finding-text-strings-in-wireshark-captures

Show hostnames

Go to View -> Name Resolution -> Check the box next to Resolve Network Addresses

Resource: https://unix.stackexchange.com/questions/390852/how-to-filter-by-host-name-in-wireshark

Filter TLS traffic

ssl.record.version

If you want to only show TLS v1.2 traffic, then you would run:

ssl.record.version == 0x0303

Versions:

  • 0x0300 SSL 3.0
  • 0x0301 TLS 1.0
  • 0x0302 TLS 1.1
  • 0x0303 TLS 1.2

Resource: https://security.stackexchange.com/questions/190532/filter-tls-in-wireshark-or-other-monitoring-tool

TCPDump

Filter on port 80

tcpdump port 80

Filter on source port 80

tcpdump src port 80

Destination port 80

tcpdump dest port 80

All traffic for 192.168.1.1

tcpdump host 192.168.1.1

Save output

tcpdump tcp -w output.pcap

Resource:
https://medium.com/swlh/introduction-to-tcpdump-635653f56177

Filter on service

In this case, we are filtering icmp traffic on the eth0 interface where the ICMP type field value is icmp-echo. We finish it with a full protocol decode (-vv) aka verbose output.

tcpdump -i eth0 icmp and icmp[icmptype]=icmp-echo -vv

Resources:
http://alumni.cs.ucr.edu/~marios/ethereal-tcpdump.pdf
http://www.networksorcery.com/enp/protocol/icmp/msg8.htm

Listen for traffic over port 389

tcpdump -i eth0 -nn port 389

Resource: https://hackertarget.com/tcpdump-examples/