wireshark and tcpdump

Network traffic analysis: tcpdump

  • capture all traffic: tcpdump -i <interface>

  • capture traffic to and from specific host: tcpdump -i <interface> host 192.168.11.112

  • capture incoming traffic from certain host: tcpdump -i <interface> src host 192.168.77.90

  • capture outgoing traffic to certain host: tcpdump -i <interface> dst host 192.168.99.110

  • capture and save to pcap: tcpdump -i <interface> -w capture.pcap

  • capture specific port traffic: tcpdump -i <interface> port 80

  • capture traffic from certain host to port 443 of compromised workstation: tcpdump -i <interface> src host 133.34.55.66 and dst host <our host> and dst port 443

  • capture all traffic to a certain destination host: tcpdump dst 133.44.56.54

  • capture traffic to and from a network: tcpdump net 192.168.11.0/24

  • capture traffic using port ranges: tcpdump portrange 1-1000

Wireshark filters

  • specific ip: ip.addr == <ip>

  • source ip: ip.src == <ip>

  • destination ip: ip.dst == <ip>

  • exclude ip: !(ip.addr == <ip>) (note that ip.addr != <ip> does not work as an exclusion: ip.addr matches either address field, so a packet still passes when the other address differs)

Wireshark tcp/udp/dns/http filters

  • tcp only: tcp

  • udp only: udp

  • smb only: smb

  • arp only: arp

  • syn packets: tcp.flags.syn == 1 && tcp.flags.ack == 0 (many bare SYNs from one source to many ports indicate a TCP SYN scan)

  • syn-ack: tcp.flags.syn == 1 && tcp.flags.ack == 1

  • RST: tcp.flags.reset == 1

  • FIN: tcp.flags.fin == 1

  • udp port: udp.port == 53

  • DNS traffic: dns

  • DNS queries: dns.flags.response == 0

  • DNS responses: dns.flags.response == 1

  • NXDOMAIN: dns.flags.rcode == 3

  • TXT Records: dns.qry.type == 16

  • HTTP only: http

  • GET requests: http.request.method == "GET"

  • POST requests: http.request.method == "POST"

  • HTTP 401: http.response.code == 401

  • HTTP 500: http.response.code == 500
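The TCP flag filters above are easy to type but easy to misread, so here is an added example (not code from the original page or from the Wireshark or tcpdump projects) that builds a small pcap in memory, parses it back to the fields the filters refer to, and applies the syn / syn-ack / RST filters from the list. It goes one step beyond the page by tallying bare SYNs per source/destination pair, which is how you confirm the SYN-scan hint rather than eyeballing packets. All addresses, ports and packets are constructed for the example; the MAC addresses and checksums are zeroed because nothing is transmitted.

```python
"""Apply the page's TCP flag display filters to a constructed pcap (added example)."""
import struct
from collections import defaultdict

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10  # TCP flag bits


def tcp_packet(src, dst, sport, dport, flags, payload=b""):
    """Ethernet + IPv4 + TCP frame with zeroed MACs/checksums (parse-only, never sent)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp


def pcap_bytes(frames):
    """Serialize frames as a classic libpcap file (magic 0xA1B2C3D4, linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame)  # ts_sec, ts_usec, incl_len, orig_len
    return b"".join(out)


def parse_pcap(data):
    """Yield one dict per IPv4/TCP frame, keyed like Wireshark's display-filter fields."""
    assert struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4, "not a little-endian pcap"
    off = 24
    while off < len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ip = frame[14:]
        if ip[9] != 6:
            continue  # not TCP
        ihl = (ip[0] & 0x0F) * 4
        sport, dport, _, _, _, flags = struct.unpack("!HHIIBB", ip[ihl:ihl + 14])
        yield {
            "ip.src": ".".join(map(str, ip[12:16])), "ip.dst": ".".join(map(str, ip[16:20])),
            "tcp.srcport": sport, "tcp.dstport": dport,
            "tcp.flags.syn": bool(flags & SYN), "tcp.flags.ack": bool(flags & ACK),
            "tcp.flags.reset": bool(flags & RST), "tcp.flags.fin": bool(flags & FIN),
        }


# The page's filters, expressed over the parsed fields.
FILTERS = {
    "syn": lambda p: p["tcp.flags.syn"] and not p["tcp.flags.ack"],
    "syn-ack": lambda p: p["tcp.flags.syn"] and p["tcp.flags.ack"],
    "rst": lambda p: p["tcp.flags.reset"],
    "fin": lambda p: p["tcp.flags.fin"],
}


def apply_filter(packets, name):
    return [p for p in packets if FILTERS[name](p)]


def syn_scan_sources(packets, min_ports=5):
    """(src, dst) pairs where src sent bare SYNs to at least min_ports distinct ports."""
    ports = defaultdict(set)
    for p in packets:
        if FILTERS["syn"](p):
            ports[(p["ip.src"], p["ip.dst"])].add(p["tcp.dstport"])
    return {pair: len(s) for pair, s in ports.items() if len(s) >= min_ports}


# Constructed sample: one host probes eight ports on a target, a second host does a normal handshake.
SCANNER, VICTIM, CLIENT = "192.168.11.50", "192.168.11.112", "192.168.11.20"
_frames = []
for _port in (21, 22, 23, 25, 80, 443, 445, 3389):
    _frames.append(tcp_packet(SCANNER, VICTIM, 40000 + _port, _port, SYN))
    if _port in (22, 80, 443):  # open ports answer SYN-ACK, closed ones RST-ACK
        _frames.append(tcp_packet(VICTIM, SCANNER, _port, 40000 + _port, SYN | ACK))
    else:
        _frames.append(tcp_packet(VICTIM, SCANNER, _port, 40000 + _port, RST | ACK))
_frames += [tcp_packet(CLIENT, VICTIM, 51000, 80, SYN),
            tcp_packet(VICTIM, CLIENT, 80, 51000, SYN | ACK),
            tcp_packet(CLIENT, VICTIM, 51000, 80, ACK)]
SAMPLE_PCAP = pcap_bytes(_frames)
PACKETS = list(parse_pcap(SAMPLE_PCAP))

if __name__ == "__main__":
    with open("sample.pcap", "wb") as fh:  # open this in Wireshark and try the same filters
        fh.write(SAMPLE_PCAP)
    for name in FILTERS:
        print(f"{name:8s} {len(apply_filter(PACKETS, name))} packets")
    print("SYN scan candidates:", syn_scan_sources(PACKETS))
```

Running the script also writes sample.pcap, so the same filters can be checked in Wireshark: the scanner shows up as eight bare SYNs, three SYN-ACKs and five RSTs, while the legitimate client contributes one SYN and is ignored by the scan tally because it only touched one port.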

Wireshark credential hunting

Stream reconstruction

Right click packet -> Follow -> TCP Stream/HTTP Stream/UDP Stream
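What Follow -> TCP Stream does is reorder each direction's segments by sequence number, drop retransmissions and overlaps, and present the two byte streams; credential hunting is usually the next step, reading the reassembled stream for things like HTTP Basic Authorization headers. The following is an added example (not Wireshark's code and not from the original page) that implements that reassembly in plain Python over constructed segments, handles an out-of-order segment, a retransmission and a gap, and then pulls Basic credentials out of the reconstructed client stream. The addresses, ports, sequence numbers and the admin:hunter2 credential are all made up for the example.

```python
"""Follow a TCP stream and hunt HTTP Basic credentials in it (added example)."""
import base64
from collections import defaultdict

# Constructed segments: (src_ip, src_port, dst_ip, dst_port, seq, payload).
# Delivered out of order and with one retransmission, as a real capture might be.
SEGMENTS = [
    ("10.0.0.5", 51000, "10.0.0.9", 80, 1000, b"GET /login HTTP/1.1\r\n"),
    ("10.0.0.5", 51000, "10.0.0.9", 80, 1037, b"\r\n"),                 # arrives before the Host header
    ("10.0.0.5", 51000, "10.0.0.9", 80, 1021, b"Host: 10.0.0.9\r\n"),
    ("10.0.0.9", 80, "10.0.0.5", 51000, 5000, b"HTTP/1.1 401 Unauthorized\r\n"),
    ("10.0.0.5", 51000, "10.0.0.9", 80, 1021, b"Host: 10.0.0.9\r\n"),   # retransmission
    ("10.0.0.9", 80, "10.0.0.5", 51000, 5027, b"WWW-Authenticate: Basic realm=\"x\"\r\n\r\n"),
    ("10.0.0.5", 51000, "10.0.0.9", 80, 1039,
     b"GET /login HTTP/1.1\r\nAuthorization: Basic " + base64.b64encode(b"admin:hunter2") + b"\r\n\r\n"),
]


def stream_key(seg):
    """Canonical key so both directions of one conversation map to the same stream."""
    return tuple(sorted([(seg[0], seg[1]), (seg[2], seg[3])]))


def follow_tcp_stream(segments, key):
    """Return {(src_ip, src_port): bytes} for one conversation, ordered by sequence number.

    Pure retransmissions are dropped, overlapping bytes are trimmed, and a gap
    (missing segment) is marked inline rather than silently joined."""
    by_dir = defaultdict(list)
    for seg in segments:
        if stream_key(seg) == key:
            by_dir[(seg[0], seg[1])].append((seg[4], seg[5]))
    streams = {}
    for direction, segs in by_dir.items():
        segs.sort(key=lambda s: s[0])
        buf, expected = bytearray(), segs[0][0]
        for seq, payload in segs:
            if seq + len(payload) <= expected:
                continue  # already have every byte of this segment
            if seq > expected:
                buf += b"[%d bytes missing]" % (seq - expected)
                expected = seq
            buf += payload[expected - seq:]  # skip the overlapping prefix, if any
            expected = seq + len(payload)
        streams[direction] = bytes(buf)
    return streams


def follow_packet(segments, index):
    """Equivalent of right-clicking packet `index` and choosing Follow -> TCP Stream."""
    return follow_tcp_stream(segments, stream_key(segments[index]))


def basic_auth_credentials(stream):
    """Decode every HTTP Basic Authorization header in a reassembled stream."""
    creds = []
    for line in stream.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            creds.append(base64.b64decode(line.split(b" ", 2)[2]).decode(errors="replace"))
    return creds


if __name__ == "__main__":
    streams = follow_packet(SEGMENTS, 0)
    for direction, data in streams.items():
        print(f"--- {direction[0]}:{direction[1]} ---")
        print(data.decode(errors="replace"))
    print("credentials:", basic_auth_credentials(streams[("10.0.0.5", 51000)]))
```

Wireshark additionally tracks the ACK numbers and will flag the retransmission and the gap in the packet list; the reassembly above only needs sequence numbers, which is enough to reproduce the stream view and to see why the Host header lands in the right place even though its segment arrived late.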
