Skip to content

Instantly share code, notes, and snippets.

@Sakib37
Created March 8, 2020 11:12
Show Gist options
  • Save Sakib37/0284660da0f8e0c2be6ed14eef9e66e2 to your computer and use it in GitHub Desktop.
Save Sakib37/0284660da0f8e0c2be6ed14eef9e66e2 to your computer and use it in GitHub Desktop.
Helpful command for tcpdump
Source: https://opensource.com/article/18/10/introduction-tcpdump
# Install tcpdump
sudo apt install -y tcpdump
# Check available interfaces
sudo tcpdump -D
# Capture packets for all interfaces
sudo tcpdump -i any
sudo tcpdump -i eth0
# Capture IPv6 traffic
sudo tcpdump -nn ip6
# Limit number of packets to be captured
sudo tcpdump -i any -c 5
# Disable name resolution by using the option -n and port resolution with -nn
sudo tcpdump -i any -c5 -nn
# Limit capture to only packets related to a specific host by using the host filter
sudo tcpdump -i any -c5 -nn host 54.204.39.132
# To filter packets based on protocol, specifying the protocol in the command line
sudo tcpdump -i any -c5 icmp
# To filter packets based on the desired service or port, use the port filter
sudo tcpdump -i any -c5 -nn port 80
# Filter packets based on the source or destination IP Address or hostname
sudo tcpdump -i any -c5 -nn src 192.168.122.98
sudo tcpdump -i any -c5 -nn dst 192.168.122.98
# You can also combine filters by using the logical operators and and or to create more complex expressions
sudo tcpdump -i any -c5 -nn src 192.168.122.98 and port 80
# You can create more complex expressions by grouping filter with parentheses. In this case, enclose the entire filter
expression with quotation marks to prevent the shell from confusing them with shell expressions
sudo tcpdump -i any -c5 -nn "port 80 and (src 192.168.122.98 or src 54.204.39.132)"
# To see the packet content, tcpdump provides two additional flags: -X to print content in hex, and ASCII or -A to print
the content in ASCII. To see the http content of a web request
sudo tcpdump -i any -c10 -nn -A port 80
# To save packets to a file instead of displaying them on screen, use the option -w
sudo tcpdump -i any -c10 -nn -w webserver.pcap port 80
# Tcpdump creates a file in binary format so you cannot simply open it with a text editor. To read the contents of the
file, execute tcpdump with the -r option
tcpdump -nn -r webserver.pcap
source: https://hackertarget.com/tcpdump-examples/
# Extract HTTP Request URL's
sudo tcpdump -i any -Avnl | egrep -i "POST /|GET /|Host:"
# Extract HTTP Passwords in POST Requests
sudo tcpdump -s 0 -A -n -l | egrep -i "POST /|pwd=|passwd=|password=|Host:"
# Capture all plaintext passwords
sudo tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -l -A | \
egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment