Sakib37/tcpdump

## tcpdump
Source: https://opensource.com/article/18/10/introduction-tcpdump
# Install tcpdump
    sudo apt install -y tcpdump

# Check available interfaces
    sudo tcpdump -D

# Capture packets for all interfaces
    sudo tcpdump -i any
    sudo tcpdump -i eth0

# Capture IPv6 traffic
    sudo tcpdump -nn ip6

# Limit number of packets to be captured
    sudo tcpdump -i any -c 5

# Disable name resolution by using the option -n and port resolution with -nn
    sudo tcpdump -i any -c5 -nn

# Limit capture to only packets related to a specific host by using the host filter
    sudo tcpdump -i any -c5 -nn host 54.204.39.132

# To filter packets based on protocol, specifying the protocol in the command line
    sudo tcpdump -i any -c5 icmp

# To filter packets based on the desired service or port, use the port filter
    sudo tcpdump -i any -c5 -nn port 80

# Filter packets based on the source or destination IP Address or hostname
    sudo tcpdump -i any -c5 -nn src 192.168.122.98
    sudo tcpdump -i any -c5 -nn dst 192.168.122.98

# You can also combine filters by using the logical operators and and or to create more complex expressions
    sudo tcpdump -i any -c5 -nn src 192.168.122.98 and port 80

# You can create more complex expressions by grouping filter with parentheses. In this case, enclose the entire filter
  expression with quotation marks to prevent the shell from confusing them with shell expressions
    sudo tcpdump -i any -c5 -nn "port 80 and (src 192.168.122.98 or src 54.204.39.132)"

# To see the packet content, tcpdump provides two additional flags: -X to print content in hex, and ASCII or -A to print
  the content in ASCII. To see the http content of a web request
    sudo tcpdump -i any -c10 -nn -A port 80

# To save packets to a file instead of displaying them on screen, use the option -w
    sudo tcpdump -i any -c10 -nn -w webserver.pcap port 80

# Tcpdump creates a file in binary format so you cannot simply open it with a text editor. To read the contents of the
  file, execute tcpdump with the -r option
    tcpdump -nn -r webserver.pcap


source: https://hackertarget.com/tcpdump-examples/
# Extract HTTP Request URL's
    sudo tcpdump -i any -Avnl | egrep -i "POST /|GET /|Host:"

# Extract HTTP Passwords in POST Requests
    sudo tcpdump -s 0 -A -n -l | egrep -i "POST /|pwd=|passwd=|password=|Host:"

# Capture all plaintext passwords
    sudo tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -l -A | \
        egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '
	Source: https://opensource.com/article/18/10/introduction-tcpdump
	# Install tcpdump
	sudo apt install -y tcpdump

	# Check available interfaces
	sudo tcpdump -D

	# Capture packets for all interfaces
	sudo tcpdump -i any
	sudo tcpdump -i eth0

	# Capture IPv6 traffic
	sudo tcpdump -nn ip6

	# Limit number of packets to be captured
	sudo tcpdump -i any -c 5

	# Disable name resolution by using the option -n and port resolution with -nn
	sudo tcpdump -i any -c5 -nn

	# Limit capture to only packets related to a specific host by using the host filter
	sudo tcpdump -i any -c5 -nn host 54.204.39.132

	# To filter packets based on protocol, specifying the protocol in the command line
	sudo tcpdump -i any -c5 icmp

	# To filter packets based on the desired service or port, use the port filter
	sudo tcpdump -i any -c5 -nn port 80

	# Filter packets based on the source or destination IP Address or hostname
	sudo tcpdump -i any -c5 -nn src 192.168.122.98
	sudo tcpdump -i any -c5 -nn dst 192.168.122.98

	# You can also combine filters by using the logical operators and and or to create more complex expressions
	sudo tcpdump -i any -c5 -nn src 192.168.122.98 and port 80

	# You can create more complex expressions by grouping filter with parentheses. In this case, enclose the entire filter
	expression with quotation marks to prevent the shell from confusing them with shell expressions
	sudo tcpdump -i any -c5 -nn "port 80 and (src 192.168.122.98 or src 54.204.39.132)"

	# To see the packet content, tcpdump provides two additional flags: -X to print content in hex, and ASCII or -A to print
	the content in ASCII. To see the http content of a web request
	sudo tcpdump -i any -c10 -nn -A port 80

	# To save packets to a file instead of displaying them on screen, use the option -w
	sudo tcpdump -i any -c10 -nn -w webserver.pcap port 80

	# Tcpdump creates a file in binary format so you cannot simply open it with a text editor. To read the contents of the
	file, execute tcpdump with the -r option
	tcpdump -nn -r webserver.pcap


	source: https://hackertarget.com/tcpdump-examples/
	# Extract HTTP Request URL's
	sudo tcpdump -i any -Avnl \| egrep -i "POST /\|GET /\|Host:"

	# Extract HTTP Passwords in POST Requests
	sudo tcpdump -s 0 -A -n -l \| egrep -i "POST /\|pwd=\|passwd=\|password=\|Host:"

	# Capture all plaintext passwords
	sudo tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -l -A \| \
	egrep -i -B5 'pass=\|pwd=\|log=\|login=\|user=\|username=\|pw=\|passw=\|passwd=\|password=\|pass:\|user:\|username:\|password:\|login:\|pass \|user '