Skip to content

Instantly share code, notes, and snippets.

@huyanhvn
Last active August 29, 2015 14:23
Show Gist options
  • Save huyanhvn/e724140ee94d0e2714b2 to your computer and use it in GitHub Desktop.
Save huyanhvn/e724140ee94d0e2714b2 to your computer and use it in GitHub Desktop.
tcpdump
# tcpdump -i eth0 -A -s65535 port 8080
intecepts all packets goving over port 8080 on eth0 network interface.
-s means size of each packet. so it dumps first 65k of the packet. default is much short and will truncate long http responses.
-A means show packets as ascii on screen
-w filename
for non plain text protocol (e.g. LDAP), write to file and use wireshark.
https://danielmiessler.com/study/tcpdump/
# wireshark
https://www.wireshark.org/tools/string-cf.html
this lets you do
tcpdump -A -s 400 'port 13400 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450 or (tcp[((tcp[12:1] & 0xf0) >> 2):2] = 0x4745 && tcp[((tcp[12:1] & 0xf0) >> 2) + 2:1] = 0x54))'
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment