huyanhvn/tcpdump

## tcpdump
# tcpdump -i eth0 -A -s65535 port 8080
intecepts all packets goving over port 8080 on eth0  network interface.
-s means size of each packet. so it dumps first 65k of the packet. default is much short and will truncate long http responses.
-A means show packets as ascii on screen
-w filename

for non plain text protocol (e.g. LDAP), write to file and use wireshark.

https://danielmiessler.com/study/tcpdump/


# wireshark
https://www.wireshark.org/tools/string-cf.html
this lets you do
tcpdump -A -s 400 'port 13400 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450 or (tcp[((tcp[12:1] & 0xf0) >> 2):2] = 0x4745 && tcp[((tcp[12:1] & 0xf0) >> 2) + 2:1] = 0x54))'
	# tcpdump -i eth0 -A -s65535 port 8080
	intecepts all packets goving over port 8080 on eth0 network interface.
	-s means size of each packet. so it dumps first 65k of the packet. default is much short and will truncate long http responses.
	-A means show packets as ascii on screen
	-w filename

	for non plain text protocol (e.g. LDAP), write to file and use wireshark.

	https://danielmiessler.com/study/tcpdump/


	# wireshark
	https://www.wireshark.org/tools/string-cf.html
	this lets you do
	tcpdump -A -s 400 'port 13400 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450 or (tcp[((tcp[12:1] & 0xf0) >> 2):2] = 0x4745 && tcp[((tcp[12:1] & 0xf0) >> 2) + 2:1] = 0x54))'