Tcpdump

Basic Commands

• Capture packets on a specific interface:

  Copy

  tcpdump -i eth0

• Capture only a specific number of packets:

  Copy

  tcpdump -c 10

• Write capture to a file:

  Copy

  tcpdump -w capture.pcap

• Read packets from a file:

  Copy

  tcpdump -r capture.pcap

Filtering Options

• Filter by host:

  Copy

  tcpdump host 192.168.1.1

• Filter by source IP:

  Copy

  tcpdump src 192.168.1.1

• Filter by destination IP:

  Copy

  tcpdump dst 192.168.1.1

• Filter by port:

  Copy

  tcpdump port 80

• Filter by source port:

  Copy

  tcpdump src port 80

• Filter by destination port:

  Copy

  tcpdump dst port 80

• Filter by protocol:

  Copy

  tcpdump tcp
  tcpdump udp

Advanced Filtering

• Capture only TCP packets with a specific flag:

  Copy

  tcpdump 'tcp[tcpflags] & tcp-syn != 0'

• Capture packets larger than a specific size:

  Copy

  tcpdump 'greater 1024'

• Capture packets with a specific string in the payload:

  Copy

  tcpdump -A | grep 'string'

Display Options

• Verbose output:

  Copy

  tcpdump -v

• More verbose output:

  Copy

  tcpdump -vv

• Most verbose output:

  Copy

  tcpdump -vvv

• Print in ASCII:

  Copy

  tcpdump -A

• Print in HEX and ASCII:

  Copy

  tcpdump -X

Time Options

• Capture packets for a specific duration:

  Copy

  tcpdump -G 60 -w capture-%Y-%m-%d_%H-%M-%S.pcap

• Add timestamp to output:

  Copy

  tcpdump -tttt

Extracting Files (Images, Videos, Docs)

1. Capture packets and save to a file:

   Copy

   tcpdump -i eth0 -w capture.pcap

2. Use tcpflow to reconstruct the TCP stream:

   Copy

   tcpflow -r capture.pcap

   This will create files in the format of 192.168.1.1.00080-192.168.1.2.12345 representing the data flow between these IPs and ports.

3. Identify and extract files:

   • Images: Identify JPEG, PNG, or other image file signatures (e.g., JPEG starts with \xff\xd8 and ends with \xff\xd9).

     Copy

     grep -a -o -b --binary-files=text -E "\xff\xd8|\xff\xd9" 192.168.1.1.00080-192.168.1.2.12345

   • Videos: Look for video file signatures (e.g., MP4 files start with ftyp).

     Copy

     grep -a -o -b --binary-files=text -E "ftyp" 192.168.1.1.00080-192.168.1.2.12345

   • Documents: Identify document file signatures (e.g., PDF files start with %PDF).

     Copy

     grep -a -o -b --binary-files=text -E "%PDF" 192.168.1.1.00080-192.168.1.2.12345

4. Reassemble files: Use a hex editor like xxd or bless to cut the identified bytes and save them as separate files. For example, to extract a JPEG image:

   Copy

   xxd -r -p <start_byte>-<end_byte> 192.168.1.1.00080-192.168.1.2.12345 > image.jpg

5. Verify and open the extracted files: Open the extracted files using appropriate viewers to verify their integrity.

Additional Tools

• Scapy: Python library to read, write, and manipulate pcap files.

  Copy

  from scapy.all import *
  
  packets = rdpcap('capture.pcap')
  for packet in packets:
      if Raw in packet:
          data = packet[Raw].load
          # Further processing to identify and extract files

• Wireshark: GUI-based tool to analyze pcap files and extract objects directly.

  • Open the pcap file in Wireshark.

  • Go to File -> Export Objects -> HTTP (or other relevant protocol).

By using these commands and techniques, you can effectively utilize tcpdump for network analysis and extract various types of files from captured network traffic.