Tcpdump

Basic Commands

Capture packets on a specific interface:
```
tcpdump -i eth0
```
Capture only a specific number of packets:
```
tcpdump -c 10
```
Write capture to a file:
```
tcpdump -w capture.pcap
```
Read packets from a file:
```
tcpdump -r capture.pcap
```

Filtering Options

Filter by host:
```
tcpdump host 192.168.1.1
```
Filter by source IP:
```
tcpdump src 192.168.1.1
```
Filter by destination IP:
```
tcpdump dst 192.168.1.1
```
Filter by port:
```
tcpdump port 80
```
Filter by source port:
```
tcpdump src port 80
```
Filter by destination port:
```
tcpdump dst port 80
```
Filter by protocol:
```
tcpdump tcp
tcpdump udp
```

Advanced Filtering

Capture only TCP packets with a specific flag:
```
tcpdump 'tcp[tcpflags] & tcp-syn != 0'
```
Capture packets larger than a specific size:
```
tcpdump 'greater 1024'
```
Capture packets with a specific string in the payload:
```
tcpdump -A | grep 'string'
```

Display Options

Verbose output:
```
tcpdump -v
```
More verbose output:
```
tcpdump -vv
```
Most verbose output:
```
tcpdump -vvv
```
Print in ASCII:
```
tcpdump -A
```
Print in HEX and ASCII:
```
tcpdump -X
```

Time Options

Capture packets for a specific duration:

tcpdump -G 60 -w capture-%Y-%m-%d_%H-%M-%S.pcap

Add timestamp to output:
```
tcpdump -tttt
```

Extracting Files (Images, Videos, Docs)

Capture packets and save to a file:
```
tcpdump -i eth0 -w capture.pcap
```
Use tcpflow to reconstruct the TCP stream:
```
tcpflow -r capture.pcap
```
This will create files in the format of 192.168.1.1.00080-192.168.1.2.12345 representing the data flow between these IPs and ports.
Identify and extract files:
- Images: Identify JPEG, PNG, or other image file signatures (e.g., JPEG starts with \xff\xd8 and ends with \xff\xd9).
  grep -a -o -b --binary-files=text -E "\xff\xd8|\xff\xd9" 192.168.1.1.00080-192.168.1.2.12345
- Videos: Look for video file signatures (e.g., MP4 files start with ftyp).
  grep -a -o -b --binary-files=text -E "ftyp" 192.168.1.1.00080-192.168.1.2.12345
- Documents: Identify document file signatures (e.g., PDF files start with %PDF).
  grep -a -o -b --binary-files=text -E "%PDF" 192.168.1.1.00080-192.168.1.2.12345
Reassemble files: Use a hex editor like xxd or bless to cut the identified bytes and save them as separate files. For example, to extract a JPEG image:
```
xxd -r -p <start_byte>-<end_byte> 192.168.1.1.00080-192.168.1.2.12345 > image.jpg
```
Verify and open the extracted files: Open the extracted files using appropriate viewers to verify their integrity.

Additional Tools

Scapy: Python library to read, write, and manipulate pcap files.

from scapy.all import *

packets = rdpcap('capture.pcap')
for packet in packets:
    if Raw in packet:
        data = packet[Raw].load
        # Further processing to identify and extract files

Wireshark: GUI-based tool to analyze pcap files and extract objects directly.
- Open the pcap file in Wireshark.
- Go to File -> Export Objects -> HTTP (or other relevant protocol).

By using these commands and techniques, you can effectively utilize tcpdump for network analysis and extract various types of files from captured network traffic.

PreviousNmap NextCloud Tools

Last updated 1 year ago

Was this helpful?