# Tcpdump

### Basic Commands

* **Capture packets on a specific interface:**

  ```bash
  tcpdump -i eth0
  ```
* **Capture only a specific number of packets:**

  ```bash
  tcpdump -c 10
  ```
* **Write capture to a file:**

  ```bash
  tcpdump -w capture.pcap
  ```
* **Read packets from a file:**

  ```bash
  tcpdump -r capture.pcap
  ```

### Filtering Options

* **Filter by host:**

  ```bash
  tcpdump host 192.168.1.1
  ```
* **Filter by source IP:**

  ```bash
  tcpdump src 192.168.1.1
  ```
* **Filter by destination IP:**

  ```bash
  tcpdump dst 192.168.1.1
  ```
* **Filter by port:**

  ```bash
  tcpdump port 80
  ```
* **Filter by source port:**

  ```bash
  tcpdump src port 80
  ```
* **Filter by destination port:**

  ```bash
  tcpdump dst port 80
  ```
* **Filter by protocol:**

  ```bash
  tcpdump tcp
  tcpdump udp
  ```

### Advanced Filtering

* **Capture only TCP packets with a specific flag set (here SYN):**

  ```bash
  tcpdump 'tcp[tcpflags] & tcp-syn != 0'
  ```
* **Capture packets of at least a given length (`greater N` matches length >= N):**

  ```bash
  tcpdump 'greater 1024'
  ```
* **Capture packets with a specific string in the payload:**

  ```bash
  tcpdump -A -l | grep 'string'
  ```

  `-l` line-buffers tcpdump's output so matches appear as they are captured rather than after the pipe buffer fills.

### Display Options

* **Verbose output:**

  ```bash
  tcpdump -v
  ```
* **More verbose output:**

  ```bash
  tcpdump -vv
  ```
* **Most verbose output:**

  ```bash
  tcpdump -vvv
  ```
* **Print in ASCII:**

  ```bash
  tcpdump -A
  ```
* **Print in HEX and ASCII:**

  ```bash
  tcpdump -X
  ```

### Time Options

* **Capture for a fixed duration, or rotate the capture file on an interval:**

  ```bash
  tcpdump -G 60 -W 1 -w capture.pcap
  tcpdump -G 60 -w capture-%Y-%m-%d_%H-%M-%S.pcap
  ```

  `-G 60` starts a new file every 60 seconds (the `strftime` patterns in the name keep the files distinct); `-W 1` limits the run to a single file, so tcpdump exits after 60 seconds.
* **Print a full date and time on each line (the default timestamp is time of day only):**

  ```bash
  tcpdump -tttt
  ```

### Extracting Files (Images, Videos, Docs)

1. **Capture packets and save to a file:**

   ```bash
   tcpdump -i eth0 -w capture.pcap
   ```
2. **Use `tcpflow` to reconstruct the TCP stream:**

   ```bash
   tcpflow -r capture.pcap
   ```

   This will create files in the format of `192.168.1.1.00080-192.168.1.2.12345` representing the data flow between these IPs and ports.
3. **Identify and extract files:** `-o` prints only the matched bytes, `-b` prefixes each match with its byte offset in the file, `-a` treats the file as text, and `-P` (with `LC_ALL=C`) lets the pattern contain raw `\xNN` bytes; `-E` would treat `\xff` as the literal characters `xff`.
   * **Images:** Identify JPEG, PNG, or other image file signatures (e.g., JPEG starts with `\xff\xd8` and ends with `\xff\xd9`). The reported offset is the start of each marker, so the image ends two bytes after the `\xff\xd9` offset.

     ```bash
     LC_ALL=C grep -obaP '\xff\xd8|\xff\xd9' 192.168.1.1.00080-192.168.1.2.12345
     ```
   * **Videos:** Look for video file signatures (e.g., MP4 files start with `ftyp`, preceded by a 4-byte box size, so the file begins 4 bytes before the match).

     ```bash
     LC_ALL=C grep -obaP 'ftyp' 192.168.1.1.00080-192.168.1.2.12345
     ```
   * **Documents:** Identify document file signatures (e.g., PDF files start with `%PDF` and end with `%%EOF`).

     ```bash
     LC_ALL=C grep -obaP '%PDF|%%EOF' 192.168.1.1.00080-192.168.1.2.12345
     ```
4. **Reassemble files:** Use the byte offsets reported by `grep -b` to cut the identified range out of the stream with `dd` (or with a hex editor such as `bless`). For example, to extract a JPEG whose `\xff\xd8` was reported at `<start_byte>` and whose `\xff\xd9` was reported at `<end_byte>`:

   ```bash
   dd if=192.168.1.1.00080-192.168.1.2.12345 of=image.jpg bs=1 skip=<start_byte> count=$(( <end_byte> + 2 - <start_byte> ))
   ```
5. **Verify and open the extracted files:** Open the extracted files using appropriate viewers to verify their integrity.
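As an added example (not part of the original cheatsheet), the signature search and cut of steps 3 and 4 in Python, operating on a `tcpflow` output file read as bytes: `carve()` returns each header-to-trailer span with the same byte offsets `grep -b` would report, and `carve_file()` writes each hit to disk. The signature table, the function names and the embedded sample stream are this example's own constructions.

```python
import os
from typing import NamedTuple

# (kind, extension, header bytes, trailer bytes). Each hit runs from a header to the
# first trailer after it, exactly what the grep/dd steps above do by hand, so a JPEG
# with an embedded EXIF thumbnail (its own FFD8..FFD9) would be cut short.
SIGNATURES = [
    ("jpeg", "jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", "png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    ("pdf", "pdf", b"%PDF-", b"%%EOF"),
]

class Carved(NamedTuple):
    kind: str
    ext: str
    start: int  # header offset, the same number grep -b reports
    end: int    # one past the last trailer byte
    data: bytes

def carve(stream: bytes) -> list:
    """Return every header..trailer span in the stream, ordered by offset."""
    found = []
    for kind, ext, head, tail in SIGNATURES:
        pos = 0
        while (start := stream.find(head, pos)) >= 0:
            stop = stream.find(tail, start + len(head))
            if stop < 0:
                break  # header with no trailer: truncated transfer, skip it
            end = stop + len(tail)
            found.append(Carved(kind, ext, start, end, stream[start:end]))
            pos = end
    return sorted(found, key=lambda c: c.start)

def carve_file(path: str, outdir: str) -> list:
    """Carve one tcpflow output file, writing each hit to outdir/<offset>.<ext>."""
    with open(path, "rb") as fh:
        hits = carve(fh.read())
    os.makedirs(outdir, exist_ok=True)
    for h in hits:
        with open(os.path.join(outdir, f"{h.start}.{h.ext}"), "wb") as out:
            out.write(h.data)
    return hits

# Constructed sample stream: two HTTP responses, a minimal JPEG then a minimal PDF.
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n"
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x02\x03\xff\xd9"
    b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n\r\n"
    b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF\n"
)
```

Run `carve_file("192.168.1.1.00080-192.168.1.2.12345", "carved")` on a real stream; the offsets in the output file names can be cross-checked against `grep -ob`.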

#### Additional Tools

* **Scapy:** Python library to read, write, and manipulate pcap files. Each `Raw` payload is a single segment, so a file that spans several packets must first be reassembled in TCP sequence order (which is what `tcpflow` does).

  ```python
  from scapy.all import rdpcap, Raw

  packets = rdpcap('capture.pcap')
  for packet in packets:
      if Raw in packet:             # packet carries an undecoded payload
          data = packet[Raw].load   # raw bytes of this segment
          # Further processing to identify and extract files
  ```
* **Wireshark:** GUI-based tool to analyze pcap files and extract objects directly.
  * Open the pcap file in Wireshark.
  * Go to `File -> Export Objects -> HTTP` (or other relevant protocol).

By using these commands and techniques, you can effectively utilize `tcpdump` for network analysis and extract various types of files from captured network traffic.

