Tcpdump

Basic Commands

  • Capture packets on a specific interface:

    tcpdump -i eth0
  • Capture only a specific number of packets:

    tcpdump -c 10
  • Write capture to a file:

    tcpdump -w capture.pcap
  • Read packets from a file:

    tcpdump -r capture.pcap

Filtering Options

  • Filter by host:

    tcpdump host 192.168.1.1
  • Filter by source IP:

    tcpdump src 192.168.1.1
  • Filter by destination IP:

    tcpdump dst 192.168.1.1
  • Filter by port:

    tcpdump port 80
  • Filter by source port:

    tcpdump src port 80
  • Filter by destination port:

    tcpdump dst port 80
  • Filter by protocol:

    tcpdump tcp
    tcpdump udp

Advanced Filtering

  • Capture only TCP packets with a specific flag set (here SYN; tcpflags is byte 13 of the TCP header, and tcp-syn, tcp-ack, tcp-fin, tcp-rst and tcp-push are predefined bit masks for it):

    tcpdump 'tcp[tcpflags] & tcp-syn != 0'
  • Capture packets of at least a given length in bytes (greater N matches length >= N, including the link-layer header):

    tcpdump 'greater 1024'
  • Capture packets with a specific string in the payload (-l line-buffers the output so grep sees matches immediately; a string split across two TCP segments will not match, so reassemble the stream first for anything reliable):

    tcpdump -l -A | grep 'string'

Display Options

  • Verbose output:

    tcpdump -v
  • More verbose output:

    tcpdump -vv
  • Most verbose output:

    tcpdump -vvv
  • Print in ASCII:

    tcpdump -A
  • Print in HEX and ASCII:

    tcpdump -X

Time Options

  • Rotate the capture file on a timer (-G is a rotation interval in seconds, not a total duration; the file name is a strftime format, so every rotated file gets its own timestamp):

    tcpdump -G 60 -w capture-%Y-%m-%d_%H-%M-%S.pcap
  • Capture for a fixed duration by limiting the number of rotated files with -W (here tcpdump exits after one 60-second file):

    tcpdump -G 60 -W 1 -w capture.pcap
  • Print the full date and time on each line (the default shows only the time of day; -tt prints seconds since the epoch and -ttt the delta since the previous packet):

    tcpdump -tttt

Extracting Files (Images, Videos, Docs)

  1. Capture packets and save to a file:

    tcpdump -i eth0 -w capture.pcap
  2. Use tcpflow to reconstruct the TCP streams:

    tcpflow -r capture.pcap

    This writes one file per direction of each TCP connection, named with zero-padded addresses and ports, e.g. 192.168.001.001.00080-192.168.001.002.12345 for the data sent from 192.168.1.1:80 to 192.168.1.2:12345. Because each file holds the reassembled payload, a file that was split across many packets is contiguous here.

  3. Identify and extract files: search the stream file for file signatures and note their byte offsets. GNU grep only interprets \xNN escapes with -P, and only matches raw bytes in the C locale, so prefix LC_ALL=C; -a treats the file as text, -o prints only the match and -b prefixes each match with its byte offset.

    • Images: a JPEG starts with \xff\xd8\xff and ends with \xff\xd9 (a JPEG with an EXIF thumbnail contains a second, nested SOI/EOI pair, so take the last \xff\xd9 before the next header); a PNG starts with \x89PNG.

      LC_ALL=C grep -obaP '\xff\xd8\xff|\xff\xd9' 192.168.001.001.00080-192.168.001.002.12345
    • Videos: MP4 files carry the string ftyp at offset 4, so the file starts 4 bytes before the match.

      grep -oba ftyp 192.168.001.001.00080-192.168.001.002.12345
    • Documents: PDF files start with %PDF- and end with %%EOF (a PDF that was updated in place contains several %%EOF markers; the last one before the next file header is the real end).

      grep -obaE '%PDF-|%%EOF' 192.168.001.001.00080-192.168.001.002.12345
  4. Reassemble files: cut the bytes from the start offset up to and including the trailer out of the stream file. Note that xxd -r only reverses a hex dump and cannot cut a byte range; use dd (or a hex editor such as bless). For example, to extract a JPEG, with START the offset grep reported for \xff\xd8 and END the offset it reported for \xff\xd9 (the trailer is 2 bytes long):

    START=<offset of \xff\xd8>; END=<offset of \xff\xd9>
    dd if=192.168.001.001.00080-192.168.001.002.12345 of=image.jpg bs=1 skip=$START count=$((END + 2 - START)) status=none
  5. Verify and open the extracted files: check the type with file image.jpg, then open the file in the appropriate viewer to confirm it is complete.
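Steps 3 to 5 above as one added Python script (example code written for this page; it is not part of the original cheat sheet and not tcpflow's or tcpdump's own code). It does what the grep and dd steps do by hand: it scans a tcpflow output file for JPEG, PNG, PDF and MP4 headers, but instead of taking the first trailer it walks each format's own structure (JPEG marker segments, PNG chunks, top-level MP4 boxes, the last %%EOF of a PDF) to find the real end. That is what lets it skip the nested SOI/EOI of an EXIF thumbnail and survive a PDF with incremental updates. The file-naming scheme, the set of MP4 box types it accepts and the sample stream built in build_sample() are assumptions made for the example.

```python
"""Carve files out of a reconstructed TCP stream by file signature.
Added example: not part of the original cheat sheet, nor tcpflow's or tcpdump's code.
It replaces the grep/xxd steps above: find each header, walk the file's own structure
to its end, write out the bytes in between. Usage: carve.py [tcpflow-output-file
[existing-outdir]]; with no arguments it runs on the constructed sample stream."""
import re, sys

# (kind, header pattern); the MP4 pattern includes the 4-byte box size before 'ftyp'
HEADERS = [("jpg", rb"\xff\xd8\xff"), ("png", rb"\x89PNG\r\n\x1a\n"),
           ("pdf", rb"%PDF-"), ("mp4", rb"(?s).{4}ftyp")]
# Top-level ISO BMFF (MP4/MOV) box types expected while walking a file (assumed set).
MP4_BOXES = {b"ftyp", b"moov", b"mdat", b"free", b"skip", b"moof", b"mfra", b"uuid", b"sidx"}

def jpeg_end(data, start):
    """Walk JPEG marker segments; APP segments (EXIF thumbnail) are skipped by length."""
    pos = start + 2                                # skip SOI (ff d8)
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xDA:                         # SOS: scan data follows, in which
            eoi = data.find(b"\xff\xd9", pos)      # ff d9 cannot occur (byte stuffing)
            return None if eoi < 0 else eoi + 2
        if marker in (0xD8, 0x01, 0xFF) or 0xD0 <= marker <= 0xD7:
            pos += 1 if marker == 0xFF else 2      # fill byte / standalone marker
        else:
            pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
    return None                                    # corrupt or truncated

def png_end(data, start):
    """Walk PNG chunks (length, type, data, CRC) until IEND."""
    pos = start + 8                                # skip the 8-byte signature
    while pos + 8 <= len(data):
        length, ctype = int.from_bytes(data[pos:pos + 4], "big"), data[pos + 4:pos + 8]
        pos += 12 + length
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None

def pdf_end(data, start, limit):
    """Updated PDFs hold several %%EOF; the file ends at the last one before `limit`."""
    idx = data.rfind(b"%%EOF", start, limit)
    if idx < 0:
        return None
    end = idx + 5
    if data[end:end + 2] == b"\r\n":               # include one line ending, if present
        end += 2
    elif end < limit and data[end] in b"\r\n":
        end += 1
    return end

def mp4_end(data, start):
    """Walk top-level MP4 boxes (4-byte big-endian size + type) until one does not fit or is unknown."""
    pos = start
    while pos + 8 <= len(data):
        size = int.from_bytes(data[pos:pos + 4], "big")
        if data[pos + 4:pos + 8] not in MP4_BOXES or size < 8 or pos + size > len(data):
            break                                  # size 0/1 (to-end / 64-bit) also stops here
        pos += size
    return pos if pos > start else None

def carve(data):
    """Return [(kind, start, end)] per file; headers inside an already carved file are skipped."""
    hits = sorted((m.start(), kind) for kind, pat in HEADERS for m in re.finditer(pat, data))
    pdf_starts = [s for s, k in hits if k == "pdf"]
    results, cursor = [], 0
    for start, kind in hits:
        if start < cursor:
            continue                               # e.g. EXIF thumbnail, image inside a PDF
        if kind == "pdf":
            end = pdf_end(data, start, next((s for s in pdf_starts if s > start), len(data)))
        else:
            end = {"jpg": jpeg_end, "png": png_end, "mp4": mp4_end}[kind](data, start)
        if end is not None:
            results.append((kind, start, end))
            cursor = end
    return results

def build_sample():
    """Constructed sample (not a real capture): multipart HTTP body with a JPEG that
    carries an EXIF thumbnail, a PNG, a PDF with one incremental update, a tiny MP4."""
    thumb = b"\xff\xd8\xff\xdb\x00\x04\x00\x00\xff\xda\x00\x02\x12\x34\xff\xd9"
    jpeg = (b"\xff\xd8\xff\xe1" + (8 + len(thumb)).to_bytes(2, "big") + b"Exif\0\0" + thumb
            + b"\xff\xdb\x00\x04\x00\x00"                   # DQT segment
            + b"\xff\xda\x00\x02\xab\xff\x00\xcd\xff\xd9")  # SOS, stuffed scan data, EOI
    png = (b"\x89PNG\r\n\x1a\n" + (13).to_bytes(4, "big") + b"IHDR" + bytes(17)
           + bytes(4) + b"IEND\xaeB`\x82")
    pdf = b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n%%EOF\n2 0 obj\n<<>>\nendobj\n%%EOF\n"
    mp4 = b"\0\0\0\x10ftypisom\0\0\x02\0" + b"\0\0\0\x0cmdat\xde\xad\xbe\xef"  # ftyp + mdat boxes
    stream = (b"HTTP/1.1 200 OK\r\nContent-Type: multipart/mixed\r\n\r\n"
              + b"\r\n--boundary\r\n".join([jpeg, png, pdf, mp4]) + b"\r\n--boundary--\r\n")
    expected = [(kind, stream.index(blob), stream.index(blob) + len(blob))
                for kind, blob in (("jpg", jpeg), ("png", png), ("pdf", pdf), ("mp4", mp4))]
    return stream, expected                        # expected == carve(stream)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()[0]
    for kind, start, end in carve(blob):
        print(f"{kind}\t{start}-{end}\t{end - start} bytes")
        if len(sys.argv) > 2:                      # optional existing output directory
            open(f"{sys.argv[2]}/{start}.{kind}", "wb").write(blob[start:end])
```

Run it as python3 carve.py 192.168.001.001.00080-192.168.001.002.12345 out/ (out/ must already exist) to write every carved file as <offset>.<kind>, or with no arguments to carve the constructed sample and print the offsets, which you can cross-check against the grep output and a dd cut. A truncated stream (a connection that was still open when the capture stopped) yields no end for the last file, and the carver reports nothing for it rather than guessing; that is the case to look for when a download you expected is missing from the output.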

Additional Tools

  • Scapy: Python library to read, write, and manipulate pcap files.

    from scapy.all import rdpcap, Raw, TCP

    packets = rdpcap('capture.pcap')
    for packet in packets:
        if TCP in packet and Raw in packet:
            data = packet[Raw].load   # payload bytes of this one segment only
            # Further processing to identify and extract files: group segments per
            # flow and order them by packet[TCP].seq first, since a file signature
            # or the file itself may be split across several segments.
  • Wireshark: GUI-based tool to analyze pcap files and extract objects directly.

    • Open the pcap file in Wireshark.

    • Go to File -> Export Objects -> HTTP (or other relevant protocol).

By using these commands and techniques, you can effectively utilize tcpdump for network analysis and extract various types of files from captured network traffic.
