The all knowing TCPdump page with examples

I would really like this page to be a place where I and others can grab tcpdump syntax that we've forgotten over time, without having to rediscover the exact Google query we used previously to find it.

You can run tcpdump on any interface and filter for network subnets or hosts, for example (the mask must cover every non-zero bit of the address; libpcap rejects something like net 8.8.8.0/8 with "non-network bits set"):

tcpdump -nni eth2 net 8.8.8.0/24 or net 1.1.1.0/24

For finding CDP packets (CDP is carried over SNAP, and 0x2000 is its SNAP protocol ID, found at byte offset 20 of the frame). Note that -i takes the interface name as its argument, so -v has to come before it:

tcpdump -nnvi eth0 -s 1500 -c 1 'ether[20:2] == 0x2000'

LLDP (e.g. from a Juniper device) or CDP, matched on the LLDP ethertype 0x88cc or the CDP SNAP ID:

tcpdump -nn -v -i eth0 -s 1500 -c 1 '(ether[12:2]=0x88cc or ether[20:2]=0x2000)'

For narrowing down packets going in or out of an interface. Use -Q or -P depending on your tcpdump version (-Q is the current spelling; older builds only understood -P).

tcpdump -nni eth0 -P out ether src 84:b8:02:f2:26:d0

Building on the last capture, you can also test TCP flags, for example to find RST-only packets. The two primitives have to be joined with "and" (libpcap has no implicit and), and the options are kept in front of the filter so the command also works where getopt stops at the first non-option argument:

tcpdump -nnvi eth0 -P out 'ether src 84:b8:02:f2:26:d0 and tcp[tcpflags] & (tcp-rst) != 0'

Adding on further: packets leaving the interface from source port 443, tested on the PSH and ACK flags, excluding one source MAC, written to a file and stopping after 100 packets. Note that `tcp[tcpflags] & (tcp-push|tcp-ack) != 0` matches packets with PSH or ACK set; to match packets that carry neither flag, compare `== 0` instead.

tcpdump -nni eth0 -P out -v -c 100 -w testing.pcap 'src port 443 and tcp[tcpflags] & (tcp-push|tcp-ack) != 0 and not ether src 84:b8:02:f2:26:d0'

This one gives us layer 2 info (-e prints the Ethernet header with source and destination MAC), matches packets with the SYN flag set (`!= 0`; use `== 0` for packets without SYN) and stops after 100 packets.

tcpdump -enni eth0 -c 100 "tcp[tcpflags] & (tcp-syn) != 0"

If you are spanning a port and want to quickly know the MAC of the switch, this should give you the source MAC of the first packet with SYN set and ACK clear (a client's opening packet); field 2 of the -e output is the source MAC.

tcpdump -enni eth0 -c 1 "tcp[tcpflags] & (tcp-syn) != 0" and "tcp[tcpflags] & (tcp-ack) == 0" | cut -d" " -f2

This should get you the upstream device's MAC in the same situation: field 4 of the -e output is the destination MAC, with the trailing comma stripped.

tcpdump -enni eth0 -c 1 "tcp[tcpflags] & (tcp-syn) != 0" and "tcp[tcpflags] & (tcp-ack) == 0" | cut -d" " -f4 | cut -d"," -f1

If you want to get a bit fancier and have the usual Linux userland available, this gives a better idea by looking at 20 inbound SYNs instead of one and reporting the most common source MAC. The last field is pulled with awk rather than cut, because uniq -c pads its counts to a fixed width and the cut field number shifts with the count:

tcpdump -enni eth0 -Q in -c 20 "tcp[tcpflags] & (tcp-syn) != 0" and "tcp[tcpflags] & (tcp-ack) == 0" 2>&1 | grep "ethertype" | cut -d" " -f2 | sort | uniq -c | sort -n -r -k1 | head -n 1 | awk '{print $2}'

Same for the upstream device's MAC:

tcpdump -enni eth0 -Q in -c 20 "tcp[tcpflags] & (tcp-syn) != 0" and "tcp[tcpflags] & (tcp-ack) == 0" 2>&1 | grep "ethertype" | cut -d" " -f4 | cut -d"," -f1 | sort | uniq -c | sort -n -r -k1 | head -n 1 | awk '{print $2}'
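The two "most common MAC" pipelines above can be replaced by one small function. The following is an added example and not part of the original page: it counts source or destination MACs in tcpdump -e output and prints the winner. The capture lines are constructed sample output in the format tcpdump prints with -e (the MACs and IPs are made up), so the function can be exercised offline; the commented tcpdump invocation at the end is how it would be fed from a live capture.

```shell
# Added example (not from the original page): report the most frequent source
# or destination MAC in tcpdump -e output, without depending on the column
# width that uniq -c pads its counts to.

# Constructed sample of tcpdump -enni output (inbound SYNs); the last line is
# the usual stderr banner, which is why the live pipeline uses 2>&1.
SAMPLE_CAPTURE='12:00:00.000001 84:b8:02:f2:26:d0 > 00:1c:73:00:00:01, ethertype IPv4 (0x0800), length 74: 10.0.0.5.51234 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
12:00:00.000002 84:b8:02:f2:26:d1 > 00:1c:73:00:00:01, ethertype IPv4 (0x0800), length 74: 10.0.0.6.51235 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
12:00:00.000003 84:b8:02:f2:26:d0 > 00:1c:73:00:00:01, ethertype IPv4 (0x0800), length 74: 10.0.0.5.51236 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
12:00:00.000004 84:b8:02:f2:26:d0 > 00:1c:73:00:00:02, ethertype IPv4 (0x0800), length 74: 10.0.0.5.51237 > 203.0.113.11.443: Flags [S], seq 1, win 64240, length 0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode'

# top_mac FIELD < tcpdump-output
# FIELD 2 is the source MAC, FIELD 4 the destination MAC (its trailing comma
# is stripped). Only lines containing "ethertype" (i.e. packet lines printed
# with -e) are counted; ties go to the MAC seen first.
top_mac() {
    awk -v f="$1" '
        /ethertype/ {
            mac = $f
            sub(/,$/, "", mac)
            count[mac]++
            if (count[mac] > best) { best = count[mac]; winner = mac }
        }
        END { if (winner != "") print winner }'
}

top_src_mac() { top_mac 2; }
top_dst_mac() { top_mac 4; }

# Live use (needs root and a real interface), in place of the cut/sort chain:
#   tcpdump -enni eth0 -Q in -c 20 'tcp[tcpflags] & (tcp-syn) != 0 and tcp[tcpflags] & (tcp-ack) == 0' 2>&1 | top_src_mac

printf '%s\n' "$SAMPLE_CAPTURE" | top_src_mac   # 84:b8:02:f2:26:d0
printf '%s\n' "$SAMPLE_CAPTURE" | top_dst_mac   # 00:1c:73:00:00:01
```

Keeping the counting in one awk invocation avoids both the fragile field index and the pointless numeric sort of MAC strings in the original chain.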


And to borrow some great examples from https://hackertarget.com/tcpdump-examples/ (-A prints the payload as ASCII and -l line-buffers stdout so grep sees each line immediately):

tcpdump -nn -A -s1500 -l | grep "User-Agent:"
tcpdump -nn -A -s1500 -l | egrep -i 'User-Agent:|Host:'


HTTP GET requests and HTTP POST requests:

tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'
tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'

And an explanation, quoted from the same page, of how this capture filter works:

"The hexadecimal being matched in these expressions matches the ASCII for GET and POST.

As an explanation tcp[((tcp[12:1] & 0xf0) >> 2):4] first determines the location of the bytes we are interested in (after the TCP header) and then selects the 4 bytes we wish to match against."
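To make the flag tests from the earlier examples and the GET/POST offset arithmetic concrete, here is an added example that is not from the original page or from hackertarget.com. It evaluates the same byte comparisons libpcap performs, but on a constructed TCP segment given as a hex string that starts at tcp[0] (the first byte of the TCP header, exactly as the filters index it). The segments, ports and payloads are made up; it also shows the edge case of a SYN with no payload, which libpcap rejects because the referenced bytes lie past the end of the packet.

```shell
# Added example (not from the original page): evaluate tcp[tcpflags] mask
# tests and the tcp[((tcp[12:1] & 0xf0) >> 2):4] GET/POST test on constructed
# TCP segments, to show what the filters actually compare.

# Constructed segment 1: src port 51234, dst port 80, seq 1, ack 2, data
# offset 8 words (20-byte fixed header + 12 bytes of NOP,NOP,timestamp
# options), flags PSH|ACK (0x18), payload "GET / HTTP/1.1".
SEG_GET='c822005000000001000000028018faf000000000'
SEG_GET="${SEG_GET}0101080a0000000100000002"
SEG_GET="${SEG_GET}474554202f20485454502f312e31"

# Constructed segment 2: same header, payload "POST /wp-login.php HTTP/1.1".
SEG_POST='c822005000000001000000028018faf000000000'
SEG_POST="${SEG_POST}0101080a0000000100000002"
SEG_POST="${SEG_POST}504f5354202f77702d6c6f67696e2e70687020485454502f312e31"

# Constructed segment 3: a bare SYN, data offset 5 words, flags 0x02, no payload.
SEG_SYN='c822005000000001000000005002faf000000000'

# hex_at SEG OFFSET LEN -> hex digits of tcp[OFFSET:LEN]
hex_at() { printf '%s' "$1" | cut -c"$((2*$2+1))-$((2*$2+2*$3))"; }

# tcp_int SEG OFFSET LEN -> decimal value of tcp[OFFSET:LEN], or -1 when the
# bytes lie past the end of the segment (libpcap then rejects the packet, so
# no comparison on them can ever be true).
tcp_int() {
    hex=$(hex_at "$1" "$2" "$3")
    if [ "${#hex}" -ne "$((2*$3))" ]; then printf '%s\n' -1; else printf '%s\n' "$((0x$hex))"; fi
}

# tcp_flag_test SEG MASK -> "set" when tcp[tcpflags] & MASK != 0, else "clear".
# tcpflags is byte 13; tcp-syn=0x02, tcp-rst=0x04, tcp-push=0x08, tcp-ack=0x10.
tcp_flag_test() {
    if [ "$(( $(tcp_int "$1" 13 1) & $2 ))" -ne 0 ]; then echo set; else echo clear; fi
}

# http_method SEG -> GET, POST or none, using the filter's own arithmetic: the
# high nibble of byte 12 is the data offset in 32-bit words, so
# (tcp[12] & 0xf0) >> 2 is the header length in bytes, i.e. where the payload
# starts; the 4 bytes there are compared with "GET " and "POST".
http_method() {
    off=$(( ( $(tcp_int "$1" 12 1) & 0xf0 ) >> 2 ))
    word=$(tcp_int "$1" "$off" 4)
    if [ "$word" -eq "$((0x47455420))" ]; then echo GET
    elif [ "$word" -eq "$((0x504f5354))" ]; then echo POST
    else echo none; fi
}

http_method "$SEG_GET"                       # GET
http_method "$SEG_POST"                      # POST
http_method "$SEG_SYN"                       # none (no payload to look at)
tcp_flag_test "$SEG_SYN" 0x02                # set   (SYN)
tcp_flag_test "$SEG_SYN" 0x10                # clear (ACK)
tcp_flag_test "$SEG_GET" "$((0x08 | 0x10))"  # set   (PSH or ACK, as != 0 tests)
```

The last line is the point made about the PSH|ACK filter above: with a multi-bit mask, `!= 0` is true as soon as any one of the masked flags is set, and `== 0` is the only way to express "none of them".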

tcpdump -s 0 -v -n -l | egrep -i "POST /|GET /|Host:"

tcpdump: listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
	POST /wp-login.php HTTP/1.1
	Host: dev.example.com
	GET /wp-login.php HTTP/1.1
	Host: dev.example.com
	GET /favicon.ico HTTP/1.1
	Host: dev.example.com
	GET / HTTP/1.1
	Host: dev.example.com


HTTP passwords in POST requests (cleartext HTTP only; this is what an unencrypted login looks like on the wire):

tcpdump -s 0 -A -n -l | egrep -i "POST /|pwd=|passwd=|password=|Host:"

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:25:54.799014 IP 10.10.1.30.39224 > 10.10.1.125.80: Flags [P.], seq 1458768667:1458770008, ack 2440130792, win 704, options [nop,nop,TS val 461552632 ecr 208900561], length 1341: HTTP: POST /wp-login.php HTTP/1.1
.....s..POST /wp-login.php HTTP/1.1


Manjaro error: failed to commit transaction (conflicting files)

Just a few months ago I continued my Linux distro discovery tour (and I may never leave this distro). The next stop was Manjaro Linux. I knew Manjaro was going to be a difficult change due to its very different approach to package management, and it was that same system that led me to write this simple blog post today. I ran into a tedious error that I spent way too long trying to figure out.

I enjoy having the ability to install Kali Linux tools or the like on a computer, so it was a pleasant surprise to learn about the guys over at BlackArch and how easily their repository integrates into Manjaro.

Once it was integrated, I read about a tool that sounded interesting. The tool wifiphisher was now at my disposal, or so I thought.

I ran into a bit of dependency hell, getting about 100 of these:

error: failed to commit transaction (conflicting files)
python2-pyasn1: /usr/lib/python2.7/site-packages/pyasn1/__init__.py exists in filesystem
python2-pyasn1: /usr/lib/python2.7/site-packages/pyasn1/__init__.pyc exists in filesystem
python2-pyasn1: /usr/lib/python2.7/site-packages/pyasn1/codec/__init__.py exists in filesystem

After several Google results I ended up trying pacman -Sf, but that turned out to be an old article and the -f flag has since been deprecated. I felt a bit defeated, but I did manage to find the answer after a good hard look at the man page.

--force

This seemed to be the flag I was looking for, and after I added it to the end of my command I was well on my way to practicing some wifi phishing.

sudo pacman -S wifiphisher --force

I wanted to write this article because I did not find anything directly related to what I was looking for.