% wireshark, tshark, tcpdump, packets, network-analysis # Wireshark - open GUI wireshark # Wireshark - open specific file wireshark # tshark - capture on interface sudo tshark -i # tshark - capture to file sudo tshark -i -w # tshark - read pcap file tshark -r # tshark - filter by IP tshark -r -Y "ip.addr == " # tshark - filter by port tshark -r -Y "tcp.port == " # tshark - HTTP traffic only tshark -r -Y "http" # tshark - DNS traffic only tshark -r -Y "dns" # tshark - follow TCP stream tshark -r -z follow,tcp,ascii, # tshark - extract HTTP objects tshark -r --export-objects http, # tshark - show conversations tshark -r -z conv,tcp # tshark - protocol hierarchy tshark -r -z io,phs # tshark - credentials (basic) tshark -r -Y "http.authorization or ftp.request.command == USER or ftp.request.command == PASS" # tcpdump - capture on interface sudo tcpdump -i # tcpdump - capture to file sudo tcpdump -i -w # tcpdump - read pcap tcpdump -r # tcpdump - filter by host sudo tcpdump -i host # tcpdump - filter by port sudo tcpdump -i port # tcpdump - filter by network sudo tcpdump -i net # tcpdump - verbose with hex sudo tcpdump -i -XX -vv # tcpdump - no DNS resolution sudo tcpdump -i -n # Common Wireshark display filters: # ip.addr == 192.168.1.1 # tcp.port == 443 # http.request.method == "POST" # dns.qry.name contains "evil" # tcp.flags.syn == 1 and tcp.flags.ack == 0 # frame contains "password" # ssl.handshake.type == 1 # Extract files from pcap with binwalk binwalk -e # NetworkMiner (GUI) - extract artifacts networkminer # Zeek - generate logs from pcap zeek -r $ interface: ip link show | grep -E "^[0-9]" | cut -d: -f2 | tr -d ' ' | grep -v lo $ pcap_file: find . -name "*.pcap" -o -name "*.pcapng" 2>/dev/null $ output_pcap: echo "capture.pcap" $ ip: echo "" $ port: echo "80\n443\n22\n21\n53" $ network_cidr: echo "192.168.1.0/24" $ stream_number: echo "0" $ output_dir: echo "extracted"