Packet Captures

Various PCAP files for study are listed below.

= PCAP files =

Common packet capture files used across the site and for study are below:

Misc Captures

= Filtering Packets =

Information related to packet filtering is as follows:

Filtering a Cap File

Captures only DNS traffic to or from 208.67.220.220 on eth0 (a capture filter), writing to /tmp/dns.cap as a ring buffer that starts a new file every hour and keeps at most 25 files:

dumpcap -i eth0 -f "host 208.67.220.220 and udp port 53" -w /tmp/dns.cap -b duration:3600 -b files:25

Wireshark Common Filters
Sets a filter for any packet with 10.0.0.1 as either the source or destination: ip.addr == 10.0.0.1

Sets a conversation filter between the two defined IP addresses: ip.addr==10.0.0.1 && ip.addr==10.0.0.2

Sets a filter to display all http and dns: http or dns

Sets a filter for any TCP packet with 4000 as a source or dest port: tcp.port==4000

Displays all TCP resets: tcp.flags.reset==1

Displays all HTTP GET requests: http.request

Displays all TCP packets that contain the word 'traffic'. Excellent when searching for a specific string or user ID: tcp contains traffic

Masks out arp, icmp, dns, or whatever other protocols are background noise, so you can focus on the traffic of interest: !(arp or icmp or dns)

Sets a filter for the HEX values of 0x33 0x27 0x58 at any offset: udp contains 33:27:58

Displays all retransmissions in the trace. Helps when tracking down slow application performance and packet loss: tcp.analysis.retransmission

Fragmented Traffic: ip.flags.mf == 1 or ip.frag_offset > 0

ICMP Fragmentation needed packets: icmp.type==3 and icmp.code==4

Combination of the above two, written as raw byte slices of the IP header (bytes 0, 9 and 20-21 for an ICMP "fragmentation needed" packet, bytes 6-7 masked for the MF bit and fragment offset): ip[0,9,20:2]==4501:0304||ip[6:2]&3fff

Starting and Ending sessions: tcp.flags&7 or (tcp.seq==1 and tcp.ack==1 and !tcp.window_size_scalefactor==-1 and tcp.len==0)
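The filters above name Wireshark fields, but each one ultimately tests a few header bytes. The following Python is an added example, not code from the original page: it builds a handful of IPv4/TCP/ICMP packets by hand (constructed input, not from any real capture), decodes the fields the filters refer to, and evaluates several of the display filters listed above, including the byte-slice form of the fragmentation filters (written here as 45:01:03:04). Everything assumes IPv4 without options; the 0x45 test in the byte-slice filter is what guarantees that the ICMP type and code really sit at offset 20.

```python
"""Added example (not from the original page): evaluate several of the Wireshark
display filters listed above against raw IPv4 packets, to show which header
bytes each filter actually tests. All packets below are constructed by hand."""
import struct


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4(src: str, dst: str, proto: int, payload: bytes,
               mf: bool = False, frag_offset: int = 0) -> bytes:
    """Minimal IPv4 header (IHL=5, checksum left 0; the filters never check it)."""
    flags_frag = (0x2000 if mf else 0) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1,
                         flags_frag, 64, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return header + payload


def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    """Minimal 20-byte TCP header; data offset 5, flags in the low 9 bits."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 65535, 0, 0)


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fields the filters refer to, named like Wireshark's own fields."""
    (ver_ihl, _tos, _total_len, _ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    fields = {
        "ip.src": ".".join(map(str, src)),
        "ip.dst": ".".join(map(str, dst)),
        "ip.proto": proto,
        "ip.flags.mf": (flags_frag >> 13) & 1,   # "More Fragments" bit
        "ip.frag_offset": flags_frag & 0x1FFF,   # in 8-byte units
    }
    payload = pkt[ihl:]
    # Only the first fragment carries a transport header, so skip later fragments.
    if fields["ip.frag_offset"] == 0 and proto == 6:          # TCP
        sport, dport, _seq, _ack, off_flags, _win = struct.unpack("!HHIIHH", payload[:16])
        flags = off_flags & 0x1FF
        fields.update({"tcp.srcport": sport, "tcp.dstport": dport,
                       "tcp.flags": flags, "tcp.flags.reset": (flags >> 2) & 1})
    elif fields["ip.frag_offset"] == 0 and proto == 1:        # ICMP
        fields["icmp.type"], fields["icmp.code"] = payload[0], payload[1]
    return fields


# Display filters from the page, expressed over the decoded fields.
FILTERS = {
    "ip.addr == 10.0.0.1": lambda f: "10.0.0.1" in (f["ip.src"], f["ip.dst"]),
    "tcp.port == 4000": lambda f: 4000 in (f.get("tcp.srcport"), f.get("tcp.dstport")),
    "tcp.flags.reset == 1": lambda f: f.get("tcp.flags.reset") == 1,
    "tcp.flags & 7": lambda f: bool(f.get("tcp.flags", 0) & 7),  # FIN, SYN or RST
    "ip.flags.mf == 1 or ip.frag_offset > 0":
        lambda f: f["ip.flags.mf"] == 1 or f["ip.frag_offset"] > 0,
    "icmp.type == 3 and icmp.code == 4":
        lambda f: f.get("icmp.type") == 3 and f.get("icmp.code") == 4,
}


def combined_byte_filter(pkt: bytes) -> bool:
    """Byte-slice form of the last two filters: ip[0,9,20:2] == 45:01:03:04
    matches an ICMP "fragmentation needed" packet (0x45 also pins IHL to 5, so
    the ICMP type/code really sit at offset 20); ip[6:2] & 3fff is non-zero
    when the MF bit or the fragment offset is set."""
    frag_needed = pkt[0] == 0x45 and pkt[9] == 0x01 and pkt[20:22] == b"\x03\x04"
    fragmented = (int.from_bytes(pkt[6:8], "big") & 0x3FFF) != 0
    return frag_needed or fragmented


# Constructed sample packets (not from any real capture).
SAMPLE_PACKETS = {
    "syn": build_ipv4("10.0.0.1", "10.0.0.2", 6, build_tcp(40000, 4000, 0x02)),
    "rst": build_ipv4("10.0.0.2", "10.0.0.1", 6, build_tcp(4000, 40000, 0x04)),
    "data": build_ipv4("10.0.0.3", "10.0.0.4", 6, build_tcp(5555, 443, 0x18)),  # PSH+ACK
    # Second fragment of a UDP datagram: offset 185 (x8 bytes), no transport header.
    "fragment": build_ipv4("10.0.0.3", "10.0.0.4", 17, b"\x00" * 8, frag_offset=185),
    # ICMP type 3 code 4 (destination unreachable, fragmentation needed), MTU 1500.
    "frag_needed": build_ipv4("10.0.0.9", "10.0.0.1", 1, bytes([3, 4, 0, 0, 0, 0, 0x05, 0xDC])),
}


def apply_filters(packets: dict = SAMPLE_PACKETS) -> dict:
    """Return {filter expression: [names of matching packets]}."""
    decoded = {name: parse_ipv4(pkt) for name, pkt in packets.items()}
    matches = {expr: [name for name, f in decoded.items() if pred(f)]
               for expr, pred in FILTERS.items()}
    matches["ip[0,9,20:2]==45:01:03:04 || ip[6:2]&3fff"] = [
        name for name, pkt in packets.items() if combined_byte_filter(pkt)]
    return matches


if __name__ == "__main__":
    for expr, names in apply_filters().items():
        print(f"{expr:45} -> {names}")
```

Running it prints, for each filter, which of the constructed packets match: the SYN and RST both satisfy tcp.flags & 7 while the PSH+ACK data segment does not, only the later fragment trips the ip.flags.mf/ip.frag_offset test, and the byte-slice filter matches exactly the union of the fragment and the ICMP "fragmentation needed" packet. Note that the transport fields are decoded only when the fragment offset is zero, which is also why a filter such as tcp.port never matches a non-first fragment in Wireshark.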

TCPDump Filters
Source: [thegeekstuff.com]

Protocols
arp, ether, icmp, ip, ip6, ppp, rarp, tcp, udp, wlan

TCP Flags
tcp-fin, tcp-syn, tcp-rst, tcp-psh, tcp-ack, tcp-urg

Capture Filter Primitives
[src|dst] host <host>                    Matches a host as the IP source, destination, or either
ether [src|dst] host <ehost>             Matches a host as the Ethernet source, destination, or either
gateway host <host>                      Matches packets which used host as a gateway
[src|dst] net <net>/<len>                Matches packets to or from an endpoint residing in network net
[tcp|udp] [src|dst] port <port>          Matches TCP or UDP packets sent to/from port
[tcp|udp] [src|dst] portrange <p1>-<p2>  Matches TCP or UDP packets to/from a port in the given range
less <length>                            Matches packets less than or equal to length
greater <length>                         Matches packets greater than or equal to length
(ether|ip|ip6) proto <protocol>          Matches an Ethernet, IPv4, or IPv6 protocol
(ether|ip) broadcast                     Matches Ethernet or IPv4 broadcasts
(ether|ip|ip6) multicast                 Matches Ethernet, IPv4, or IPv6 multicasts
type (mgt|ctl|data) [subtype <subtype>]  Matches 802.11 frames based on type and optional subtype
vlan [<vlan_id>]                         Matches 802.1Q frames, optionally with a VLAN ID of vlan_id
mpls [<label>]                           Matches MPLS packets, optionally with a label of label
<expr> relop <expr>                      Matches packets by an arbitrary expression

Command Line Options
-A              Print frame payload in ASCII
-c <count>      Exit after capturing count packets
-D              List available interfaces
-e              Print link-level headers
-F <file>       Use file as the filter expression
-G <n>          Rotate the dump file every n seconds
-i <interface>  Specifies the capture interface
-K              Don't verify TCP checksums
-L              List data link types for the interface
-n              Don't convert addresses to names
-p              Don't capture in promiscuous mode
-q              Quick output
-r <file>       Read packets from file
-s <len>        Capture up to len bytes per packet
-S              Print absolute TCP sequence numbers
-t              Don't print timestamps
-v[v[v]]        Print more verbose output
-w <file>       Write captured packets to file
-x              Print frame payload in hex
-X              Print frame payload in hex and ASCII
-y <type>       Specify the data link type

= Misc =

 * In IE, disable HTTP 1.1 in the Advanced options so that the traffic is sent as HTTP 1.0. You will then be able to see the traffic in clear text in Wireshark captures. HTTP 1.1 uses gzip to compress the HTML, so it is not readable in clear text. You will also find multiple connections for a single web page.

 * In Wireshark, anything you see in square brackets, e.g. [bla bla], is Wireshark's own analysis of the information and is not part of the captured packet.