Packet Captures

Various Pcap files for studies are as follows:

=PCAP files=
Common packet capture files used across the site and for studies are below:

Misc Captures
=Filtering Packets=
Information related to packet filtering is as follows:

Filtering a Cap File
Capture only DNS traffic to or from 208.67.220.220 on eth0 with dumpcap, rotating the output file every hour (3600 s) and keeping at most 25 files:
dumpcap -i eth0 -f "host 208.67.220.220 and udp port 53" -w /tmp/dns.cap -b duration:3600 -b files:25

TCPDump Filters
Source: [thegeekstuff.com]

 * General TCPDump command (full packets, verbose, written to file):
tcpdump -s 0 -i eth0 host 10.1.1.1 -v -w /tmp/packet_capture.cap

Command Line Options
-A          Print frame payload in ASCII
-c          Exit after capturing count packets
-D          List available interfaces
-e          Print link-level headers
-F          Use file as the filter expression
-G          Rotate the dump file every n seconds
-i          Specifies the capture interface
-K          Don't verify TCP checksums
-L          List data link types for the interface
-n          Don't convert addresses to names
-p          Don't capture in promiscuous mode
-q          Quick output
-r          Read packets from file
-s          Capture up to len bytes per packet
-S          Print absolute TCP sequence numbers
-t          Don't print timestamps
-v[v[v]]    Print more verbose output
-w          Write captured packets to file
-x          Print frame payload in hex
-X          Print frame payload in hex and ASCII
-y          Specify the data link type

Advanced Packet Filtering
Wireshark/tshark display filter for SMB traffic between 192.168.30.20 and either of two hosts:
((ip.addr==192.168.80.80 or ip.addr==10.1.1.56) and ip.addr==192.168.30.20) and smb

# list the capture files that will be scanned
find . -type f | egrep "All.pcap"

# SMB (v1) packets matching the display filter above, printed per file
for i in $(find . -type f | egrep "All.pcap"); do echo "$i"; tshark -r "$i" '((ip.addr==192.168.80.80 or ip.addr==10.1.1.56) and ip.addr==192.168.30.20) and smb'; echo -e "\n"; done

# same for SMB2, keeping only error/unknown/denied lines (grep needs -E for the alternation;
# note that the "echo $i" filename lines are filtered out as well unless they happen to match)
for i in $(find . -type f | egrep "All.pcap"); do echo "$i"; tshark -r "$i" '((ip.addr==192.168.80.80 or ip.addr==10.1.1.56) and ip.addr==192.168.30.20) and smb2'; echo -e "\n"; done | grep -E '(error|unknown|denied)'

# same, written to errors.txt in the background
for i in $(find . -type f | egrep "All.pcap"); do echo "$i"; tshark -r "$i" '((ip.addr==192.168.80.80 or ip.addr==10.1.1.56) and ip.addr==192.168.30.20) and smb2'; echo -e "\n"; done | grep -E '(error|unknown|denied)' > errors.txt &

# with absolute timestamps: -t a = time of day, -t ad = date and time; the latter saved to smb-time.txt
for i in $(find . -type f | egrep "All.pcap"); do echo "$i"; tshark -t a -r "$i" '((ip.addr==192.168.80.80 or ip.addr==10.1.1.56) and ip.addr==192.168.30.20) and smb2'; echo -e "\n"; done
for i in $(find . -type f | egrep "All.pcap"); do echo "$i"; tshark -t ad -r "$i" '((ip.addr==192.168.80.80 or ip.addr==10.1.1.56) and ip.addr==192.168.30.20) and smb2'; echo -e "\n"; done > smb-time.txt

# grep the saved text outputs for SMB2 lock requests
for i in $(find . -type f | egrep ".txt"); do echo "$i"; cat "$i"; echo -e "\n"; done | grep smb2.lock

# tcpdump (BPF capture-filter) equivalent of the display filter above, using port 445 instead of the smb dissector
for i in $(find . -type f | egrep "All.pcap"); do echo "$i"; tcpdump -r "$i" '((host 192.168.80.80 or host 10.1.1.56) and host 192.168.30.20) and port 445'; echo -e "\n"; done
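To see exactly which packets the host/port filter above selects, here is an added example (not from the original notes) that reads a classic pcap in pure Python and applies the same `(host A or host B) and host C and port 445` logic; it assumes Ethernet link type and IPv4, skips everything else, and builds its own constructed sample capture so it runs offline.

```python
import struct
import socket

def iter_packets(data):
    """Yield (ts, src, dst, proto, sport, dport) for each IPv4 frame in a classic pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"      # byte order of the file headers
    linktype, = struct.unpack_from(endian + "I", data, 20)
    assert linktype == 1, "only Ethernet (LINKTYPE_ETHERNET) is handled here"
    off = 24                                          # end of the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":  # skip non-IPv4 frames
            continue
        ihl = (pkt[14] & 0x0F) * 4                    # IP header length in bytes
        src, dst, proto = socket.inet_ntoa(pkt[26:30]), socket.inet_ntoa(pkt[30:34]), pkt[23]
        sport = dport = None
        if proto in (6, 17) and len(pkt) >= 14 + ihl + 4:   # TCP/UDP: ports follow the IP header
            sport, dport = struct.unpack_from("!HH", pkt, 14 + ihl)
        yield ts_sec + ts_usec / 1e6, src, dst, proto, sport, dport

def match(p, hosts_any, host_req, port):
    # same logic as tcpdump's: (host A or host B) and host C and port N
    _, src, dst, _, sport, dport = p
    return bool({src, dst} & set(hosts_any)) and host_req in (src, dst) and port in (sport, dport)

def build_pcap(flows):
    """Constructed sample capture: one minimal TCP frame per (src, dst, sport, dport)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header, Ethernet
    for i, (src, dst, sport, dport) in enumerate(flows):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, i, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
        frame = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

SAMPLE = build_pcap([                                 # constructed test data
    ("192.168.80.80", "192.168.30.20", 50000, 445),   # matches
    ("192.168.30.20", "10.1.1.56", 445, 50001),       # matches: reply direction
    ("192.168.80.80", "192.168.30.20", 50002, 80),    # wrong port
    ("10.1.1.56", "10.1.1.99", 50003, 445),           # 192.168.30.20 not involved
])

def smb_hits(data=SAMPLE):
    return [p for p in iter_packets(data)
            if match(p, ["192.168.80.80", "10.1.1.56"], "192.168.30.20", 445)]

if __name__ == "__main__":
    for ts, src, dst, _, sp, dp in smb_hits():
        print(f"{ts:.6f} {src}:{sp} -> {dst}:{dp}")
```

Only two of the four constructed frames survive the filter, and the second one is the reply direction, which is why filtering on `host` rather than `src host` matters when chasing SMB errors.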

= Misc =


 * In IE, disable HTTP 1.1 in Advanced options so that traffic is sent as HTTP 1.0. You will then see the traffic in clear text in Wireshark captures. HTTP 1.1 uses gzip to compress HTML, so it is not readable as clear text. You will also find multiple connections for a single web page.


 * In Wireshark, anything you see in square brackets, e.g. [bla bla], is Wireshark's analysis of the information and is not part of the captured packet.

Non-Root Capture in Ubuntu
sudo apt-get install libcap2-bin
sudo groupadd wireshark
sudo usermod -a -G wireshark kirat
newgrp wireshark
sudo chgrp wireshark /usr/bin/dumpcap
sudo chmod 750 /usr/bin/dumpcap
sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap

Verification:
getcap /usr/bin/dumpcap   =>   /usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip

If still unable to capture:
sudo dpkg-reconfigure wireshark-common
sudo chmod +x /usr/bin/dumpcap

Tshark
apt-get install tshark
# extract DNS packets into their own file (newer tshark versions require -2 with -R, or use -Y for single-pass display filtering)
tshark -r lotsapackets.cap -R dns -w dns.cap
tshark -r lotsapackets.cap -R "dns or tcp.port==80" -w web.cap
# summary of the resulting capture (packet count, duration, size)
capinfos web.cap
# split a large capture into files of 50000 packets each
editcap -c 50000 lotsapackets.cap fewerpackets.cap