|
|-
|[[Media:OSPF_LSA_types.cap|OSPF LSAs]] || ||[[OSPF]]
|-
|[[Media:OSPF_LSA_Route_Add_Delete.cap|OSPF LSA Route Add Delete]] || Add - #101; Delete - #130 ||[[OSPF]]
|-
|[[Media:Ospf over gre tunnel.cap|OSPF over GRE Tunnel]] || ||[[OSPF]]
|[[Media:Dhcp-auth.pcap|Dhcp-auth]] || || [[DNS#DHCP|DHCP]]
|}
== HTTP - HTTPS ==
{| class="wikitable"
|-
!Packet Type !! Description !! Page Link
|-
|[[Media:http.cap|HTTP]] || Sack Used ||[[HTTP]]
|-
|[[Media:SSL.cap|SSL]], [[Media:Key.zip|Key]] || Sack Used ||[[SSL]]
|}
== TCP/IP ==
{| class="wikitable"
|-
!Packet Type !! Description !! Page Link
|-
|[[Media:TCP SACK.cap|TCP SACK]] || SACK(frame #31), Timestamp, WSF ||[[TCP/IP#TCP_SACK|TCP/IP]]
|-
|[[Media:Tracert.pcap|Traceroute]] || || [[ICMP#Traceroute|Traceroute]]
|-
|[[Media:Path MTU discovery.cap|Path MTU]] ||Fragmentation Needed message in packet #6 || [[ICMP#Path_MTU_Discovery|Path MTU Discovery]]
|-
|[[Media:IPv6.pcap|IPv6]] || ||
|-
|[[Media:ICMP.pcap|ICMP]] || || [[ICMP]]
|}
== Misc Captures ==
|-
!Packet Type !! Description !! Page Link
|-
|[[Media:TCP SACK.cap|TCP SACK]] || SACK(frame #31), Timestamp ||[[TCP/IP#TCP_SACK|TCP/IP]]
|-
|[[Media:Smtp.pcap|Smtp]] || ||
|-
|[[Media:Portscan.pcap|Port Scan]] || ||
|-
|[[Media:Tracert.pcap|Traceroute]] || || [[ICMP#Traceroute|Traceroute]]
|-
|[[Media:Path MTU discovery.cap|Path MTU]] ||Fragmentation Needed message in packet #6 || [[ICMP#Path_MTU_Discovery|Path MTU Discovery]]
|-
|[[Media:http.cap|HTTP]] || Sack Used ||[[HTTP]]
|-
|[[Media:Nat.pcap|NAT]] ||Ping Packet with & without NAT ||
|[[Media:Hsrp-and-ospf-in-LAN.pcap|Hsrp-and-ospf-in-LAN]] || ||
|-
|[[Media:RADIUS2.cap|RADIUS2]] || Using Access-Challenge (EAP) ||
|-
|[[Media:SSHv2.cap|SSHv2]] || ||
|-
|[[Media:Bittorrent.pcap|Bittorrent]] || ||
|-
|[[Media:IPv6.pcap|IPv6]] || ||
|-
|[[Media:Vnc-sample.pcap|Vnc-sample]] || ||
<br />
=Filtering Packets=
Information related to Packet filtering is as follows:
<br />
==Filtering a Cap File==
dumpcap -i eth0 -f "host 208.67.220.220 and udp port 53" -w /tmp/dns.cap -b duration:3600 -b files:25
<br />
==Wireshark Common Filters==
Sets a filter for any packet with 10.0.0.1, as either the source or dest
ip.addr == 10.0.0.1
Sets a conversation filter between the two defined IP addresses:
ip.addr==10.0.0.1 && ip.addr==10.0.0.2
Sets a filter to display all http and dns:
http or dns
Sets a filter for any TCP packet with 4000 as a source or dest port:
tcp.port==4000
Displays all TCP resets:
tcp.flags.reset==1
Displays all HTTP GET requests:
http.request
Displays all TCP packets that contain the word ‘traffic’. Excellent when searching on a specific string or user ID:
tcp contains traffic
Masks out arp, icmp, dns, or whatever other protocols may be background noise. Allowing you to focus on the traffic of interest:
!(arp or icmp or dns)
Sets a filter for the HEX values of 0x33 0x27 0x58 at any offset:
udp contains 33:27:58
Displays all retransmissions in the trace. Helps when tracking down slow application performance and packet loss:
tcp.analysis.retransmission
Fragmented Traffic:
ip.flags.mf == 1 or ip.frag_offset > 0
ICMP Fragmentation needed packets:
icmp.type==3 and icmp.code==4
Combination of above two:
ip[0,9,20:2]==4501:0304||ip[6:2]&3fff
Starting and Ending sessions:
tcp.flags&7 or (tcp.seq==1 and tcp.ack==1 and !tcp.window_size_scalefactor==-1 and tcp.len==0)
<br />
== Wireshark Column Filters ==
TTL ip.ttl
Flags tcp.flags
SEQ tcp.seq
ACK tcp.ack
MSS tcp.options.mss_val
In-Flight tcp.analysis.bytes_in_flight
Payload tcp.len
Window tcp.window_size
Content-Length http.content_length_header
<br />
== TCPDump Filters==
Source: [[http://www.thegeekstuff.com/2010/08/tcpdump-command-examples/ thegeekstuff.com]]
* General TCPDump command:
tcpdump -s 0 -w packet_capture.cap
*Capture packets from a particular interface
tcpdump -i eth1
*Capture only N number of packets
tcpdump -c 200 -i eth0
*Display Captured Packets in ASCII
tcpdump -A -i eth0
*Display Captured Packets in HEX and ASCII
tcpdump -XX -i eth0
*Capture the packets and write into a file
tcpdump -w 08232010.pcap -i eth0
*Capture packets with IP address without DNS resolution
tcpdump -n -i eth0
*Capture packets with proper readable timestamp
tcpdump -n -tttt -i eth0
*Read packets only longer or smaller than N bytes
tcpdump -w capture.pcap greater 1024
tcpdump -w capture.pcap less 1024
*Receive only the packets of a specific protocol type
tcpdump -i eth0 arp
*Receive packets flows on a particular port
tcpdump -i eth0 port 22
*Capture packets for particular destination IP and Port
tcpdump -w xpackets.pcap -i eth0 dst 10.181.140.216 and port 22
*Capture TCP communication packets between two hosts
tcpdump udp and \(host and host \)
tcpdump -w comm.pcap -i eth0 udp and \(host 172.20.68.176 and host 172.24.173.9\)
*Filter Packets – Capture all the packets other than arp and rarp
tcpdump -i eth0 not arp and not rarp
“and”, “or” and “not” condition are used to filter the packets
<br />
<br />
=== Reading PCAPs ===
*Reading the packets from a saved file
tcpdump -tttt -r data.pcap
tcpdump -e -nn -vv -r traffic.dump
tcpdump -XX -r eth0_Merged.pcap
=== TCPDump Parameters ===
====Modifiers====
! or not
&& or and
|| or or
====Examples====
udp dst port not 53 UDP not bound for port 53
host 10.0.0.1 && host 10.0.0.2 Traffic between these hosts
tcp dst port 80 or 8080 Packets to either TCP port
====Protocols====
arp ether
icmp ip
ip6 ppp
rarp tcp
udp wlan
====TCP Flags====
tcp-urg tcp-rst
tcp-ack tcp-syn
tcp-psh tcp-fin
====Capture Filter Primitives====
[src|dst] host <host> Matches a host as the IP source, destination, or either
ether [src|dst] host <ehost> Matches a host as the Ethernet source, destination, or either
gateway host <host> Matches packets which used host as a gateway
[src|dst] net <network>/<len> Matches packets to or from an endpoint residing in network
[tcp|udp] [src|dst] port <port> Matches TCP or UDP packets sent to/from port
[tcp|udp] [src|dst] portrange <p1>-<p2> Matches TCP or UDP packets to/from a port in the given range
less <length> Matches packets less than or equal to length
greater <length> Matches packets greater than or equal to length
(ether|ip|ip6) proto <protocol> Matches an Ethernet, IPv4, or IPv6 protocol
(ether|ip) broadcast Matches Ethernet or IPv4 broadcasts
(ether|ip|ip6) multicast Matches Ethernet, IPv4, or IPv6 multicasts
type (mgt|ctl|data) [subtype <subtype>] Matches 802.11 frames based on type and optional subtype
vlan [<vlan>] Matches 802.1Q frames, optionally with a VLAN ID of vlan
mpls [<label>] Matches MPLS packets, optionally with a label of label
<expr> <relop> <expr> Matches packets by an arbitrary expression
====Command Line Options====
-A Print frame payload in ASCII
-c <count> Exit after capturing count packets
-D List available interfaces
-e Print link-level headers
-F <file> Use file as the filter expression
-G <n> Rotate the dump file every n seconds
-i <iface> Specifies the capture interface
-K Don't verify TCP checksums
-L List data link types for the interface
-n Don't convert addresses to names
-p Don't capture in promiscuous mode
-q Quick output
-r <file> Read packets from file
-s <len> Capture up to len bytes per packet
-S Print absolute TCP sequence numbers
-t Don't print timestamps
-v[v[v]] Print more verbose output
-w <file> Write captured packets to file
-x Print frame payload in hex
-X Print frame payload in hex and ASCII
-y <type> Specify the data link type
<br />
= Misc =
* In IE, disable HTTP1.1 in Advanced options to see the traffic being sent in HTTP1.0 version. Now you will be able to see traffic in Clear text in wireshark captures. HTTP1.1 uses gzip to compress html, so it is not read in clear text. You will find multiple connections for a single webpage.
* In Wireshark, anyting you see in square brackets - [bla bla] is the wireshar analysis of the information & is not the part of the packet captured.
<br />
<br />
|