Packet Captures

From Network Security Wiki

Various pcap files for study are listed below:


PCAP files

Common packet capture files used across the site and for study are listed below:

VPN Captures

Packet Type                 Description                                                       Page Link
ScreenOS Site to Site VPN   Main Mode VPN negotiations (FW1 is Responder; FW2 is Initiator)   VPN Lab, Debug
Dialup VPN                  Aggressive mode Dialup VPN                                        VPN Lab, Debug, Aggressive Mode VPN
Dialup Xauth IP VPN         Aggressive mode Dialup VPN with XAuth IP assignment               VPN Lab, Debug
Dialup Xauth IP VPN         Aggressive mode Dialup VPN with XAuth user login                  VPN Lab, Debug
NAT Traversal               NAT Traversal on Cisco routers                                    VPN Lab, Debug
Manual Key VPN              Manual Key or Static VPN captures                                 Manual Key VPN

FTP-TFTP

Packet Type        Description           Page Link
Active Mode FTP    FTP in Active Mode    Active FTP
Passive Mode FTP   FTP in Passive Mode   Passive FTP
TFTP RRQ           TFTP Read Request     TFTP
TFTP WRQ           TFTP Write Request    TFTP

Routing Protocols

Packet Type            Description   Page Link
BGP                                  BGP
eBGP                                 BGP
BGP Notification                     BGP
BGP MD5                              BGP
OSPF                                 OSPF
OSPF MD5                             OSPF
OSPF LSAs                            OSPF
OSPF over GRE Tunnel                 OSPF
EIGRP Neighbors                      EIGRP
EIGRP adjacency                      EIGRP
EIGRP goodbye                        EIGRP
EIGRPv2 adjacency                    EIGRP
RIPv1
RIPv2

ARP

Packet Type            Description   Page Link
ARP                                  ARP
ARP Storm                            ARP
Gratuitous ARP                       ARP
Gratuitous ARP HSRP                  ARP
RARP Request                         ARP

DNS-DHCP

Packet Type        Description                                               Page Link
DNS Capture        Contains TXT, MX, LOC, PTR, A, AAAA, ANY, NS, SRV queries   DNS
DHCP               All packets broadcast implementation                      DHCP
DHCP 2             Unicast packets implementation                            DHCP
DHCP Inter VLAN                                                              DHCP
Dhcp-auth                                                                    DHCP

Misc Captures

Packet Type             Description                                   Page Link
TCP SACK                SACK (frame #31), Timestamp                   TCP/IP
Smtp
Teardrop
Telnet
Port Scan
Traceroute                                                            Traceroute
Path MTU                Fragmentation Needed message in packet #6     Path MTU Discovery
HTTP                    Sack Used                                     HTTP
NAT                     Ping Packet with & without NAT
IP Fragmentation
SNMP
SIP
GRE Encapsulated Ping
RADIUS
DTP
Slammer Worm
GLBP election
HDLC
HSRP
HSRP election
HSRP failover
Hsrp-and-ospf-in-LAN
RADIUS2
SSHv2
TACACS+
Bittorrent
IPv6
Vnc-sample
Blaster Worm
OS Fingerprinting
STP
MySQL


Filtering Packets

Information related to packet filtering is as follows:

Filtering a Cap File

The dumpcap command below captures only DNS traffic to or from 208.67.220.220 (the capture filter is given with -f in BPF syntax), writes it to /tmp/dns.cap, starts a new file every 3600 seconds, and keeps at most 25 files as a ring buffer, so the oldest file is overwritten once the limit is reached:

dumpcap -i eth0 -f "host 208.67.220.220 and udp port 53" -w /tmp/dns.cap -b duration:3600 -b files:25


Wireshark Common Filters

Sets a filter for any packet with 10.0.0.1 as either the source or destination:

ip.addr == 10.0.0.1 

Sets a conversation filter between the two defined IP addresses:

ip.addr==10.0.0.1 && ip.addr==10.0.0.2 

Sets a filter to display all http and dns:

http or dns 

Sets a filter for any TCP packet with 4000 as a source or dest port:

tcp.port==4000 

Displays all TCP resets:

tcp.flags.reset==1 

Displays all HTTP requests (GET, POST and so on):

http.request

Displays all TCP packets that contain the word ‘traffic’. Excellent when searching on a specific string or user ID:

tcp contains traffic 

Masks out arp, icmp, dns, or whatever other protocols may be background noise, allowing you to focus on the traffic of interest:

!(arp or icmp or dns) 

Sets a filter for the hex byte sequence 0x33 0x27 0x58 at any offset within the UDP header or payload:

udp contains 33:27:58 

Displays all retransmissions in the trace. Helps when tracking down slow application performance and packet loss:

tcp.analysis.retransmission 

Fragmented traffic (the More Fragments flag is set, or the fragment offset is non-zero):

ip.flags.mf == 1 or ip.frag_offset > 0

ICMP Fragmentation Needed packets (type 3 Destination Unreachable, code 4):

icmp.type==3 and icmp.code==4

Combination of the above two, written against the raw IP header bytes using Wireshark slice syntax: ip[0] == 0x45 (IPv4 with a 20-byte header), ip[9] == 0x01 (protocol ICMP) and ip[20:2] == 03:04 (ICMP type 3, code 4), or ip[6:2] & 0x3fff non-zero (MF flag set or fragment offset non-zero). The first half assumes no IP options, since it fixes the ICMP header at offset 20:

ip[0,9,20:2]==4501:0304||ip[6:2]&3fff

Starting and ending sessions: tcp.flags & 7 selects packets with FIN, SYN or RST set; the bracketed part selects the final ACK of the three-way handshake (relative sequence and acknowledgement numbers both 1, no payload). The window_size_scalefactor check excludes streams whose handshake Wireshark did not see (the factor is -1 in that case), so relative seq/ack values of 1 cannot produce false matches mid-stream:

tcp.flags&7 or (tcp.seq==1 and tcp.ack==1 and !tcp.window_size_scalefactor==-1 and tcp.len==0)


Wireshark Column Filters

Value to display   Filter
TTL                ip.ttl
Flags              tcp.flags
SEQ                tcp.seq
ACK                tcp.ack
MSS                tcp.options.mss_val
In-Flight          tcp.analysis.bytes_in_flight
Payload            tcp.len
Window             tcp.window_size
Content-Length     http.content_length_header


TCPDump Filters

Source: [thegeekstuff.com]

Description                                                  Command
General tcpdump command                                      tcpdump -s 0 -w packet_capture.cap
Capture packets from a particular interface                  tcpdump -i eth1
Capture only N packets                                       tcpdump -c 200 -i eth0
Display captured packets in ASCII                            tcpdump -A -i eth0
Display captured packets in hex and ASCII                    tcpdump -XX -i eth0
Capture packets and write them to a file                     tcpdump -w 08232010.pcap -i eth0
Capture packets with IP addresses, without DNS resolution    tcpdump -n -i eth0
Capture packets with a human-readable timestamp              tcpdump -n -tttt -i eth0
Capture only packets larger or smaller than N bytes          tcpdump -w capture.pcap greater 1024
                                                             tcpdump -w capture.pcap less 1024
Capture only packets of a specific protocol type             tcpdump -i eth0 arp
Capture packets flowing on a particular port                 tcpdump -i eth0 port 22
Capture packets for a particular destination IP and port     tcpdump -w xpackets.pcap -i eth0 dst 10.181.140.216 and port 22
Capture UDP packets between two hosts                        tcpdump -w comm.pcap -i eth0 udp and \(host 172.20.68.176 and host 172.24.173.9\)
Capture all packets other than ARP and RARP                  tcpdump -i eth0 not arp and not rarp

'and', 'or' and 'not' are used to combine filter conditions; the parentheses in the two-host example are escaped so the shell does not interpret them.



Reading PCAPs

Description                 Command
Reading a pcap file         tcpdump -r data.pcap
Viewing all headers         tcpdump -e -nn -vv -r data.pcap
Viewing hexadecimal data    tcpdump -XX -r data.pcap
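Both tcpdump -w and tcpdump -r work with the classic pcap file format, and the -s (snaplen) option decides how many bytes of each frame end up in the file. The Python below is an added example (not code from the wiki) that writes constructed frames into that format with a chosen snaplen and reads them back, showing how a record keeps the original wire length even when only the first snaplen bytes were stored. The frames, timestamps and function names are constructed for the example.

```python
"""Write and read the classic pcap format used by `tcpdump -w` and `-r`,
including how snaplen (`-s`) truncates records. Added example, not wiki code."""
import struct

PCAP_MAGIC = 0xA1B2C3D4       # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def pcap_bytes(frames, snaplen=65535, linktype=LINKTYPE_ETHERNET):
    """Serialise raw frames into a pcap file image (little-endian host order)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)
    for i, frame in enumerate(frames):
        ts_sec, ts_usec = 1700000000 + i, 0    # constructed timestamps
        captured = frame[:snaplen]             # only snaplen bytes are stored ...
        out += struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(frame))
        out += captured                        # ... but orig_len keeps the wire size
    return out


def read_pcap(data):
    """Parse a pcap image. Returns (linktype, snaplen, records) where each
    record is (timestamp, caplen, origlen, bytes). Handles both byte orders."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:                  # same magic seen byte-swapped
        end = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    _, _, _, _, _, snaplen, linktype = struct.unpack(end + "IHHiIII", data[:24])
    records, off = [], 24
    while off + 16 <= len(data):
        sec, usec, caplen, origlen = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        records.append((sec + usec / 1e6, caplen, origlen, data[off:off + caplen]))
        off += caplen
    return linktype, snaplen, records


def truncated(records):
    """Records whose caplen < origlen, i.e. cut short by snaplen. Seeing these
    means payload analysis needs a capture taken with `tcpdump -s 0`."""
    return [r for r in records if r[1] < r[2]]


if __name__ == "__main__":
    # Constructed frames of 60, 200 and 1500 bytes, written with snaplen 96
    image = pcap_bytes([b"\x00" * 60, b"\x01" * 200, b"\x02" * 1500], snaplen=96)
    _, snap, recs = read_pcap(image)
    for ts, caplen, origlen, _ in recs:
        print("%.6f caplen=%d origlen=%d" % (ts, caplen, origlen))
    print("truncated records:", len(truncated(recs)), "(snaplen %d)" % snap)
```

Running the block writes three frames with snaplen 96 and reports two truncated records; the same check on a real file tells you whether a capture taken without -s 0 can be trusted for payload inspection.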

TCPDump Parameters

Modifiers

! or not
&& or and
|| or or


Examples

udp dst port not 53		UDP not bound for port 53
host 10.0.0.1 && host 10.0.0.2	Traffic between these hosts
tcp dst port 80 or 8080		Packets to either TCP port


Protocols

arp			ether
icmp			ip
ip6			ppp
rarp			tcp
udp			wlan

TCP Flags

tcp-urg			tcp-rst
tcp-ack			tcp-syn
tcp-psh			tcp-fin

Capture Filter Primitives

[src|dst] host <host> 				Matches a host as the IP source, destination, or either
ether [src|dst] host <ehost> 			Matches a host as the Ethernet source, destination, or either
gateway host <host> 				Matches packets which used host as a gateway
[src|dst] net <network>/<len> 			Matches packets to or from an endpoint residing in network
[tcp|udp] [src|dst] port <port> 		Matches TCP or UDP packets sent to/from port
[tcp|udp] [src|dst] portrange <p1>-<p2> 	Matches TCP or UDP packets to/from a port in the given range
less <length> 					Matches packets less than or equal to length
greater <length> 				Matches packets greater than or equal to length
(ether|ip|ip6) proto <protocol> 		Matches an Ethernet, IPv4, or IPv6 protocol
(ether|ip) broadcast 				Matches Ethernet or IPv4 broadcasts
(ether|ip|ip6) multicast 			Matches Ethernet, IPv4, or IPv6 multicasts
type (mgt|ctl|data) [subtype <subtype>] 	Matches 802.11 frames based on type and optional subtype
vlan [<vlan>] 					Matches 802.1Q frames, optionally with a VLAN ID of vlan
mpls [<label>] 					Matches MPLS packets, optionally with a label of label
<expr> <relop> <expr> 				Matches packets by an arbitrary expression
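To make concrete which header bytes the filters on this page actually test, the Python below is an added example (not code from the wiki) that evaluates the Wireshark display filters from the section above (ip.addr, tcp.port, tcp.flags.reset, tcp contains, the fragmentation and ICMP Fragmentation Needed filters, and the byte-slice combination) together with the tcpdump capture-filter primitives net and portrange, all as predicates over Ethernet/IPv4 frames it constructs itself. The frames, addresses, ports and function names are constructed for the example; the address 208.67.220.220 is reused from the dumpcap example on this page.

```python
"""Byte-level view of the Wireshark display filters and tcpdump capture-filter
primitives listed on this page. Frames are constructed here, not captured."""
import ipaddress
import struct

ETH_IPV4 = 0x0800


def eth_ipv4(src, dst, proto, l4, flags_frag=0):
    """Ethernet II + IPv4 header without options (IHL=5) + layer-4 bytes."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234,
                         flags_frag, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip_hdr + l4


def tcp(sport, dport, flags, payload=b""):
    """TCP header, data offset 5; flags is the raw flag byte (0x02 = SYN)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                       65535, 0, 0) + payload


def udp(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def icmp(type_, code):
    return struct.pack("!BBHI", type_, code, 0, 0) + b"\x00" * 28


def parse(frame):
    """Extract the fields the page's filters refer to; None if not IPv4."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ip = frame[14:]
    flags_frag = struct.unpack("!H", ip[6:8])[0]
    p = {"ip": ip, "proto": ip[9],
         "src": str(ipaddress.IPv4Address(ip[12:16])),
         "dst": str(ipaddress.IPv4Address(ip[16:20])),
         "mf": (flags_frag >> 13) & 1, "frag_offset": flags_frag & 0x1FFF,
         "l4": ip[(ip[0] & 0x0F) * 4:]}
    if p["frag_offset"] == 0:                 # L4 header only in first fragment
        if p["proto"] in (6, 17):
            p["sport"], p["dport"] = struct.unpack("!HH", p["l4"][:4])
        if p["proto"] == 6:
            p["tcp_flags"] = p["l4"][13]
        if p["proto"] == 1:
            p["icmp_type"], p["icmp_code"] = p["l4"][0], p["l4"][1]
    return p


# --- Wireshark display filters from the page ---
def ip_addr(p, a):            # ip.addr == a  (source or destination)
    return a in (p["src"], p["dst"])

def tcp_port(p, port):        # tcp.port == port
    return p["proto"] == 6 and port in (p.get("sport"), p.get("dport"))

def tcp_reset(p):             # tcp.flags.reset == 1  (RST is bit 0x04)
    return bool(p.get("tcp_flags", 0) & 0x04)

def tcp_contains(p, needle):  # tcp contains needle  (TCP header or payload)
    return p["proto"] == 6 and needle in p["l4"]

def fragmented(p):            # ip.flags.mf == 1 or ip.frag_offset > 0
    return p["mf"] == 1 or p["frag_offset"] > 0

def frag_needed(p):           # icmp.type == 3 and icmp.code == 4
    return (p.get("icmp_type"), p.get("icmp_code")) == (3, 4)

def combined_slice(p):        # ip[0,9,20:2] == 45:01:03:04 || ip[6:2] & 0x3fff
    ip = p["ip"]              # first term assumes IHL=5 (ICMP header at ip[20])
    return (ip[0:1] + ip[9:10] + ip[20:22] == b"\x45\x01\x03\x04"
            or bool(struct.unpack("!H", ip[6:8])[0] & 0x3FFF))

# --- tcpdump capture-filter primitives from the page ---
def net(p, cidr, direction="either"):   # [src|dst] net <network>/<len>
    n = ipaddress.ip_network(cidr)
    addrs = {"src": [p["src"]], "dst": [p["dst"]]}.get(direction, [p["src"], p["dst"]])
    return any(ipaddress.ip_address(a) in n for a in addrs)

def portrange(p, lo, hi):               # [tcp|udp] portrange <p1>-<p2>
    return any(lo <= x <= hi for x in (p.get("sport"), p.get("dport")) if x is not None)

# Constructed sample traffic (not a real capture)
FRAMES = [
    eth_ipv4("10.0.0.1", "10.0.0.2", 6, tcp(40000, 4000, 0x02)),         # SYN
    eth_ipv4("10.0.0.2", "10.0.0.1", 6, tcp(4000, 40000, 0x14)),         # RST/ACK
    eth_ipv4("10.0.0.1", "10.0.0.3", 6, tcp(40001, 80, 0x18, b"GET /traffic")),
    eth_ipv4("10.0.0.1", "208.67.220.220", 17, udp(5353, 53, b"\x33\x27\x58")),
    eth_ipv4("10.0.0.1", "10.0.0.9", 17, udp(1000, 2000, b"A" * 8), 0x2000),  # MF set
    eth_ipv4("10.0.0.1", "10.0.0.9", 17, b"A" * 8, 0x0002),               # 2nd fragment
    eth_ipv4("10.0.0.254", "10.0.0.1", 1, icmp(3, 4)),                   # frag needed
]

def count(pred, *args):
    """Number of sample frames the predicate selects (what Wireshark would list)."""
    return sum(1 for f in FRAMES if (p := parse(f)) and pred(p, *args))
```

count(fragmented) returns 2 here (the MF fragment and the offset-only fragment) while count(frag_needed) returns 1, and count(combined_slice) returns 3, the union of both, which is exactly what the byte-slice filter on the page is meant to show. Note that the second fragment carries no transport header, so port-based filters never match it: a reminder that fragmentation can hide traffic from port filters unless fragments are reassembled.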

Command Line Options

-A 		Print frame payload in ASCII
-c <count> 	Exit after capturing count packets
-D 		List available interfaces
-e 		Print link-level headers
-F <file> 	Use file as the filter expression
-G <n> 	Rotate the dump file every n seconds
-i <iface> 	Specifies the capture interface
-K 		Don't verify TCP checksums
-L 		List data link types for the interface
-n 		Don't convert addresses to names
-p 		Don't capture in promiscuous mode
-q 		Quick output
-r <file> 	Read packets from file
-s <len> 	Capture up to len bytes per packet
-S 		Print absolute TCP sequence numbers
-t 		Don't print timestamps
-v[v[v]] 	Print more verbose output
-w <file> 	Write captured packets to file
-x 		Print frame payload in hex
-X 		Print frame payload in hex and ASCII
-y <type> 	Specify the data link type


Misc

  • In IE, disable HTTP 1.1 in Advanced options so that requests are sent as HTTP 1.0. You will then be able to see the traffic in clear text in Wireshark captures; HTTP 1.1 uses gzip to compress HTML, so it is not readable as clear text. You will also find multiple connections for a single web page.
  • In Wireshark, anything you see in square brackets, e.g. [bla bla], is Wireshark's own analysis of the information and is not part of the captured packet.
