cheat/cheat/cheatsheets/tcpdump
Chris Lane f46698b656 Performed a large refactoring
Performed an extensive refactoring on the entire application for the
sake of code-cleanliness.

- Refactored out of an ad-hoc Imperative paradigm into more of a
  functional/declarative paradigm. IMO, this makes the application
  significantly easier to understand.

- Moved away from `argparse` and into `docopt` for argument parsing

- Version bump to 2.0.0

- Performed extensive refactoring on the setup.py script. Script should
  install to the system more cleanly now.

- Made minor formatting changes to the --list flag output

- Updated the README

Squashed commit of the following:

commit e5681bd536aa0220cdeb7884cc248db55be408c9
Author: Chris Lane <chris@chris-allen-lane.com>
Date:   Sat Apr 26 23:30:21 2014 -0400

    Fixed many bugs

    Everything seems to work now, I think.

commit 764ec5950cee958eb1b8333ddfcb6bcd45c28429
Author: Chris Lane <chris@chris-allen-lane.com>
Date:   Sat Apr 26 21:51:31 2014 -0400

    Restructuring for the sake of setup.py

    Seem to finally have a working install script

commit 5a866c23857b77ec65070dd8023cd734f2b7c242
Author: Chris Lane <chris@chris-allen-lane.com>
Date:   Sat Apr 26 18:01:11 2014 -0400

    Nits

commit a79954ba5b33d992fa6a32abffb33b161d624e3d
Author: Chris Lane <chris@chris-allen-lane.com>
Date:   Sat Apr 26 17:53:03 2014 -0400

    Implemented search

commit b570a897e9a12c15affe1a72628deae31836dee2
Author: Chris Lane <chris@chris-allen-lane.com>
Date:   Sat Apr 26 17:11:27 2014 -0400

    Nits

commit 1a8d85b44457f1b2131b3e8475c5270b5d0899e3
Author: Chris Lane <chris@chris-allen-lane.com>
Date:   Sat Apr 26 17:02:22 2014 -0400

    Still refactoring across files

    Trying to make the program structure clearer

commit 34dffd6462e492e81ea558e2009a71051b7663c9
Author: Chris Lane <chris@chris-allen-lane.com>
Date:   Sat Apr 26 16:40:37 2014 -0400

    Breaking app into several files

    This is for the sake of code-cleanliness

commit 4825d678ff5f9817ccbf727ef71e5dea15ff2586
Author: Chris Lane <chris@chris-allen-lane.com>
Date:   Sat Apr 26 15:55:19 2014 -0400

    Got syntax highlighting working

commit c37d7a626d451bfca3d4a072eb9fed604085170f
Author: Chris Lane <chris@chris-allen-lane.com>
Date:   Sat Apr 26 15:29:22 2014 -0400

    Reduced verbosity of function names

commit 8e626045186b37dce2480f5af1994ddfa8db79b5
Author: Chris Lane <chris@chris-allen-lane.com>
Date:   Sat Apr 26 15:24:41 2014 -0400

    Refactored argument passing

    Fewer arguments now need to be passed throughout the app.

commit 807ba814650010b3dd1b59d27400b3fb4fcfede7
Author: Chris Lane <chris@chris-allen-lane.com>
Date:   Sat Apr 26 11:40:05 2014 -0400

    Working through the refactor

commit e34e6540d4f8cd727e98aac68289d515a02d5fe6
Author: Chris Lane <chris@chris-allen-lane.com>
Date:   Thu Apr 24 20:00:10 2014 -0400

    Got a basic end-to-end refactor working

    Have re-implemented just the most basic functionality in the "cheat2"
    file.
2014-04-26 23:39:19 -04:00


# TCPDump is a packet analyzer. It allows the user to intercept and display TCP/IP
# and other packets being transmitted or received over a network. (cf Wikipedia).
# Note: 173.194.40.120 => google.com
# Intercepts all packets on eth0
tcpdump -i eth0
# Intercepts all packets from/to 173.194.40.120
tcpdump host 173.194.40.120
# Intercepts all packets on all interfaces from / to 173.194.40.120 port 80
# -nn => Disables name resolution for IP addresses and port numbers.
tcpdump -nn -i any host 173.194.40.120 and port 80
# grep on tcpdump output (ASCII)
# -A  => print each packet (minus its link-level header) in ASCII
# -s0 => capture whole packets (older tcpdump versions default to a 68-byte snaplen,
#        which truncates HTTP headers; recent versions default to 262144, so -s0 is harmless there)
# -l  => line-buffer stdout so grep sees matches immediately
tcpdump -l -A -s0 -i any host 173.194.40.120 and port 80 | grep 'User-Agent'
# Same with ngrep (syntax: ngrep [options] <match expression> [bpf filter])
# -d eth0 => listen on eth0 (otherwise ngrep picks a default interface; -d any for all)
# -s <n>  => set the snaplen; the default of 65536 bytes already covers whole packets
ngrep -d eth0 'User-Agent' host 173.194.40.120 and port 80
# Intercepts all packets on all interfaces from / to 8.8.8.8 or 173.194.40.127 on port 80
# (put options before the filter expression; options after it only work with GNU getopt)
tcpdump -i any 'host ( 8.8.8.8 or 173.194.40.127 ) and port 80'
# Capture the SYN and FIN packets of each TCP session (any segment with the SYN or FIN flag set)
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0'
# Same, but only for sessions with hosts outside our own network
# (localnet is a placeholder: replace it with your network, e.g. 192.168.1.0/24)
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'
# All IPv4 HTTP packets to or from port 80 that actually carry data, i.e. excluding SYN, FIN
# and pure-ACK segments. ip[2:2] is the IP total length, (ip[0]&0xf)<<2 the IP header length
# and (tcp[12]&0xf0)>>2 the TCP header length; their difference is the TCP payload size.
tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
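# The two byte-offset filters above (SYN/FIN flag test and the "data only" length
# arithmetic) reimplemented in Python over constructed IPv4/TCP packets, so you can see
# what tcpdump evaluates. This is an added example, not part of the original cheatsheet;
# the packets are built inline (no checksums, no link-layer header) and are not a real capture.

```python
"""Mirror of the tcpdump byte-offset filters, applied to raw IPv4+TCP packets.

The sample packets are constructed here for illustration (no checksums, no
Ethernet header) and are not from a real capture.
"""
import struct

TCP_FIN = 0x01  # tcp-fin
TCP_SYN = 0x02  # tcp-syn
TCP_ACK = 0x10  # tcp-ack


def build_ipv4_tcp(src_port, dst_port, flags, payload=b"", ip_options=b"", tcp_options=b""):
    """Build a minimal IPv4+TCP packet. Options must be multiples of 4 bytes."""
    assert len(ip_options) % 4 == 0 and len(tcp_options) % 4 == 0
    ihl = 5 + len(ip_options) // 4      # IPv4 header length in 32-bit words
    doff = 5 + len(tcp_options) // 4    # TCP data offset in 32-bit words
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          src_port, dst_port,
                          0, 0,             # seq / ack numbers (irrelevant here)
                          doff << 4,        # byte 12: data offset in the upper nibble
                          flags,            # byte 13: tcp[tcpflags]
                          65535, 0, 0)      # window, checksum (unset), urgent pointer
    tcp = tcp_hdr + tcp_options + payload
    total_len = ihl * 4 + len(tcp)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl,    # byte 0: version 4, IHL
                         0, total_len,      # TOS, total length (ip[2:2])
                         0, 0,              # identification, flags/fragment offset
                         64, 6, 0,          # TTL, protocol 6 = TCP, checksum (unset)
                         bytes([10, 0, 0, 1]), bytes([173, 194, 40, 120]))
    return ip_hdr + ip_options + tcp


def is_tcp(pkt):
    return pkt[9] == 6                    # the "tcp" primitive: IP protocol field


def ip_header_len(pkt):
    return (pkt[0] & 0x0F) << 2           # (ip[0]&0xf)<<2


def tcp_flags(pkt):
    return pkt[ip_header_len(pkt) + 13]   # tcp[tcpflags] is byte 13 of the TCP header


def tcp_header_len(pkt):
    # Data offset is the upper nibble of tcp[12], in 32-bit words: (>>4)<<2 == >>2
    return (pkt[ip_header_len(pkt) + 12] & 0xF0) >> 2  # (tcp[12]&0xf0)>>2


def tcp_ports(pkt):
    off = ip_header_len(pkt)
    return struct.unpack("!HH", pkt[off:off + 4])   # (src port, dst port)


def tcp_payload_len(pkt):
    ip_total = struct.unpack("!H", pkt[2:4])[0]     # ip[2:2]
    return ip_total - ip_header_len(pkt) - tcp_header_len(pkt)


def is_syn_or_fin(pkt):
    """tcp[tcpflags] & (tcp-syn|tcp-fin) != 0"""
    return is_tcp(pkt) and tcp_flags(pkt) & (TCP_SYN | TCP_FIN) != 0


def carries_data(pkt):
    return is_tcp(pkt) and tcp_payload_len(pkt) != 0


def matches_http_data_filter(pkt):
    """tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)"""
    return is_tcp(pkt) and 80 in tcp_ports(pkt) and carries_data(pkt)


# Constructed samples: a SYN with an MSS option, a bare ACK, an HTTP request,
# a FIN/ACK whose IP header carries 4 bytes of NOP options, and SSH data on port 22.
SAMPLES = {
    "syn": build_ipv4_tcp(40000, 80, TCP_SYN, tcp_options=b"\x02\x04\x05\xb4"),
    "ack_only": build_ipv4_tcp(40000, 80, TCP_ACK),
    "get": build_ipv4_tcp(40000, 80, TCP_ACK,
                          payload=b"GET / HTTP/1.1\r\nHost: google.com\r\n\r\n"),
    "fin_with_ipopts": build_ipv4_tcp(80, 40000, TCP_FIN | TCP_ACK,
                                      ip_options=b"\x01\x01\x01\x01"),
    "ssh_data": build_ipv4_tcp(50000, 22, TCP_ACK, payload=b"SSH-2.0-OpenSSH\r\n"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:16s} syn/fin={is_syn_or_fin(pkt)!s:5s} "
              f"payload={tcp_payload_len(pkt):3d} http-data={matches_http_data_filter(pkt)}")
```

# The IP and TCP header-length terms matter: the FIN/ACK sample has a 24-byte IP header and
# the SYN a 24-byte TCP header, so a filter that assumed fixed 20-byte headers would
# misreport their payload sizes.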
# Saving captured data
tcpdump -w file.cap
# Reading from capture file
tcpdump -r file.cap
# Show packet contents in hex
# (-xx also prints the link-layer (Ethernet) header)
tcpdump -x
# Show packet contents in hex and ASCII
# (-XX also prints the link-layer (Ethernet) header)
tcpdump -X
# Note on packet matching:
# Port matching:
# - portrange 22-23
# - not port 22
# - port ssh
# - dst port 22
# - src port 22
#
# Host matching:
# - dst host 8.8.8.8
# - not dst host 8.8.8.8
# - src net 67.207.148.0 mask 255.255.255.0
# - src net 67.207.148.0/24