# Wireshark

Wireshark is a free and open-source network packet analyzer. A packet analyzer captures network packets and displays the captured packet data in as much detail as possible. Under the GNU General Public License, users can obtain the software and its source code at no cost and have the right to modify and customize that source code.

# Practical tips

##### General syntax

Comparison operators:

```
==
!=
>
<
>=
<=
in
```

Logical operators:

```
&&  # AND
||  # OR
!   # NOT
```

Common filter qualifiers (type, direction, protocol):

- type: host, port
- dir: src, dst
- proto: tcp, udp, ftp, http

##### SIP

tcpdump

```shell
timeout 6m tcpdump -i eth0 host <sip-trunk-ip> -n -s 0 -vvvv -w carrier.pcap
```

Wireshark

- More SIP-related display filter fields: [https://www.wireshark.org/docs/dfref/s/sip.html](https://www.wireshark.org/docs/dfref/s/sip.html)

Show only REGISTER requests, filter: `sip.CSeq.method == REGISTER`

##### Other

Remote capture command (the capture filter excludes the SSH session that carries the capture itself, so the stream does not feed back on itself):

```bash
ssh root@192.168.0.1 tcpdump -n -i any -w- 'not \( port 22 and host 192.168.0.1 \)' | etherape -r-
```

##### Filter cheat sheet

[![wireshark_filter.jpeg](https://osslab.tw/uploads/images/gallery/2022-11/scaled-1680-/wireshark-filter.jpeg)](https://osslab.tw/uploads/images/gallery/2022-11/wireshark-filter.jpeg)

[![Wireshark.png](https://osslab.tw/uploads/images/gallery/2023-09/scaled-1680-/wireshark.png)](https://osslab.tw/uploads/images/gallery/2023-09/wireshark.png)

For Cybersecurity

[![wireshark_filters_for_cybersecurity.jpg](https://osslab.tw/uploads/images/gallery/2024-09/scaled-1680-/wireshark-filters-for-cybersecurity.jpg)](https://osslab.tw/uploads/images/gallery/2024-09/wireshark-filters-for-cybersecurity.jpg)

# Learning

- [Network Forensics, Wireshark Basics, Part 1](https://www.hackers-arise.com/post/2018/09/24/Network-Forensics-Wireshark-Basics-Part-1)
- [10 Tips On How to Use Wireshark to Analyze Network Packets (tecmint.com)](https://www.tecmint.com/wireshark-network-traffic-analyzer-for-linux/)

# tcpdump

##### List the interfaces

```bash
sudo tcpdump -D
```

##### Capture All traffic

```bash
tcpdump -i eth0
tcpdump -i wlan0
```

##### To a File

```bash
tcpdump -i eth0 -w capture.pcap
tcpdump -i any -w capture.pcap -nn 'ip and port 80'

# Set Timeout
timeout 6m tcpdump -i eth0 -w capture.pcap
```

##### Read a file (.pcap)

- `-nn`: Disable port and protocol name lookup.
- `-r` : Read capture data from the named file.
- `-v` : Display detailed packet data.
- `-X` : Display the hexadecimal and ASCII output format packet data. Security analysts can analyze hexadecimal and ASCII output to detect patterns or anomalies during malware analysis or forensic analysis.

```bash
tcpdump -r capture.pcap
tcpdump -r capture.pcap -nn -v 'ip and (port 80 or port 443)'
tcpdump -nn -r capture.pcap -X
```
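As an added example (not from the original page), the following POSIX sh function inspects the 24-byte global header of a classic `.pcap` file before it is handed to `tcpdump -r`: it checks the magic number (which fixes the byte order and the timestamp resolution, and reveals when the file is actually pcapng), then prints the format version, the snaplen and the link-layer type. The snaplen is the per-packet byte limit that `-s` sets at capture time; if it is small, `-X` will show truncated payloads no matter how the file is read. The function names and the hex-dump approach are this example's own, not tcpdump's.

```shell
#!/bin/sh
# Added example (not from the original page): inspect the 24-byte global header
# of a classic libpcap file before reading it with tcpdump -r or Wireshark.
# Header layout (multi-byte fields are in the writer's byte order):
#   bytes  0-3  magic   (byte order + timestamp resolution)
#   bytes  4-5  version major      bytes  6-7  version minor
#   bytes  8-11 thiszone           bytes 12-15 sigfigs
#   bytes 16-19 snaplen            bytes 20-23 link-layer type
# Only od, cut, tr and shell arithmetic are used, so it runs on any POSIX sh.

# hex_field HEX OFFSET WIDTH ENDIAN -> decimal value of WIDTH bytes starting at
# byte OFFSET of the hex-dump string HEX, read little-endian (le) or big-endian (be).
hex_field() {
  h=$1; o=$2; w=$3; e=$4
  v=""
  i=0
  while [ "$i" -lt "$w" ]; do
    s=$(( (o + i) * 2 + 1 ))
    b=$(printf '%s' "$h" | cut -c "$s"-$(( s + 1 )))
    # little-endian: later bytes are more significant, so prepend them
    if [ "$e" = le ]; then v="$b$v"; else v="$v$b"; fi
    i=$(( i + 1 ))
  done
  echo $(( 0x$v ))
}

# pcap_header_info FILE -> one summary line, or an error message with non-zero exit
pcap_header_info() {
  f=$1
  hex=$(od -A n -v -t x1 -N 24 "$f" 2>/dev/null | tr -d ' \n')
  if [ "${#hex}" -ne 48 ]; then
    echo "error: $f is shorter than a pcap global header"
    return 1
  fi
  magic=$(printf '%s' "$hex" | cut -c 1-8)
  case $magic in
    d4c3b2a1) e=le; res=us ;;   # 0xa1b2c3d4 written little-endian, microsecond stamps
    a1b2c3d4) e=be; res=us ;;
    4d3cb2a1) e=le; res=ns ;;   # 0xa1b23c4d, nanosecond stamps
    a1b23c4d) e=be; res=ns ;;
    0a0d0d0a) echo "pcapng: not a classic pcap file (tcpdump and Wireshark read it; this parser does not)"; return 2 ;;
    *) echo "error: unknown magic $magic"; return 1 ;;
  esac
  major=$(hex_field "$hex" 4 2 "$e")
  minor=$(hex_field "$hex" 6 2 "$e")
  snaplen=$(hex_field "$hex" 16 4 "$e")
  linktype=$(hex_field "$hex" 20 4 "$e")
  echo "pcap v$major.$minor $e $res snaplen=$snaplen linktype=$linktype"
}

# Usage: pcap_header_info capture.pcap
```

A file written by `tcpdump -s 0` on a little-endian host reports `le us snaplen=262144 linktype=1` (1 is Ethernet); a file whose snaplen is much smaller was captured with a truncating `-s` value, and its payloads cannot be recovered by reading it differently.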

##### Filter

```bash
# Filter by Source IP
tcpdump src 192.168.0.1

# Filter by Destination IP
tcpdump dst 192.168.0.1

# Filter by Port
tcpdump port 80

# Filter by Protocol
tcpdump icmp

# Protocol and Port
tcpdump tcp port 443

# Source and Destination
tcpdump src 192.168.0.1 and dst 192.168.0.2

tcpdump -i any -w capture.pcap -n 'ip and port 80'
```

##### Display in ASCII

```bash
# Display in ASCII
tcpdump -A

# Display in Hexadecimal
tcpdump -X
```

##### Specific Number of Packets

```bash
tcpdump -c 100
```

##### Display

```bash
# Capture and Display IPv6 Traffic
tcpdump -6

# Capture and Display Traffic in Timestamp Format
tcpdump -tttt
```

##### SSH Connections

```bash
# -l: line-buffered output, so packets appear immediately when piped to another tool
# -e: print the link-level (Ethernet) header of each packet
tcpdump -i eth0 'tcp port 22' -l -e
```

##### HTTP Request and Response

```bash
tcpdump -i eth0 -s 0 -A -n 'tcp dst port 80'
```

##### IP Range and Protocol

```bash
tcpdump -i eth0 'net 192.168.0.0/24 and (tcp port 22 or icmp)'
```

##### DNS Traffic

```bash
tcpdump -i eth0 'udp port 53' -nnvvv
```

##### FTP Traffic

```bash
tcpdump -i eth0 -s 0 'tcp port 21'
```

##### Automatically capture packets when under DDoS attack

```bash
#!/bin/bash
# Poll the receive-packet counter of $interface once per second; when the rate
# exceeds 30000 packets/s, capture 20000 packets into a timestamped pcap file.
interface=ens1
dumpdir=/home/user/automatic-tcp-dump
mkdir -p "$dumpdir"
while true; do
  # Received-packet counter: second field after "<iface>:" in /proc/net/dev
  pkt_old=$(grep "$interface:" /proc/net/dev | cut -d : -f2 | awk '{ print $2 }')
  sleep 1
  pkt_new=$(grep "$interface:" /proc/net/dev | cut -d : -f2 | awk '{ print $2 }')
  pkt=$(( pkt_new - pkt_old ))
  echo -ne "\r$pkt packets/s\033[0K"
  if [ "$pkt" -gt 30000 ]; then
    echo -e "\n$(date) Under Attack. Capturing Packets..."
    sudo tcpdump -n -i "$interface" -s0 -c 20000 -w "$dumpdir/dump.$(date +%Y%m%d-%H%M%S).pcap"
    echo "$(date) Packets Captured."
    # Wait five minutes before re-arming; the pkill is a safety net for a tcpdump that is still running
    sleep 300 && sudo pkill -HUP -f /usr/sbin/tcpdump
  else
    sleep 1
  fi
done
```
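The script above trusts the parsing of `/proc/net/dev` and the threshold comparison without any way to test them on a quiet host. As an added example (not the page's script), the same packet-rate check is split below into POSIX sh functions that take a `/proc/net/dev` snapshot as text, so the logic can be exercised offline against constructed data; the interface name `ens1` and the 30000 packets/s threshold are taken from the script above, and the two snapshots are constructed sample data, not readings from a real host.

```shell
#!/bin/sh
# Added example (not the page's script): the packet-rate trigger of the
# auto-capture loop, as functions that can be tested on a snapshot string.

# rx_packets IFACE DEVTEXT -> received-packet counter for IFACE; exit 1 if absent.
# Each data line of /proc/net/dev is "<iface>: <rx fields> <tx fields>", where the
# rx fields are: bytes packets errs drop fifo frame compressed multicast.
rx_packets() {
  printf '%s\n' "$2" | awk -F: -v want="$1" '
    {
      name = $1; gsub(/ /, "", name)
      if (name == want) { split($2, f, " "); print f[2]; found = 1 }
    }
    END { exit found ? 0 : 1 }'
}

# packet_rate OLD NEW -> packets per second from two readings taken one second apart
packet_rate() {
  echo $(( $2 - $1 ))
}

# above_threshold RATE THRESHOLD -> true (exit 0) when RATE exceeds THRESHOLD
above_threshold() {
  [ "$1" -gt "$2" ]
}

# check_interface IFACE THRESHOLD -> reads the live counters one second apart,
# prints the rate, and exits 0 when the capture should be triggered.
check_interface() {
  old=$(rx_packets "$1" "$(cat /proc/net/dev)") || return 2
  sleep 1
  new=$(rx_packets "$1" "$(cat /proc/net/dev)") || return 2
  rate=$(packet_rate "$old" "$new")
  echo "$rate packets/s"
  above_threshold "$rate" "$2"
}

# Constructed /proc/net/dev snapshots (sample data, not a real host), one second
# apart: ens1 has received 5000 packets in the first and 45000 in the second.
SNAP_T0='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  ens1:  600000    5000    0    0    0     0          0         0   200000    3000    0    0    0     0       0          0'
SNAP_T1='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1200      12    0    0    0     0          0         0     1200      12    0    0    0     0       0          0
  ens1: 4800000   45000    0    0    0     0          0         0   240000    3600    0    0    0     0       0          0'

# Usage with the constructed data (prints "trigger capture"):
#   rate=$(packet_rate "$(rx_packets ens1 "$SNAP_T0")" "$(rx_packets ens1 "$SNAP_T1")")
#   above_threshold "$rate" 30000 && echo "trigger capture"
# Live: check_interface ens1 30000 && sudo tcpdump -n -i ens1 -s0 -c 20000 -w dump.pcap
```

Matching on the whole interface name rather than with `grep "$interface:"` avoids a false match when one name is a suffix of another (for example `eth1:` also matching `veth1:`), and returning non-zero when the interface is missing lets the caller notice a typo instead of computing a rate from empty strings.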

##### Cheat Sheets

[![tcpdump_commands.jpg](https://osslab.tw/uploads/images/gallery/2025-04/scaled-1680-/tcpdump-commands.jpg)](https://osslab.tw/uploads/images/gallery/2025-04/tcpdump-commands.jpg)