Tcpdump Wireshark Refresh

The document discusses tcpdump, Wireshark, and packet capture tools. Tcpdump is a command-line tool that captures packets from the network or existing pcap files. Wireshark is a GUI tool that decodes protocols in captured packets. Both tools can read and write pcap files, which is a standardized format for storing captured network data.

# tcpdump

> - Most widely used capture tool
> - Open source, cross-platform
> - Command-line based
> - Based on libpcap
> - Uses Berkeley Packet Filter (BPF) syntax
> - Displays details in the terminal or saves to a pcap file on disk
> - Reads from the network or an existing pcap file
> - Proprietary tools often read from/export to pcap files

tcpdump is primarily used to capture packets from the network medium, after which
it will either display a definable amount of information about each packet or write
the entire packet to disk.

The core features tcpdump provides are thanks to its use of the libpcap library.
Some of the more important capabilities of the library include:

- The Berkeley Packet Filter (BPF) language, a basic filtering language used
to limit the data captured from the network
- Display packet details on screen or save packets to a pcap file. The **pcap**
format is a standardized format to store network packet data on disk.
- Read network data from a live network or a pcap file.
- Runtime specification of how much data to capture.

# Wireshark

> - GUI that decodes protocols
> - Powerful parsing for hundreds of protocols
> - Can add new protocols as required
> - Open source, cross-platform
> - Comes with tshark, a console-mode equivalent

# PCAP File Format

> Magic: 0xa1b2c3d4 or 0xd4c3b2a1
> Version: 2.4
> For libpcap >= 1.1.1
> TZ always UTC = 0
> Accuracy always = 0
> Snapshot length (max packet size)
> Many link types

> ![[Pasted image 20230226103534.png]]

The **link type** is a field that indicates the type of media from which the
packets were acquired. There are many values.

> ![[Pasted image 20230226103721.png]]

After the file header are zero or more packets. The pcap format prepends a set of
metadata to each stored packet. These four four-byte fields contain useful data:

- The time each packet was captured is written to the pcap file in two segments:
  - the number of seconds since the UNIX epoch (Jan 1, 1970, 00:00:00 UTC)
  - the number of microseconds after that second-resolution timestamp
- The number of bytes captured from the network
- The number of bytes that were present on the network before any snaplen-based
  truncation

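
A reader for this layout, as an added example that is not code from the notes, tcpdump or Wireshark: it detects the byte order from the magic (the 0xd4c3b2a1 form is the same magic read on a host of the other endianness), decodes the global header fields listed above, then walks the per-packet headers and flags records whose stored length is smaller than the original length, i.e. snaplen truncation. The sample capture is constructed inline, so the script runs offline.

```python
"""Parser for the classic libpcap file format: a 24-byte global header followed
by records that each carry a 16-byte header of four 32-bit fields.
Added example for these notes, not code from tcpdump or Wireshark; the sample
capture is constructed inline so the script runs offline."""
import struct
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Magic as written by the capturing host. A reader that sees the bytes in the
# opposite order (0xd4c3b2a1) knows the file came from a host of the other
# endianness and must byte-swap every header field.
PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16


@dataclass
class PcapHeader:
    version: Tuple[int, int]  # (major, minor), 2.4 for current libpcap
    thiszone: int             # GMT offset, always 0 in practice
    sigfigs: int              # timestamp accuracy, always 0 in practice
    snaplen: int              # max bytes stored per packet
    linktype: int             # link-layer header type (1 = Ethernet)
    endian: str               # struct prefix: "<" little, ">" big


@dataclass
class PcapRecord:
    ts_sec: int
    ts_usec: int
    incl_len: int  # bytes actually stored (after snaplen truncation)
    orig_len: int  # bytes that were on the wire
    data: bytes


def parse_header(buf: bytes) -> PcapHeader:
    """Decode the global header, detecting byte order from the magic number."""
    if len(buf) < GLOBAL_HDR_LEN:
        raise ValueError("truncated pcap global header")
    if struct.unpack("<I", buf[:4])[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack(">I", buf[:4])[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError(f"not a classic pcap file (magic {buf[:4].hex()})")
    major, minor, thiszone, sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", buf[4:GLOBAL_HDR_LEN])
    return PcapHeader((major, minor), thiszone, sigfigs, snaplen, linktype, endian)


def iter_records(buf: bytes, hdr: PcapHeader) -> Iterator[PcapRecord]:
    """Yield each packet record after the global header, refusing lengths that
    cannot be right (stricter than libpcap, which is what you want when a
    capture file of unknown provenance is being inspected)."""
    off = GLOBAL_HDR_LEN
    while off < len(buf):
        if off + RECORD_HDR_LEN > len(buf):
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(
            hdr.endian + "IIII", buf[off:off + RECORD_HDR_LEN])
        off += RECORD_HDR_LEN
        if incl_len > hdr.snaplen or incl_len > orig_len or ts_usec >= 1_000_000:
            raise ValueError(f"inconsistent record header at offset {off - RECORD_HDR_LEN}")
        data = buf[off:off + incl_len]
        if len(data) != incl_len:
            raise ValueError(f"truncated packet data at offset {off}")
        off += incl_len
        yield PcapRecord(ts_sec, ts_usec, incl_len, orig_len, data)


def summarize(buf: bytes) -> List[Tuple[int, int, int, int, bool]]:
    """One row per packet: (ts_sec, ts_usec, incl_len, orig_len, truncated)."""
    hdr = parse_header(buf)
    return [(r.ts_sec, r.ts_usec, r.incl_len, r.orig_len, r.incl_len < r.orig_len)
            for r in iter_records(buf, hdr)]


def build_sample_pcap(endian: str = "<") -> bytes:
    """Constructed sample: version 2.4, Ethernet link type, snaplen 96, two
    records; the second was 200 bytes on the wire but only 96 were stored."""
    hdr = struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 96, 1)
    frame1 = bytes(range(60))
    frame2 = bytes(96)
    rec1 = struct.pack(endian + "IIII", 1677407734, 123456, len(frame1), len(frame1)) + frame1
    rec2 = struct.pack(endian + "IIII", 1677407735, 5, len(frame2), 200) + frame2
    return hdr + rec1 + rec2


if __name__ == "__main__":
    sample = build_sample_pcap()
    h = parse_header(sample)
    print(f"pcap {h.version[0]}.{h.version[1]} linktype={h.linktype} snaplen={h.snaplen}")
    for row in summarize(sample):
        print(row)
```

Feed `summarize()` a file read with `open(path, "rb").read()` to get the same per-packet rows; the length checks are deliberately stricter than libpcap so that a malformed or hand-edited file fails loudly instead of silently misaligning every later record.
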
# Fundamental tcpdump Usage

> ![[Pasted image 20230226104254.png]]

# BPF Primitives

Several primitives and logical combinations:

- Common: ip, tcp, udp, icmp, host, ether, net, port
- Qualifiers: src, dst
- Logic: and, or, not, ()
- Less common: vlan, portrange, gateway, byte offsets such as `ip[9:1] == 0x06`

BPF syntax provides a way to designate which traffic is or is not "interesting" and
therefore worthy of the CPU cycles.

Perhaps the easiest to understand are the primitives that match against a given
protocol: simply "ip", "tcp", "udp", "icmp", or a handful of others. If the
protocol matches, the packet is considered interesting and processing continues.
If it does not, the packet still goes on its way, but the libpcap process stops
processing it.

The "host" primitive limits on the layer 3 IP address. By specifying "host
192.168.75.104", only packets to or from the specified address will be matched and
passed along.

> ![[Pasted image 20230226142238.png]]
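
To make concrete what these primitives test, here is an added example (not libpcap code, which compiles filters to BPF bytecode rather than evaluating them in Python) that checks ip, tcp, udp, icmp, host, src/dst host, port and the byte-offset form `ip[9:1] == 0x06` against constructed Ethernet frames. It is IPv4 only; 192.168.75.104 is the address from the notes, while 203.0.113.10, 192.168.75.1 and the port numbers are made up for the samples.

```python
"""BPF primitives evaluated in plain Python against raw Ethernet frames, to
show what tcpdump's filter language is actually testing. Added example for
these notes, not libpcap's code; IPv4 only. Sample frames are constructed."""
import struct
from ipaddress import IPv4Address
from typing import Callable, Dict, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
Predicate = Callable[[bytes], bool]


def ipv4_header(frame: bytes) -> Optional[bytes]:
    """Return everything from the IPv4 header onward, or None for non-IPv4."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    return frame[14:]


def ip_bytes(frame: bytes, offset: int, size: int = 1) -> Optional[int]:
    """The byte-offset primitive ip[offset:size]. Offsets count from the start
    of the IP header, not the frame, so ip[9:1] is the protocol field."""
    ip = ipv4_header(frame)
    if ip is None or offset + size > len(ip):
        return None
    return int.from_bytes(ip[offset:offset + size], "big")


def l4_ports(frame: bytes) -> Optional[Tuple[int, int]]:
    """(source port, destination port) for TCP/UDP, honouring the IHL field."""
    if ip_bytes(frame, 9) not in (IPPROTO_TCP, IPPROTO_UDP):
        return None
    ip = ipv4_header(frame)
    ihl = (ip[0] & 0x0F) * 4
    if len(ip) < ihl + 4:
        return None
    return struct.unpack("!HH", ip[ihl:ihl + 4])


def proto(number: int) -> Predicate:
    """Protocol primitives (tcp, udp, icmp) are just a test of ip[9:1]."""
    return lambda f: ip_bytes(f, 9) == number


def host(addr: str, direction: str = "") -> Predicate:
    """host / src host / dst host: match the layer 3 address."""
    want = IPv4Address(addr).packed

    def pred(f: bytes) -> bool:
        ip = ipv4_header(f)
        if ip is None:
            return False
        src, dst = ip[12:16], ip[16:20]
        return {"src": want == src, "dst": want == dst}.get(direction, want in (src, dst))
    return pred


def port(number: int, direction: str = "") -> Predicate:
    """port / src port / dst port for TCP and UDP."""
    def pred(f: bytes) -> bool:
        ports = l4_ports(f)
        if ports is None:
            return False
        return {"src": ports[0] == number, "dst": ports[1] == number}.get(direction, number in ports)
    return pred


def bpf_and(*preds: Predicate) -> Predicate:
    return lambda f: all(p(f) for p in preds)


def bpf_or(*preds: Predicate) -> Predicate:
    return lambda f: any(p(f) for p in preds)


def bpf_not(pred: Predicate) -> Predicate:
    return lambda f: not pred(f)


PRIMITIVES: Dict[str, Predicate] = {
    "ip": lambda f: ipv4_header(f) is not None,
    "tcp": proto(IPPROTO_TCP),
    "udp": proto(IPPROTO_UDP),
    "icmp": proto(IPPROTO_ICMP),
}


def build_frame(src: str, dst: str, protocol: int, payload: bytes) -> bytes:
    """Constructed Ethernet + minimal IPv4 frame (checksum left zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     protocol, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip + payload


# Constructed samples: a TCP SYN to a web server, a DNS query, and an ARP frame.
SAMPLE_FRAMES = {
    "tcp": build_frame("192.168.75.104", "203.0.113.10", IPPROTO_TCP,
                       struct.pack("!HHIIBBHHH", 51515, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)),
    "udp": build_frame("192.168.75.104", "192.168.75.1", IPPROTO_UDP,
                       struct.pack("!HHHH", 40000, 53, 8, 0)),
    "arp": bytes(12) + bytes.fromhex("0806") + bytes(28),
}

if __name__ == "__main__":
    web = bpf_and(PRIMITIVES["tcp"], host("192.168.75.104"), port(80))
    for name, frame in SAMPLE_FRAMES.items():
        print(name, "ip[9:1] =", ip_bytes(frame, 9), "matches 'tcp and host 192.168.75.104 and port 80':", web(frame))
```

The ARP frame shows the behaviour described above for non-matching protocols: every IP-based primitive returns False for it, and `ip_bytes` returns None rather than reading bytes that are not an IP header.
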

## Useful tcpdump options

![[Pasted image 20230226142335.png]]

![[Pasted image 20230226142352.png]]

# Wireshark Interface

> ![[Pasted image 20230226142500.png]]

The **Packet Listing** shows one row per packet. The user can configure which
columns are displayed, as well as a number of display parameters. The default
"time" value is the number of seconds and microseconds since the capture started.

The **Packet Details** pane is where we can see the real power of the protocol
decoders at work. This pane contains a hierarchical list of every field within the
packet - from the IP and TCP or UDP headers, all the way to the layer 7 application
data. By simply clicking through each field and value, we can inspect even binary
protocols without getting elbow deep into the RFCs or reverse engineering the
protocol. Often this is the best place to start exploring an unfamiliar protocol
because Wireshark generally includes human-readable field names and values.

The **Packet Bytes** pane contains a hex-dump-style listing of all bytes contained
in that packet as stored in the pcap file or as they transited the network. Having
the raw data often helps an analyst find interesting segments of the packet.
Wireshark lets the user click a byte in the raw hex or ASCII portions of the Packet
Bytes pane, which triggers it to jump to and highlight the corresponding decoded
element in the Packet Details pane; the reverse also works.

## Wireshark Interface Layout and Name Resolution

> ![[Pasted image 20230226143903.png]]

By default Wireshark will not perform DNS lookups for each IP address it sees.
Adversaries can run their own DNS servers and monitor the queries made against
them, and so find out where you are.

Although the default columns that Wireshark includes in the packet listing pane are
often sufficient, you can add, remove and reorder them.

## Wireshark Display filtering

- Display filters
  - Robust, protocol-aware filtering
  - Any Wireshark field name can be used
  - Equality: ==
  - Logic: and, or, not, ()
  - Partial text matches: contains
  - Case-sensitive unless the field is wrapped in lower()
  - RegEx matching: matches

`tcp.port == 80`
`ip.src == 204.51.94.202`

Looking for DNS replies containing more than five responses for a query against a
known hostile domain:

`dns.flags.response == 1 and dns.count.answers > 5 and dns.qry.name contains "cz.cc"`

`http and lower(http.cookie) contains "username"`

> ![[Pasted image 20230226144652.png]]

In the above example: The Packet Details pane shows a basic DNS query for the A
record associated with the hostname "www.phdcomic.com". By looking at the left side
of the status bar, we can see that the DNS decoder uses the name "dns.qry.name" to
denote this field and in this case the field is 19 bytes long (17 bytes of text in
three labels plus two bytes for the interstitial dot characters). We can then use
this field to craft a display filter that will quickly and nondestructively narrow
down the packet listing to just those we are interested in.
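
As an added example (not Wireshark's dissector code), the following Python ties the three field names in the DNS filter above to the bytes they decode: `dns.flags.response` is the QR bit of the header flags word, `dns.count.answers` is ANCOUNT, and `dns.qry.name` is the question name reassembled from its length-prefixed labels, whose length on the wire is the dotted text plus two bytes. It also shows why `contains` is case-sensitive and what wrapping the field in `lower()` changes. The DNS messages are constructed inline; the name evil.cz.cc, the 203.0.113.x addresses and the helper field name `dns.qry.name.len` are assumptions for the example, not Wireshark's.

```python
"""The DNS display filter from the notes evaluated against the wire format, so
each Wireshark field name is tied to the bytes it decodes. Added example for
these notes, not Wireshark's dissector; only the header and the question
section are parsed (answer-section name compression is not handled). The
messages are constructed inline."""
import struct
from ipaddress import IPv4Address
from typing import Dict, List, Tuple

Fields = Dict[str, object]


def encode_name(name: str) -> bytes:
    """Dotted name -> length-prefixed labels plus a terminating zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Return (dotted name, bytes consumed) for an uncompressed name at off."""
    labels: List[str] = []
    start = off
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        n = msg[off]
        if n == 0:
            off += 1
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off - start


def dns_fields(msg: bytes) -> Fields:
    """Extract the Wireshark-named fields the filter uses from a DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its 12-byte header")
    ident, flags, qdcount, ancount, _nscount, _arcount = struct.unpack("!6H", msg[:12])
    if qdcount != 1:
        raise ValueError(f"expected one question, got {qdcount}")
    qname, qlen = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[12 + qlen:16 + qlen])
    return {
        "dns.id": ident,
        "dns.flags.response": flags >> 15,      # QR bit: 0 query, 1 response
        "dns.flags.rcode": flags & 0x000F,
        "dns.count.answers": ancount,           # ANCOUNT straight from the header
        "dns.qry.name": qname,
        "dns.qry.name.len": qlen,               # assumed name: wire length = text + 2
        "dns.qry.type": qtype,
        "dns.qry.class": qclass,
    }


def many_answers_for_domain(fields: Fields, needle: str = "cz.cc",
                            threshold: int = 5, fold_case: bool = False) -> bool:
    """dns.flags.response == 1 and dns.count.answers > threshold and
    dns.qry.name contains needle; fold_case mirrors wrapping the field in lower()."""
    name = str(fields["dns.qry.name"])
    if fold_case:
        name, needle = name.lower(), needle.lower()
    return (fields["dns.flags.response"] == 1
            and int(fields["dns.count.answers"]) > threshold
            and needle in name)


def build_query(qname: str, ident: int = 0x1234) -> bytes:
    """Constructed standard query for an A record (RD set)."""
    return struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)


def build_response(qname: str, answers: List[str], ident: int = 0x1234) -> bytes:
    """Constructed NOERROR response with one A record per address; answer
    names use a compression pointer (0xc00c) back to the question name."""
    header = struct.pack("!6H", ident, 0x8180, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + IPv4Address(a).packed
                   for a in answers)
    return header + question + rrs


if __name__ == "__main__":
    resp = build_response("evil.cz.cc", [f"203.0.113.{i}" for i in range(1, 7)])
    fields = dns_fields(resp)
    print(fields)
    print("filter matches:", many_answers_for_domain(fields))
```

The same routine run on the query rather than the response returns False because the QR bit is clear, which is exactly what `dns.flags.response == 1` is there to enforce: without it the filter would also match the outbound questions.
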

> ![[Pasted image 20230226145130.png]]

Because display filters can get pretty complex, Wireshark employs a stoplight
visual aid: a green background means the filter is valid, red means it is not.

> ![[Pasted image 20230226145327.png]]

## Wireshark Follow TCP Stream

- View ASCII/hex content of a connection
- Right-click TCP packet, select "Follow | TCP Stream"
- Choose client-to-server, server-to-client, or both
- Save selected side(s) of stream to file

Wireshark will pop up a window that displays one or both sides of the TCP
conversation in ASCII or hex-dump style. The client requests to the server are in
red and the resulting responses are in blue.

## Wireshark Additional Features

- **Decode as alternate protocol**:
  - Force protocol decoder for a connection
  - Right-click "Decode As", choose protocol
  - This is handy when a sneaky user is trying to push one protocol over an
    alternate port in an attempt to evade detection. Instead of relying on Wireshark's
    own protocol detection routines, you can force a connection to be parsed with a
    decoder of your choosing.
- **Traffic capture: Select interface, start capture**:
  - Good for lab or limited use, but not for production
  - Uses the dumpcap process under the hood, which is usable as a standalone capture
    process as well

# tshark

- Provides almost all of Wireshark's functionality in a shell-based utility
- Explore data and develop analytic processes in the GUI, shift to the console to
  scale and script
- Great scalability and automation via shell scripts
  - loop over hundreds of input files
  - create repeatable processes
- Perform data reduction using robust display filters

> ![[Pasted image 20230226150625.png]]

> ![[Pasted image 20230226150654.png]]
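
An added example of the scale-and-script step, not code from the Wireshark project: it builds the tshark command line for a display filter with `-T fields` output, loops it over a list of capture files, and reduces the rows with a counter. It assumes tshark is installed on PATH and uses its `-n`, `-r`, `-Y`, `-T fields`, `-e` and `-E separator=` options; the sample output and the file names are constructed, so the parsing and aggregation run offline.

```python
"""Scaling the Wireshark workflow with tshark: loop over many capture files,
apply a display filter developed in the GUI, and reduce each to a few fields.
Added example for these notes, not tshark's own code; it assumes tshark is on
PATH. The parsing and aggregation run offline against constructed output."""
import shutil
import subprocess
from collections import Counter
from typing import Dict, Iterable, List

Row = Dict[str, str]


def build_tshark_cmd(pcap: str, display_filter: str, fields: List[str]) -> List[str]:
    """tshark invocation: -n disables name resolution (so no DNS lookups leave
    the analysis box), -Y applies the display filter, -T fields with -e selects
    the columns, and -E separator=/t makes the output tab-separated."""
    cmd = ["tshark", "-n", "-r", pcap, "-Y", display_filter,
           "-T", "fields", "-E", "separator=/t"]
    for field in fields:
        cmd += ["-e", field]
    return cmd


def parse_fields_output(text: str, fields: List[str]) -> List[Row]:
    """Turn tshark -T fields output into dicts keyed by field name."""
    rows: List[Row] = []
    for line in text.splitlines():
        if not line:
            continue
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        rows.append(dict(zip(fields, values)))
    return rows


def count_by(rows: Iterable[Row], key: str) -> Counter:
    """Data reduction step: how often each value of `key` appears."""
    return Counter(row[key] for row in rows)


def reduce_captures(pcaps: Iterable[str], display_filter: str, fields: List[str]) -> List[Row]:
    """Run the same filter over every capture file and concatenate the rows;
    this is the 'loop over hundreds of input files' step."""
    if shutil.which("tshark") is None:
        raise RuntimeError("tshark not found on PATH")
    rows: List[Row] = []
    for pcap in pcaps:
        proc = subprocess.run(build_tshark_cmd(pcap, display_filter, fields),
                              capture_output=True, text=True, check=True)
        rows.extend(parse_fields_output(proc.stdout, fields))
    return rows


# Constructed stand-in for tshark's output on one file with the filter
# 'dns.flags.response == 1 and dns.qry.name contains "cz.cc"' and the fields
# below; the timestamps, resolver address and names are made up.
DNS_FIELDS = ["frame.time_epoch", "ip.src", "dns.qry.name", "dns.count.answers"]
SAMPLE_OUTPUT = (
    "1677407734.123456000\t192.168.75.1\tevil.cz.cc\t6\n"
    "1677407735.000005000\t192.168.75.1\tevil.cz.cc\t6\n"
    "1677407736.500000000\t192.168.75.1\tcdn.cz.cc\t1\n"
)

if __name__ == "__main__":
    rows = parse_fields_output(SAMPLE_OUTPUT, DNS_FIELDS)
    print(count_by(rows, "dns.qry.name"))
    print(" ".join(build_tshark_cmd("capture.pcap",
                                    'dns.flags.response == 1 and dns.qry.name contains "cz.cc"',
                                    DNS_FIELDS)))
```

With a real set of files, `reduce_captures(sorted(glob.glob("*.pcap")), FILTER, DNS_FIELDS)` returns the combined rows and `count_by` turns hundreds of captures into one table of queried names, which is the repeatable process the notes describe.
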
