# Wireshark or Tcpdump
## Wireshark
```bash
wireshark -i eth1
# Filter by ip
ip.add == 10.10.10.9
# Filter by dest ip
ip.dest == 10.10.10.15
# Filter by source ip
ip.src == 10.10.16.33
# Filter by tcp port
tcp.port == 25
# Filter by ip addr and port
ip.addr == 10.10.14.22 and tcp.port == 8080
# Filter SYN flag
tcp.flags.syn == 1 and tcp.flags.ack ==0
# Broadcast filter
eth.dst == ff:ff:ff:ff:ff:ff
```
### Filters CheatSheet
{% embed url="" %}
### TShark
```bash
tshark -D
tshark -i eth1
tshark -r .pcap
tshark -r .pcap | wc -l
# First 100 packets
tshark -r .pcap -c 100
# Protocl hierarchy statistics
tshark -r .pcap -z io,phs -q
# HTTP traffic
tshark -r .pcap -Y 'http' | more
tshark -r .pcap -Y "ip.src== && ip.dst=="
# Only GET requests
tshark -r .pcap -Y "http.request.method==GET"
# Packets with frame time, source IP and URL for all GET requests
tshark -r .pcap -Y "http.request.method==GET" -Tfields -e frame.time -e ip.src -e http.request.full_uri
# Packets with a string
tshark -r .pcap -Y "http contains password"
# Check destination IP
tshark -r .pcap -Y "http.request.method==GET && http.host==" -Tfields -e ip.dst
# Check session ID
tshark -r .pcap -Y "ip contains amazon.in && ip.src==" -Tfields -e ip.src -e http.cookie
# Check OS/User Agent type
tshark -r .pcap -Y "ip.src== && http" -Tfields -e http.user_agent
# WiFi traffic filter
tshark -r .pcap -Y "wlan"
# Only deauthentication packets
tshark -r .pcap -Y "wlan.fc.type_subtype==0x000c"
# and devices
tshark -r .pcap -Y "wlan.fc.type_subtype==0x000c" -Tfields -e wlan.ra
# Only WPA handshake packets
tshark -r .pcap -Y "eapol"
# Onyl SSID/BSSID
tshark -r .pcap -Y "wlan.fc.type_subtype==8" -Tfields -e wlan.ssid -e wlan.bssid
tshark -r .pcap -Y "wlan.ssid==" -Tfields -e wlan.bssid
# WiFi Channel
tshark -r .pcap -Y "wlan.ssid==" -Tfields -e wlan_radio.channel
# Vendor & model
tshark -r .pcap -Y "wlan.ta== && http" -Tfields -e http.user_agent
```
```bash
# ARP POISONING - arpspoof
## Forward IP packets
echo 1 > /proc/sys/net/ipv4/ip_forward
# arpspoof -i -t -r
arpspoof -i eth1 -t -r
```
#### Others Notes
```bash
#To find DOS (SYN and ACK)
tcp.flags.syn == 1 , tcp.flags.syn == 1 and tcp.flags.ack == 0
#To find passwords
http.request.method == POST
#More reference
https://www.comparitech.com/net-admin/wireshark-cheat-sheet/
#To find DOS: look for Red and Black packets with around 1-2 simple packets in between and then pick any packet and check the Source and Destination IP with port(As per question)
#To find DOS (SYN and ACK) : tcp.flags.syn == 1 , tcp.flags.syn == 1 and tcp.flags.ack == 0
#To find passwords : http.request.method == POST
```
{% embed url="" %}
## **Password sniffing using Wireshark**
**Attacker**
* Stop capture
* File-\>Save as
* Filter: http.request.method==POST
* RDP log in Target
* service
* start Remote Packet Capture Protocol v.0 (experimental)
* Log off Target
* Wireshark-\>Capture options-\>Manage Interface-\>Remote Interfaces
* Add a remote host and its interface
* Fill info
### Additional Resources
{% embed url="" %}
TCPDUMP Tutorial
{% endembed %}
{% embed url="" %}
Detecting DoS Attack traffic
{% endembed %}
{% embed url="" %}
{% embed url="" %}
{% embed url="" %}
{% embed url="" %}
{% embed url="" %}
{% embed url="" %}
{% embed url="" %}
{% embed url="" %}
{% embed url="" %}
{% embed url="" %}
[https://www.youtube.com/watch?v=4\_7A8Ikp5Cc]()
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://dev-angelist.gitbook.io/practical-ethical-hacker-ceh-tools/practical-ethical-hacker-notes/tools/wireshark-or-tcpdump.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.