{"id":313,"date":"2019-08-20T10:06:18","date_gmt":"2019-08-20T08:06:18","guid":{"rendered":"https:\/\/privat.andreas-klingler.de\/itsec\/?p=313"},"modified":"2024-06-23T23:24:06","modified_gmt":"2024-06-23T21:24:06","slug":"tcpdump","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=313","title":{"rendered":"Sniffing network traffic (tcpdump)"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">tcpdump<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Get incom\u00ading <span class=\"caps\">ICMP<\/span> packets:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo tcpdump -i any icmp and src host $target<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">N\u00fctzliche Parameter<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Domains nicht aufl\u00f6sen, IPs anzeigen<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">-n<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Dump der Dat\u00aden anzeigen<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">-X<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Paket in <span class=\"caps\">ASCII<\/span> anzeigen<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">-A<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Umgang mit Dateien<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Dump in Datei schreiben<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">tcpdump -w file<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Dump aus Datei&nbsp;lesen<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">tcpdump -r file<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Standard-Abfragen<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">tcpdump -n src|dst 10.10.10.10 and port 80 [-r file]\ntcpdump -i eth0 -w core-10-11-1-234.dump<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">netsh (Windows)<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Cap\u00adture<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">netsh trace start capture=yes ... wait some time ... netsh trace stop<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Down\u00adload the the file.Upload it to a sys\u00adtem with <a href=\"https:\/\/github.com\/microsoft\/etl2pcapng\">etl2pcap<\/a> to con\u00advert it for Wire\u00adshark\u00adCon\u00advert&nbsp;it<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">etl2pcapng.exe NetTrace.etl NetTrace.pcap<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Analyse the pcap file.<a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=51\">Use PCredz or oth\u00ader sniff\u00ading tools to ana\u00adlyze the&nbsp;file.<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Analyse captured packets<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Use the pcaphistogram.py script to analyse a cap\u00adtured pcap file for entropy.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>tcp\u00addump Get incom\u00ading <span class=\"caps\">ICMP<\/span> pack\u00adets: sudo tcp\u00addump \u2011i any icmp and src host $tar\u00adget N\u00fct\u00adzliche Para\u00adme\u00adter Domains nicht aufl\u00f6sen, IPs anzeigen \u2011n Dump der Dat\u00aden anzeigen \u2011X Paket in <span class=\"caps\">ASCII<\/span> anzeigen \u2011A Umgang mit Dateien Dump in Datei schreiben tcp\u00addump \u2011w file Dump aus Datei&nbsp;lesen tcp\u00addump \u2011r file Stan\u00addard-Abfra\u00adgen tcp\u00addump \u2011n src|dst 10.10.10.10 and&nbsp;port&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[469,472,474,475,476],"tags":[87],"class_list":["post-313","post","type-post","status-publish","format-standard","hentry","category-passive-enum","category-postexp","category-lateral-movement","category-attack-tool","category-defence-tool","tag-tcpdump"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/313","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=313"}],"version-history":[{"count":8,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/313\/revisions"}],"predecessor-version":[{"id":3950,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/313\/revisions\/3950"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=313"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=313"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=313"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}