Capture Filter:
A capture filter is applied before packets are recorded, so only traffic that matches some predefined criteria is kept:
- A specific host: host <ip address or name>
- A specific source address: src <ip address>
- A specific destination address: dst <ip address>
- A specific TCP/UDP port: port <number>
Difference between promiscuous and monitor modes
- Monitor Mode
The wireless card captures every frame it can hear in the air without being associated with any specific access point. It is like walking down the street and overhearing the conversations around you without being part of any of them.
- Promiscuous Mode
The card is authenticated and connected to a specific access point and listens to all the packets that pass through that access point, not only the ones addressed to it.
Display Filters
After the capture has been started, you can narrow down the packets that are shown based on some criteria:
- IP
o IP address (either source or destination): ip.addr == <address> or ip.addr != <address>
o IP source address: ip.src == <address> or ip.src != <address>
o IP destination address: ip.dst == <address> or ip.dst != <address>
- Display only a given protocol by typing its name as the filter:
o TCP: tcp
o HTTP: http
o UDP: udp
o FTP: ftp
o SSH: ssh
o DNS: dns
o ARP: arp
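The filters above look simple, but ip.addr is a field that occurs twice in one packet (once for the source, once for the destination), and that changes what != means. In Wireshark versions before 4.0, ip.addr != X is true when any of the two addresses differs from X, so it keeps almost every packet; !(ip.addr == X) is what people usually want, and it behaves the same in every version. The following added example (not code from the original notes or from Wireshark) is a tiny evaluator for this subset of the display-filter syntax, run over a constructed packet list; the Packet class, the CAPTURE list and the function names are the example's own.

```python
"""Added example: evaluate a subset of Wireshark display-filter syntax over
constructed packet records to show why `ip.addr != X` and `!(ip.addr == X)`
select different packets. Not Wireshark code; names are hypothetical."""
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str                 # bare protocol name: "tcp", "udp", "dns", "arp", ...
    src: Optional[str] = None  # ip.src; None for packets without an IP layer (ARP)
    dst: Optional[str] = None  # ip.dst

# Constructed sample capture; addresses are made up for the example.
CAPTURE: List[Packet] = [
    Packet("dns", "10.0.0.5", "8.8.8.8"),   # query from our host
    Packet("dns", "8.8.8.8", "10.0.0.5"),   # reply to our host
    Packet("tcp", "10.0.0.7", "10.0.0.9"),  # unrelated host pair
    Packet("udp", "10.0.0.5", "10.0.0.5"),  # both addresses are our host
    Packet("arp"),                          # no IP layer at all
]

def field_values(pkt: Packet, field: str) -> List[str]:
    """All values a field takes in one packet; ip.addr yields src and dst."""
    table = {"ip.src": [pkt.src], "ip.dst": [pkt.dst], "ip.addr": [pkt.src, pkt.dst]}
    return [v for v in table[field] if v is not None]

_CMP = re.compile(r"^(ip\.(?:addr|src|dst))\s*(==|!=)\s*([\d.]+)$")

def evaluate(expr: str, pkt: Packet) -> bool:
    """Return True when the packet matches the filter expression."""
    expr = expr.strip()
    if expr.startswith("!(") and expr.endswith(")"):      # logical negation
        return not evaluate(expr[2:-1], pkt)
    m = _CMP.match(expr)
    if m:
        field, op, value = m.groups()
        vals = field_values(pkt, field)
        if op == "==":
            return any(v == value for v in vals)
        # Pre-4.0 Wireshark semantics: "!=" is true if ANY instance differs.
        return any(v != value for v in vals)
    if re.fullmatch(r"[a-z]+", expr):                     # bare protocol name
        return pkt.proto == expr
    raise ValueError(f"unsupported filter: {expr!r}")

def apply_filter(expr: str, capture: List[Packet] = CAPTURE) -> List[Packet]:
    """Packets of the capture that the display filter would show."""
    return [p for p in capture if evaluate(expr, p)]

if __name__ == "__main__":
    for f in ("ip.addr == 10.0.0.5", "ip.addr != 10.0.0.5", "!(ip.addr == 10.0.0.5)", "dns"):
        print(f"{f:28} -> {len(apply_filter(f))} packet(s)")
```

Running it shows that ip.addr != 10.0.0.5 still returns the two DNS packets involving 10.0.0.5 (their other address differs), while !(ip.addr == 10.0.0.5) returns only the TCP and ARP packets, which is the exclusion the filter was meant to express.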
TCPDUMP
TCPDUMP is a command-line tool used in the terminal to capture traffic from all the layers of the OSI model. It also provides many options for filtering and processing the information it gathers.
Commands in the tcpdump tool:
1- To capture packets normally without any filter we use: tcpdump -i <interface> -v
a. -i specifies the interface to listen on, given directly after it.
b. -v stands for verbose, which makes tcpdump print more detail about each packet in the terminal.
2- To capture packets coming from or going to a specific host we use: tcpdump -i <interface> -v host <hostname or address>
3- To capture packets with a specific source or destination we use: tcpdump -i <interface> -v src <address> or tcpdump -i <interface> -v dst <address>
4- To combine filters we use the following syntax: tcpdump -i <interface> -v <first filter> and <second filter>
5- To capture an entire network or a subnet of it we use: tcpdump -i <interface> -v net <network range>, for example net 192.168.1.0/24
6- To capture the data of a specific protocol we use: tcpdump -i <interface> -v <protocol>
7- To capture the data of a specific port we use: tcpdump -i <interface> -v port <number>
8- To capture the data of a specific source or destination port we use: tcpdump -i <interface> -v src port <number> or tcpdump -i <interface> -v dst port <number>
9- To save the capture to a pcap file instead of printing it on the screen we use: tcpdump -w <file.pcap> -i <interface> -v <any filter you want>
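Wireshark's capture filters (first section) and tcpdump's expressions are the same BPF syntax, so the nine commands above are really one command with different filter pieces joined by "and". The added example below (not code from the original notes or from the tcpdump project) assembles that command line from named pieces and validates each value before it reaches the shell, so a host name or port copied from a ticket cannot smuggle extra shell syntax into the capture. The -nn option is a real tcpdump option (do not resolve names or ports); the function names, the accepted protocol list and the example values are the example's own assumptions.

```python
"""Added example: build a validated tcpdump command line from the filter
pieces listed above (host, src, dst, net, protocol, port, src/dst port,
-w output file). Not tcpdump code; function names are hypothetical."""
import ipaddress
import re
import shlex
from typing import List, Optional

_HOSTNAME = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")
# Protocol keywords accepted here (an assumption for the example; tcpdump knows more).
_PROTOCOLS = {"ip", "ip6", "tcp", "udp", "icmp", "arp"}

def _checked_host(value: str) -> str:
    """Accept an IP address or a plain host name, reject anything else."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        if _HOSTNAME.match(value):
            return value
        raise ValueError(f"not a host name or IP address: {value!r}")

def _checked_port(value) -> int:
    port = int(value)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {value!r}")
    return port

def capture_filter(host: Optional[str] = None, src: Optional[str] = None,
                   dst: Optional[str] = None, net: Optional[str] = None,
                   proto: Optional[str] = None, port=None,
                   src_port=None, dst_port=None) -> str:
    """Compose a BPF expression; every given piece is joined with 'and' (item 4)."""
    parts: List[str] = []
    for keyword, value in (("host", host), ("src", src), ("dst", dst)):
        if value is not None:
            parts.append(f"{keyword} {_checked_host(value)}")
    if net is not None:                                   # item 5
        parts.append(f"net {ipaddress.ip_network(net, strict=False)}")
    if proto is not None:                                 # item 6
        if proto not in _PROTOCOLS:
            raise ValueError(f"unsupported protocol: {proto!r}")
        parts.append(proto)
    for keyword, value in (("port", port), ("src port", src_port), ("dst port", dst_port)):
        if value is not None:                             # items 7 and 8
            parts.append(f"{keyword} {_checked_port(value)}")
    return " and ".join(parts)

def tcpdump_argv(interface: str, outfile: Optional[str] = None,
                 verbose: bool = True, **filter_kwargs) -> List[str]:
    """argv list for tcpdump; the filter is passed as one argument, never via a shell."""
    if not re.fullmatch(r"[A-Za-z0-9_.:-]+", interface):
        raise ValueError(f"suspicious interface name: {interface!r}")
    argv = ["tcpdump", "-nn", "-i", interface]
    if verbose:
        argv.append("-v")                                 # item 1b
    if outfile is not None:
        argv += ["-w", outfile]                           # item 9
    expr = capture_filter(**filter_kwargs)
    if expr:
        argv.append(expr)
    return argv

if __name__ == "__main__":
    # Print a copy-pasteable command instead of running it (tcpdump needs root).
    argv = tcpdump_argv("eth0", outfile="dns.pcap", verbose=False,
                        net="192.168.1.0/24", proto="udp", dst_port=53)
    print(shlex.join(argv))
```

The command for the example in main is tcpdump -nn -i eth0 -w dns.pcap 'net 192.168.1.0/24 and udp and dst port 53'. Passing the expression as one argv element (or quoting it, as shlex.join does) keeps the whole filter together; the validators turn a malformed host, port or interface into a ValueError before anything is executed.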