Tools & Cheatsheets

Wireshark & tcpdump Cheatsheet

Mar 10, 2025
5 min read
lawbyte

Network traffic analysis is essential for understanding protocols, capturing credentials in transit, and diagnosing network segmentation. Wireshark gives you a GUI; tcpdump gives you CLI speed and scripting.

tcpdump — Quick Reference

Basic Capture

# List interfaces
tcpdump -D

# Capture on interface
tcpdump -i eth0

# Capture to file
tcpdump -i eth0 -w capture.pcap

# Read pcap file
tcpdump -r capture.pcap

# Verbose output
tcpdump -i eth0 -v # verbose
tcpdump -i eth0 -vv # more verbose
tcpdump -i eth0 -vvv # most verbose

# Show packet data in hex + ASCII
tcpdump -i eth0 -X

# Show absolute sequence numbers
tcpdump -i eth0 -S

# Don't resolve hostnames/ports (faster)
tcpdump -i eth0 -n # no DNS
tcpdump -i eth0 -nn # no DNS, no port names

# Limit capture count
tcpdump -i eth0 -c 1000

# Capture all interfaces
tcpdump -i any

Capture Filters (BPF syntax)

# By host
tcpdump -i eth0 host 192.168.1.100
tcpdump -i eth0 src host 192.168.1.100
tcpdump -i eth0 dst host 192.168.1.100

# By network
tcpdump -i eth0 net 192.168.1.0/24
tcpdump -i eth0 src net 10.0.0.0/8

# By port
tcpdump -i eth0 port 80
tcpdump -i eth0 port 80 or port 443
tcpdump -i eth0 portrange 8080-8090

# By protocol
tcpdump -i eth0 tcp
tcpdump -i eth0 udp
tcpdump -i eth0 icmp
tcpdump -i eth0 arp

# Combinations
tcpdump -i eth0 host 192.168.1.100 and port 443
tcpdump -i eth0 src 192.168.1.5 and dst port 80
tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0' # packets with SYN or FIN set (either flag)

# Capture DNS (put options before the filter expression; BSD/macOS tcpdump rejects them after it)
tcpdump -i eth0 -vvv port 53

# HTTP traffic
tcpdump -i eth0 -A port 80 # print ASCII

# Exclude traffic
tcpdump -i eth0 not port 22
tcpdump -i eth0 not host 8.8.8.8

# Capture specific TCP flags
tcpdump -i eth0 'tcp[13] = 0x02' # SYN packets only
tcpdump -i eth0 'tcp[13] & 4 != 0' # RST packets
tcpdump -i eth0 'tcp[13] & 8 != 0' # PSH packets
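The byte-offset filters above (`tcp[13]`, `tcp[tcpflags]`) read the flags byte of the TCP header, so it helps to see that arithmetic done by hand. The Python script below is an added example, not code from the original cheatsheet: it constructs a few Ethernet/IPv4/TCP frames, wraps them in the classic pcap layout that `tcpdump -w` writes and `-r` reads, then re-parses the file and applies the three flag tests from this section. One frame carries IPv4 options, the case that moves the TCP header and is why the filter cannot use a fixed offset from the start of the packet. All addresses, ports and helper names are constructed for the example.

```python
import struct
from typing import Callable, Iterator, List, Optional

# TCP flag bits as they sit in byte 13 of the TCP header: tcpdump's tcp[13]
# and tcp[tcpflags] read exactly this byte.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps

def _ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))

def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int,
                flags: int, ip_options: bytes = b"") -> bytes:
    """Construct an Ethernet II / IPv4 / TCP frame, no payload, checksums left zero.

    ip_options lengthens the IPv4 header: the TCP header is then no longer at a
    fixed offset from the packet start, which a flags filter has to survive.
    """
    if len(ip_options) % 4:
        raise ValueError("IP options must pad to a multiple of 4 bytes")
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ihl = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(tcp),
                     0, 0, 64, 6, 0, _ip_bytes(src_ip), _ip_bytes(dst_ip)) + ip_options
    eth = bytes(12) + b"\x08\x00"  # zeroed MACs, EtherType 0x0800 = IPv4
    return eth + ip + tcp

def write_pcap(frames: List[bytes]) -> bytes:
    """Serialise frames in the classic pcap layout that `tcpdump -w` produces."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        # record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

def iter_pcap(data: bytes) -> Iterator[bytes]:
    """Yield frames from a classic pcap blob, whichever byte order wrote it."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        order = "<"
    elif magic == 0xD4C3B2A1:
        order = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    offset = 24
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(order + "IIII", data, offset)
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len

def tcp_flags_byte(frame: bytes) -> Optional[int]:
    """Return the TCP flags byte, honouring the IPv4 header length (IHL) as BPF does.

    Returns None for anything that is not IPv4/TCP. tcpdump's tcp[n] filters
    likewise match IPv4 only, the caveat to remember on dual-stack networks.
    """
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 6:  # IPv4 protocol field: 6 = TCP
        return None
    tcp_start = 14 + ihl
    if len(frame) < tcp_start + 14:
        return None
    return frame[tcp_start + 13]

# The section's three flag tests, written over that same byte:
def syn_only(frame: bytes) -> bool:  # tcp[13] = 0x02 (SYN set, nothing else)
    f = tcp_flags_byte(frame)
    return f is not None and f == TCP_SYN

def has_rst(frame: bytes) -> bool:  # tcp[13] & 4 != 0
    f = tcp_flags_byte(frame)
    return f is not None and (f & TCP_RST) != 0

def syn_or_fin(frame: bytes) -> bool:  # tcp[tcpflags] & (tcp-syn|tcp-fin) != 0
    f = tcp_flags_byte(frame)
    return f is not None and (f & (TCP_SYN | TCP_FIN)) != 0

def matching_frames(data: bytes, predicate: Callable[[bytes], bool]) -> List[str]:
    """Return 'src>dst' for every frame in the pcap that the predicate accepts."""
    hits = []
    for frame in iter_pcap(data):
        if predicate(frame):
            src = ".".join(map(str, frame[26:30]))
            dst = ".".join(map(str, frame[30:34]))
            hits.append(f"{src}>{dst}")
    return hits

# Constructed capture: a SYN, its SYN/ACK, a RST, a FIN carried behind four
# IPv4 NOP options, and a data push. Addresses are made up for the example.
SAMPLE_PCAP = write_pcap([
    build_frame("10.0.0.5", "10.0.0.9", 40000, 80, TCP_SYN),
    build_frame("10.0.0.9", "10.0.0.5", 80, 40000, TCP_SYN | TCP_ACK),
    build_frame("10.0.0.9", "10.0.0.5", 80, 40000, TCP_RST | TCP_ACK),
    build_frame("10.0.0.5", "10.0.0.9", 40000, 80, TCP_FIN | TCP_ACK, ip_options=b"\x01" * 4),
    build_frame("10.0.0.5", "10.0.0.9", 40000, 80, TCP_PSH | TCP_ACK),
])

if __name__ == "__main__":
    print("tcp[13] = 0x02    ->", matching_frames(SAMPLE_PCAP, syn_only))
    print("tcp[13] & 4 != 0  ->", matching_frames(SAMPLE_PCAP, has_rst))
    print("SYN or FIN        ->", matching_frames(SAMPLE_PCAP, syn_or_fin))
```

The SYN/ACK from the server fails `tcp[13] = 0x02` because the equality test demands that no other flag is set, while the FIN behind the IP options still matches the SYN-or-FIN test because the header length is read from the IHL nibble rather than assumed. The pcap-filter man page states the same IPv4-only limitation for `tcp[]` that `tcp_flags_byte` enforces by returning None on non-IPv4 frames.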

Useful Capture Combinations

# Capture credentials from HTTP (-l line-buffers stdout so grep sees lines as they arrive)
tcpdump -l -i eth0 -A port 80 | grep -i "authorization\|password\|pass\|user\|login"

# Capture SMTP traffic
tcpdump -i eth0 -A 'port 25 or port 587 or port 465'

# Monitor for new connections to a host
tcpdump -i eth0 'tcp[tcpflags] & tcp-syn != 0 and dst host TARGET_IP'

# Capture NTLMv2 hashes (SMB)
tcpdump -i eth0 -w smb.pcap port 445

# Capture FTP credentials
tcpdump -i eth0 -A port 21

# Rotating capture files (the strftime pattern in the filename stamps each file)
tcpdump -i eth0 -w 'capture_%Y%m%d_%H%M%S.pcap' -G 3600 -C 100
# -G 3600 = rotate every hour
# -C 100 = max 100MB per file

Wireshark Display Filters

Protocol Filters

# Basic protocols
http
tls # HTTPS (older Wireshark versions name the dissector ssl)
dns
tcp
udp
icmp
arp
smb
smb2
ftp
smtp
pop
imap
ssh
rdp
kerberos
ldap

IP / Network Filters

# Source/destination IP
ip.src == 192.168.1.100
ip.dst == 192.168.1.100
ip.addr == 192.168.1.100 # src OR dst

# Subnet
ip.src == 192.168.1.0/24
ip.addr == 10.0.0.0/8

# IPv6
ipv6.src == ::1
ipv6.addr == fe80::/10

TCP / UDP Filters

# Port
tcp.port == 80
tcp.dstport == 443
tcp.srcport == 1234
udp.port == 53

# TCP flags
tcp.flags.syn == 1 # SYN packets
tcp.flags.reset == 1 # RST packets
tcp.flags.syn == 1 and tcp.flags.ack == 0 # SYN only (new connections)

# TCP stream
tcp.stream eq 5 # follow specific stream

# Retransmissions / anomalies
tcp.analysis.retransmission
tcp.analysis.duplicate_ack
tcp.analysis.zero_window

HTTP Filters

# HTTP methods
http.request.method == "POST"
http.request.method == "GET"
http.request.method == "PUT"

# URI / paths
http.request.uri contains "/admin"
http.request.uri matches ".*\\.php"

# Response codes
http.response.code == 200
http.response.code == 302
http.response.code >= 400

# Headers
http.host contains "target.com"
http.cookie contains "session"
http.authorization # show auth headers
http.request.full_uri # show full URL

# Body content
http contains "password"
http.request.line contains "login"

Credential Extraction

# HTTP Basic Auth
http.authorization
# Then decode: base64 decode the "Basic XXXX" part

# FTP
ftp.request.command == "PASS"
ftp.request.command == "USER"

# SMTP auth
smtp.req.command == "AUTH" # the mechanism and credentials follow in smtp.req.parameter

# Telnet (cleartext)
telnet

# HTTP forms (POST data)
urlencoded-form
http.request.method == "POST" and urlencoded-form

# Follow stream: right-click packet → Follow → TCP Stream

DNS Filters

dns.qry.name contains "target.com"
dns.resp.name contains "target.com"
dns.flags.rcode != 0 # DNS errors
dns.qry.type == 1 # A records
dns.qry.type == 28 # AAAA records
dns.qry.type == 16 # TXT records (DNS exfil)

TLS / SSL Filters

tls.handshake.type == 1 # Client Hello
tls.handshake.type == 2 # Server Hello
tls.handshake.extensions_server_name # SNI (hostname in handshake)
tls.record.content_type == 21 # Alert

# Find handshakes (to see target domains even in encrypted traffic)
tls.handshake.extensions_server_name contains "target.com"

Wireshark — Useful Features

Statistics & Analysis

Statistics → Protocol Hierarchy # see all protocols in capture
Statistics → Conversations # list all TCP/UDP conversations
Statistics → Endpoints # all IPs in capture
Statistics → HTTP → Requests # all HTTP requests
Statistics → DNS # DNS query analysis
Analyze → Expert Information # errors, retransmissions, anomalies

Extracting Files

File → Export Objects → HTTP # extract files transferred over HTTP
File → Export Objects → SMB # extract files from SMB transfer
File → Export Objects → DICOM
File → Export Objects → IMF # email attachments

# Command line with tshark
tshark -r capture.pcap --export-objects http,/tmp/extracted_http/

Decrypt TLS with Session Keys

# Browser: export SSLKEYLOGFILE=/tmp/ssl.log, then start Firefox/Chrome from that same shell
# (the variable must be in the browser's environment; an already-running browser will not pick it up)
# Then set in Wireshark:
# Edit → Preferences → Protocols → TLS → (Pre)-Master-Secret log file
# Point to ssl.log

# Or if you have the server private key:
# Edit → Preferences → Protocols → TLS → RSA Keys List → Add
# (only works for non-PFS cipher suites)

tshark — Command Line Wireshark

# List interfaces
tshark -D

# Capture with filter
tshark -i eth0 -f "port 80" -w output.pcap

# Read and filter
tshark -r capture.pcap -Y 'http.request.method == "POST"'

# Extract fields
tshark -r capture.pcap -Y http.request -T fields -e http.host -e http.request.uri
tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name | sort -u

# Extract credentials
tshark -r capture.pcap -Y "http.authorization" -T fields -e http.authorization

# HTTP requests summary
tshark -r capture.pcap -Y "http.request" -T fields \
-e frame.time -e ip.src -e ip.dst -e http.request.method -e http.request.full_uri

# Follow TCP stream (stream 0)
tshark -r capture.pcap -q -z follow,tcp,ascii,0

# Protocol statistics
tshark -r capture.pcap -q -z io,phs

# Export HTTP objects
tshark -r capture.pcap --export-objects http,/tmp/http_objects/

# Live capture + filter + display
tshark -i eth0 -Y 'http.request.method == "POST"' -T fields \
-e ip.src -e http.host -e http.request.uri -e urlencoded-form.value

Common Analysis Scenarios

# Find all hosts on network (from arp/icmp)
tshark -r capture.pcap -Y arp -T fields -e arp.src.proto_ipv4 | sort -u

# Identify scanning activity (many SYN packets from one source)
tshark -r capture.pcap -Y "tcp.flags.syn==1 and tcp.flags.ack==0" \
-T fields -e ip.src -e ip.dst -e tcp.dstport | sort | uniq -c | sort -rn
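The `sort | uniq -c` pipeline above counts raw SYNs, so a client stuck retrying one connection ranks as high as a scanner. The Python below is an added example, not part of the cheatsheet: it reads the same tab-separated `-T fields` output that command emits and counts distinct destination:port targets per source instead, which is the signal that separates a port scan from a retry storm. The sample lines are constructed, and `min_targets` is an assumed threshold to tune for your own network.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed stand-in for the output of
#   tshark -r capture.pcap -Y "tcp.flags.syn==1 and tcp.flags.ack==0" \
#       -T fields -e ip.src -e ip.dst -e tcp.dstport
# Fields are tab-separated, one line per SYN. Here 10.0.0.5 probes six distinct
# services while 10.0.0.7 merely retries one connection to 443 three times.
# The last line mimics an IPv6 SYN, for which ip.src and ip.dst come out empty.
SAMPLE_TSHARK_OUTPUT = """\
10.0.0.5\t10.0.0.9\t22
10.0.0.5\t10.0.0.9\t80
10.0.0.5\t10.0.0.9\t443
10.0.0.5\t10.0.0.9\t445
10.0.0.5\t10.0.0.9\t3389
10.0.0.5\t10.0.0.10\t22
10.0.0.7\t10.0.0.9\t443
10.0.0.7\t10.0.0.9\t443
10.0.0.7\t10.0.0.9\t443
\t\t443
"""

def parse_syn_lines(text: str) -> List[Tuple[str, str, int]]:
    """Parse -T fields lines into (src, dst, dport).

    Lines with an empty field are skipped rather than miscounted; a port field
    holding several comma-joined values (tunnelled packets) keeps the first.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or not all(parts):
            continue
        src, dst, port = parts
        rows.append((src, dst, int(port.split(",")[0])))
    return rows

def syn_scan_candidates(text: str, min_targets: int = 5) -> List[Tuple[str, int]]:
    """Rank sources by the number of distinct (dst, port) targets they sent SYNs to.

    min_targets is an assumed threshold: sources below it are not reported.
    """
    targets: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for src, dst, port in parse_syn_lines(text):
        targets[src].add((dst, port))
    ranked = sorted(((src, len(t)) for src, t in targets.items()),
                    key=lambda item: (-item[1], item[0]))
    return [(src, n) for src, n in ranked if n >= min_targets]

if __name__ == "__main__":
    for src, n in syn_scan_candidates(SAMPLE_TSHARK_OUTPUT):
        print(f"{src}: SYNs to {n} distinct host:port targets")
```

To run it on a real capture, pipe the tshark command into the script's stdin and call `syn_scan_candidates(sys.stdin.read())`; the retrying client on 10.0.0.7 produces three SYN lines but only one target, so it drops out at any threshold above 1.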

# DNS exfiltration detection (long subdomain labels)
tshark -r capture.pcap -Y dns -T fields -e dns.qry.name | \
awk 'length($0) > 50' | sort -u
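The `awk 'length($0) > 50'` check above looks only at the total name length. As an added example that is not from the original page, the Python below applies that length rule to the longest label and adds a second signal, the Shannon entropy of that label, because encoded exfiltration chunks can be short but are uniformly high-entropy. The query names are constructed, and the thresholds are assumptions that need a baseline from your own DNS traffic; the descriptive hostname in the sample shows why, since it gets flagged as soon as the entropy gate is loosened.

```python
import math
from collections import Counter
from typing import Dict, List

def shannon_entropy(s: str) -> float:
    """Bits per character: encoded payloads sit near log2(alphabet size),
    i.e. up to 4.0 for hex and 5.0 for base32; 0.0 for a single repeated char."""
    n = len(s)
    if n == 0:
        return 0.0
    return sum(-(c / n) * math.log2(c / n) for c in Counter(s).values())

def analyze_qname(name: str, max_label: int = 50, entropy_label: int = 30,
                  min_entropy: float = 4.0) -> Dict[str, object]:
    """Score one dns.qry.name value.

    Two signals: the longest label exceeds max_label (the awk rule, applied per
    label), or it is at least entropy_label long and at or above min_entropy.
    All three thresholds are assumptions; the defaults keep the descriptive
    hostname in the sample below unflagged.
    """
    labels = name.rstrip(".").lower().split(".")
    longest = max(labels, key=len)
    ent = shannon_entropy(longest)
    suspicious = len(longest) > max_label or (len(longest) >= entropy_label and ent >= min_entropy)
    return {"name": name, "longest_label": longest, "longest_len": len(longest),
            "entropy": round(ent, 2), "suspicious": suspicious}

def suspicious_queries(names: List[str], **thresholds) -> List[str]:
    """Names worth a look, in input order. Keyword args override the thresholds."""
    return [name for name in names if analyze_qname(name, **thresholds)["suspicious"]]

# Constructed sample of dns.qry.name output (not real traffic): the 32-character
# label is a made-up base32-looking string, the 52-character one a flat run of 'a'.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "mfrggzdfmztwq2lknnwg23tpobyxe43u.tunnel.example.net",
    "a" * 52 + ".long.example.net",
    "long-descriptive-hostname-01.corp.example.com",
    "cdn-assets-1.static.example.com",
]

if __name__ == "__main__":
    for name in SAMPLE_QUERIES:
        r = analyze_qname(name)
        flag = "!" if r["suspicious"] else " "
        print(f"{flag} len={r['longest_len']:>2} H={r['entropy']:.2f}  {name}")
```

With the defaults, the encoded label is caught by entropy and the 52-character run by length alone (its entropy is 0.0, which is why length stays a separate rule). Dropping to `entropy_label=20, min_entropy=3.5` also flags `long-descriptive-hostname-01`, whose 28 characters of ordinary English score above 4 bits per character: natural text is not low-entropy, so an entropy gate needs a length gate and a baseline behind it.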

# Extract all URLs
tshark -r capture.pcap -Y http.request -T fields -e http.request.full_uri 2>/dev/null

# Find oversized TCP segments (tcp.len is per segment, so it only exceeds the MSS when the capture
# was taken on a host with segmentation offload; for per-flow byte totals use Statistics → Conversations)
tshark -r capture.pcap -Y "tcp.len > 10000" \
-T fields -e ip.src -e ip.dst -e tcp.len

# SMB file access
tshark -r capture.pcap -Y "smb2.filename" -T fields -e smb2.filename | sort -u
