Read a pcap
-r read a file
sudo tcpdump -r password_cracking_filtered.pcap
Capture traffic
-i choose interface
sudo tcpdump -i tun0 icmp
Filter by src/dst host
tcpdump -n <src/dst> host 172.16.161.129 -r password_cracking.pcap
Filter by Port
tcpdump -n port 8080 -r password_cracking.pcap
HEX output
sudo tcpdump -nX -r password_cracking_filtered.pcap
Filter by Data Packets
Excluding the SYN and ACK packets that make up the three-way handshake leaves only the segments with the PSH and ACK flags set, which are the ones carrying data. Byte 13 of the TCP header holds the flags, and PSH (0x08) + ACK (0x10) = 24:
sudo tcpdump -A -n 'tcp[13] = 24' -r password_cracking_filtered.pcap
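To make the `tcp[13] = 24` test concrete, here is an added example (not from the original cheat sheet) that builds a few TCP headers in pure Python, reads the flags byte the way the BPF expression does, and compares the exact match with a masked match (`tcp[13] & 24 = 24`). The ports, sequence numbers and the 20-byte option-less header layout are constructed for illustration.

```python
import struct

# Bit values of the TCP flags byte, i.e. tcp[13] in tcpdump/BPF notation.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}
PSH_ACK = TCP_FLAGS["PSH"] | TCP_FLAGS["ACK"]   # 0x18 == 24


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0):
    """Constructed 20-byte TCP header with no options (data offset = 5 words).

    Layout: sport, dport, seq, ack, offset/flags, window, checksum, urgent ptr.
    Byte 12 carries the data offset, byte 13 carries the eight flag bits.
    """
    offset_flags = (5 << 12) | (flags & 0xFF)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_flags, 65535, 0, 0)


def tcp_flags(tcp_header):
    """Same byte the filter 'tcp[13]' indexes: the TCP flags byte."""
    return tcp_header[13]


def flag_names(value):
    """Human-readable names for a flags byte, e.g. 24 -> ['PSH', 'ACK']."""
    return [name for name, bit in TCP_FLAGS.items() if value & bit]


def matches_exact(tcp_header, wanted=PSH_ACK):
    """'tcp[13] = 24': flags byte must be exactly PSH+ACK, nothing else."""
    return tcp_flags(tcp_header) == wanted


def matches_mask(tcp_header, wanted=PSH_ACK):
    """'tcp[13] & 24 = 24': PSH and ACK set, other flags (URG, ECE, CWR) allowed."""
    return tcp_flags(tcp_header) & wanted == wanted


def classify(headers, matcher=matches_exact):
    """Return the flag names of every header the chosen filter would keep."""
    return [flag_names(tcp_flags(h)) for h in headers if matcher(h)]


# Constructed sample: a three-way handshake followed by two data segments.
SAMPLE = [
    build_tcp_header(40000, 8080, TCP_FLAGS["SYN"]),                        # SYN
    build_tcp_header(8080, 40000, TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"]),     # SYN+ACK
    build_tcp_header(40000, 8080, TCP_FLAGS["ACK"]),                        # ACK
    build_tcp_header(40000, 8080, PSH_ACK),                                 # PSH+ACK
    build_tcp_header(40000, 8080, PSH_ACK | TCP_FLAGS["URG"]),              # PSH+ACK+URG
]
```

Running `classify(SAMPLE)` keeps only the plain PSH+ACK segment, while `classify(SAMPLE, matches_mask)` also keeps the PSH+ACK+URG one; remember that a sender is not required to set PSH on every data segment, so an ACK-only packet can still carry a payload that this filter drops.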