Questions tagged [pcap]

The Packet Capture library provides a high level interface to packet capture systems.

All packets on the network, even those destined for other hosts, are accessible through this mechanism. It also supports saving captured packets to a savefile, and reading packets from a savefile.

http://www.tcpdump.org/manpages/pcap.3pcap.html

35 questions
23 votes, 2 answers

How to passively capture from Unix domain sockets (AF_UNIX socket monitoring)?

TCP/IP and UDP captures can be made using tcpdump/dumpcap and produce a pcap/pcapng file which can be fed to Wireshark for further analysis. Does a similar tool exist for named Unix domain sockets? (A general solution that works for abstract…
Lekensteyn
8 votes, 1 answer

Find username and password in pcap file

I am completing an assignment where I am given a pcap file to extract data from. The question is, Find username and password in pcap file. This is what I have so far. $ tshark -r assign1.pcap -R 'smtp' -2 | awk '{if($9=="334") print $10}' | base64…
DisplayName9
7 votes, 1 answer

"tail -f" using "tcpdump -r"

To display the content of a pcap file, we use: tcpdump -r /Path/to/syscontection.pcap; however, this command line does not follow the pcap file in real time, like tail -f, which follows a plain text file. Is there an option with tcpdump which acts like…
Abdennour TOUMI
4 votes, 1 answer

Snort PCAP file analysing doesn't write to alert file

I'm using snort in my Ubuntu 14.04 virtual machine. This is how I installed snort: sudo apt-get update; sudo apt-get install snort. I haven't changed /etc/snort/snort.conf or the rules file. They remain as the default and I did PCAP reading using…
A.M.N.Bandara
2 votes, 4 answers

Why is tcpdump output file empty?

On my Red Hat Enterprise Linux Server release 6.5 when saving a tcpdump capture to a file with the -w option, the resulting file is empty: [root@plop ~]# tcpdump -n -w tcpdump.cap listening on eth0, link-type EN10MB (Ethernet), capture size 65535…
sdabet
2 votes, 0 answers

Replay pcap on local machine only

RHEL 6.5. I have a capture of UDP packets, generated this way: tcpdump -nnXs 0 -i eth1 udp port 26477 and dst 233.86.230.111 -w ITCH.pcap I've moved this file over to a dev VM, and want to replay it through my server for debugging. My server does…
John Dibling
2 votes, 1 answer

dsniff is unable to read wireshark pcap file

To try DSNIFF with the -p option (getting passwords from a pcap): first I've captured packets of my open access point with airodump-ng and saved them to a pcap file, and dsniff worked easily with no error. But now I am trying to capture with wireshark and…
WiFry
1 vote, 0 answers

Issues with BPF filters and 6to4 traffic

I have a pcap file captured with tcpdump: tcpdump -w out.pcap -ni eno1 host 192.88.99.1 I can view the pcap: rful011@secmonprd13:~$ tcpdump -nr out.pcap -tttt | head reading from file andy.tcpd, link-type EN10MB (Ethernet) 2023-04-11 11:54:52.046310…
Russell Fulton
1 vote, 1 answer

Can `tcpdump ether host` filter with a mask to get, for example, hosts with a specific OUI?

I'm trying to filter traffic by src ether host to see all devices with a specific MAC prefix. If this were like IP, it might filter with src ether host aa:bb:cc:00:00:00/24 to see OUIs matching aa:bb:cc... but it doesn't like that. Is there a way…
KJ7LNW
1 vote, 1 answer

GeoIP not working when processing PCAP with tshark as su

I am working with lots of PCAP files and trying to convert them into .tsv files for tabular analysis. So I'm using tshark in a Ubuntu 22 VirtualBox machine to dissect each packet. I have a bash command that I use within a for loop to process each…
CopyOfA
1 vote, 1 answer

How do I generate a Snort pcap file?

I am new to using snort and still learning in university. I am wondering after I find an intrusion how can I log it and save it as a pcap file? What would the syntax look like to do this? So I can analyze it further with Wireshark. I am doing what…
Albion69
1 vote, 1 answer

How to send pcap file to ethernet

I have a pcap file and need to send it to a specific interface. How can I do it?
PersianGulf
1 vote, 1 answer

TShark pcap filter command possibly simplified?

Object: to find the IP addresses of HTTP servers in a pcap file with a specific header string. Can or should the -l option to flush be used? One way: the following was done but am wondering if it can be shortened. If this question is too broad,…
stonetwigger
1 vote, 0 answers

Turning ethernet on/off

I am porting a DOS application to Linux and don't know a hell of a lot about Linux. The application is a machine controller which uses ethernet as a high-speed serial port. Networking has nothing to do with it; the computer and machine just…
mikesixes
1 vote, 1 answer

How to extract domains related to "Client Hello" in a pcap file

I have a tcpdump (pcap) capture file and want to extract all domains. I do it with the following command: strings capture_file | grep -oiE '([a-zA-Z0-9][a-zA-Z0-9-]{1,61}\.){1,}(\.?[a-zA-Z]{2,}){1,}' | sort -u > out But I want to extract only those…
acgbox