← All Cheatsheets

network-pentest

Wireshark & TCPDump — Packet Analysis

Capture and analyze network traffic with Wireshark and TCPDump for credential interception and protocol analysis.

10 views Apr 2026 lazyhackers

TCPDump — Capture (12)

tcpdump -i eth0

Capture all traffic on eth0

capture basic

tcpdump -i any

Capture on all interfaces

capture

tcpdump -i eth0 -w capture.pcap

Save capture to PCAP file

capture save

tcpdump -i eth0 -w capture.pcap -s 0

Full packet capture (no truncation)

capture full

tcpdump -i eth0 host 10.10.10.1

Capture traffic to/from specific host

filter host

tcpdump -i eth0 port 80

Capture HTTP traffic only

filter http

tcpdump -i eth0 port 443

Capture HTTPS/TLS traffic

filter https tls

tcpdump -i eth0 "port 21 or port 23 or port 110"

Capture FTP/Telnet/POP3 (cleartext creds)

filter credentials

tcpdump -i eth0 -nn src net 192.168.1.0/24

Capture from subnet, no DNS resolve

filter subnet

tcpdump -i eth0 -A port 80

Print HTTP payload as ASCII

http payload ascii

tcpdump -i eth0 -X port 80 | head -100

Print hex+ASCII payload for HTTP

http hex

tcpdump -r capture.pcap

Read and analyze saved PCAP file

read pcap

Wireshark Display Filters (12)

http

Show only HTTP traffic

wireshark http

http.request.method == "POST"

Show only HTTP POST requests

wireshark http post

ip.addr == 10.10.10.1

Show traffic to/from IP

wireshark filter ip

tcp.port == 4444

Show traffic on specific port

wireshark filter port

tcp.flags.syn == 1 && tcp.flags.ack == 0

Show only SYN packets (new connections)

wireshark tcp syn

http contains "password"

Find HTTP packets containing "password"

wireshark http credentials

ftp || telnet || pop || imap

Show cleartext credential protocols

wireshark credentials

dns

Show only DNS traffic

wireshark dns

smb || smb2

Show SMB traffic (NTLMv2 hashes)

wireshark smb ntlm

frame contains "NTLMSSP"

Find NTLM authentication frames

wireshark ntlm auth

!(arp or icmp or dns)

Exclude noise (ARP, ICMP, DNS)

wireshark filter noise

tcp.analysis.flags && !tcp.analysis.window_update

Show TCP issues (retransmissions, resets)

wireshark tcp issues

Wireshark CLI (tshark) (5)

tshark -i eth0 -w capture.pcap

Capture to PCAP via CLI

tshark capture

tshark -r capture.pcap -Y "http.request" -T fields -e ip.dst -e http.request.uri

Extract HTTP request URIs from PCAP

tshark http extract

tshark -r capture.pcap -Y "http.request.method==POST" -T fields -e tcp.payload

Extract POST data payloads

tshark http post

tshark -r capture.pcap -Y "ftp" -T fields -e ftp.request.command -e ftp.request.arg

Extract FTP credentials from capture

tshark ftp credentials

tshark -r capture.pcap --export-objects http,./exported/

Export all HTTP objects (files) from PCAP

tshark export files