# tcpdump

tcpdump is a CLI packet capture and inspection utility. A typical workflow is to look at packet headers first, then inspect the full packets with a second, more targeted command.

Look at the raw file:

```
# tcpdump -r password_cracking_filtered.pcap
```

Look at which IPs and ports are talking:

```
# tcpdump -n -r password_cracking_filtered.pcap | awk -F" " '{print $3}' | sort | uniq -c | head
```

- `-n`: skip DNS lookups
- `-r`: read from the capture file
- `awk`: print the 3rd field (the source `IP.port` column)
- `sort`, `uniq -c`: remove repeats and add a count
- `head`: display only the first 10 lines of output

What we saw was a single host making many requests (from many ephemeral source ports) to a single server on port 81.

![](/files/2kKtOr93cSne2ZgOQdTD)

We then want to drill down and see what else the capture shows.

Filter syntax, to narrow the traffic shown:

```
# tcpdump -n src host 172.16.40.10 -r password_cracking_filtered.pcap
# tcpdump -n dst host 172.16.40.10 -r password_cracking_filtered.pcap
# tcpdump -n port 81 -r password_cracking_filtered.pcap
```

Hex dump (`-X` prints each packet in hex and ASCII):

```
# tcpdump -nX -r password_cracking_filtered.pcap | less
```

![](/files/Nucg2OKi97tzSKZCZKCG)

Next we set up a filter that displays packets that have both the ACK and PSH flags set. The PSH (push) flag forces the stack to send the data immediately rather than waiting for a full buffer, and it is typically seen on the first and last packets of an HTTP request.

![](/files/nR4qn2bEzwuAhgZGVET7)

The TCP flags byte (byte 13 of the TCP header) holds the flags in the order CEUAPRSF (CWR, ECE, URG, ACK, PSH, RST, SYN, FIN). ACK and PSH set, with nothing else, is the bit pattern 00011000, which the shell converts to decimal:

```
# echo "$((2#00011000))"
24
```

```
# tcpdump -A -n 'tcp[13] = 24' -r password_cracking_filtered.pcap
```

- `-A`: print packets in ASCII
- `'tcp[13] = 24'`: match packets whose 14th TCP header byte (index 13, counting from zero) equals 24, i.e. exactly ACK+PSH set
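
As an added example (not from the original page), here is a small POSIX shell helper that builds the flag byte from the CEUAPRSF bit order used above and emits both the exact-match filter the page uses and a mask-match variant that still catches PSH+ACK segments carrying extra flags such as ECE or CWR; the function names are my own.

```shell
# Bit value of one flag in TCP header byte 13. The page's mnemonic CEUAPRSF
# is the bit order, most significant bit first: CWR ECE URG ACK PSH RST SYN FIN.
tcp_flag_bit() {
    case "$1" in
        CWR) echo 128 ;;
        ECE) echo 64 ;;
        URG) echo 32 ;;
        ACK) echo 16 ;;
        PSH) echo 8 ;;
        RST) echo 4 ;;
        SYN) echo 2 ;;
        FIN) echo 1 ;;
        *) echo "unknown flag: $1" >&2; return 1 ;;
    esac
}

# OR together the bits of every flag named on the command line.
# tcp_flag_byte ACK PSH -> 24, the value the page derives from 2#00011000.
tcp_flag_byte() {
    total=0
    for flag in "$@"; do
        bit=$(tcp_flag_bit "$flag") || return 1
        total=$(( total | bit ))
    done
    echo "$total"
}

# Exact match: byte 13 must equal the value, so ONLY these flags may be set.
# This is what the page's 'tcp[13] = 24' does; a PSH+ACK segment that also
# carries ECE/CWR (ECN) or URG would be missed by it.
exact_filter() {
    echo "tcp[13] = $(tcp_flag_byte "$@")"
}

# Mask match: these flags must be set, any other flag bits are ignored.
mask_filter() {
    v=$(tcp_flag_byte "$@") || return 1
    echo "tcp[13] & $v = $v"
}

# Decode a byte-13 value back into flag names: decode_flags 18 -> "ACK SYN".
decode_flags() {
    v=$1 out=""
    for name in CWR ECE URG ACK PSH RST SYN FIN; do
        bit=$(tcp_flag_bit "$name")
        if [ $(( v & bit )) -ne 0 ]; then out="$out${out:+ }$name"; fi
    done
    echo "$out"
}
```

Against the page's capture, `tcpdump -A -n "$(mask_filter ACK PSH)" -r password_cracking_filtered.pcap` keeps PSH+ACK segments even when ECN bits are also set. pcap-filter also accepts the named form `tcp[tcpflags] & (tcp-push|tcp-ack) = (tcp-push|tcp-ack)`, which avoids hand-computing the byte.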
