# SSH x tcpdump x wireshark

---

:pencil: : Ralph Wang
:mailbox: : enhanceralph@gmail.com

---

```shell
ssh -i /path/to/privatekey rpi4 tcpdump -i eth0 -U -w - 'not port 22' | wireshark -k -i -
```

---

## tcpdump parameters

---

- -i : interface
- -U : packet-buffered output; with `-w`, each packet is written as soon as it is saved instead of waiting for the output buffer to fill
- -w : write to file; `-w -` means write to stdout (pipe out)
- -s : snaplen (snapshot length)
- 'not port 22' : capture filter that excludes the SSH session carrying the capture

---

## wireshark parameters

---

- -k : start capturing immediately
- -i : input interface; `-i -` means the input is stdin (pipe in)

---

# nc x tcpdump x wireshark

---

## Case 1: Wireshark runs on the server

---

### Server side (receiver, displays in Wireshark)

```bash
nc -l -p 12345 | wireshark -k -i -
```

---

### Client side (sender, runs tcpdump)

```bash
tcpdump -i eth0.1 -w - | nc 192.168.2.99 12345
```

---

# Wireshark

## Filter WiFi Packet

| **802.11 Frame Type**      | **Description**                                                       | **Wireshark Filter**           |
| -------------------------- | --------------------------------------------------------------------- | ------------------------------ |
| **Management Frames**      | All 802.11 management frames                                          | `wlan.fc.type == 0`            |
| **Probe Request**          | Sent by clients to discover available networks                        | `wlan.fc.type_subtype == 0x04` |
| **Probe Response**         | Sent by APs in response to probe requests                             | `wlan.fc.type_subtype == 0x05` |
| **Beacon**                 | Periodic announcement from AP to advertise network presence           | `wlan.fc.type_subtype == 0x08` |
| **Authentication**         | Frame used to initiate authentication with an AP                      | `wlan.fc.type_subtype == 0x0b` |
| **Association Request**    | Request sent by a client to join a network                            | `wlan.fc.type_subtype == 0x00` |
| **Association Response**   | Response from the AP to a client's association request                | `wlan.fc.type_subtype == 0x01` |
| **Reassociation Request**  | Sent by a client to reconnect to an AP it was previously connected to | `wlan.fc.type_subtype == 0x02` |
| **Reassociation Response** | Response from the AP to a reassociation request                       | `wlan.fc.type_subtype == 0x03` |
| **Disassociation**         | Frame sent to terminate an association                                | `wlan.fc.type_subtype == 0x0a` |
| **Deauthentication**       | Frame sent to deauthenticate a client                                 | `wlan.fc.type_subtype == 0x0c` |
| **Action**                 | Frame used for specific actions (e.g., spectrum management)           | `wlan.fc.type_subtype == 0x0d` |
| **All Control Frames**     | All 802.11 control frames                                             | `wlan.fc.type == 1`            |
| **All Data Frames**        | All 802.11 data frames                                                | `wlan.fc.type == 2`            |

## WPA2 Decode

Wireshark -> Edit -> Preferences... -> Protocols -> IEEE 802.11 -> Decryption Keys -> Edit
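
The values in the "Filter WiFi Packet" table come from the first Frame Control byte of each 802.11 frame. The following added example (not part of the original notes) reads a pcap byte stream such as the one `tcpdump -w -` emits and counts frames per table entry, which is handy for spotting an unusual volume of deauthentication or disassociation frames. It assumes a little-endian classic pcap with link type 105 (raw 802.11 header, no radiotap); the function names and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

SUBTYPE_NAMES = {  # wlan.fc.type_subtype values from the filter table
    0x00: "Association Request", 0x01: "Association Response",
    0x02: "Reassociation Request", 0x03: "Reassociation Response",
    0x04: "Probe Request", 0x05: "Probe Response", 0x08: "Beacon",
    0x0a: "Disassociation", 0x0b: "Authentication",
    0x0c: "Deauthentication", 0x0d: "Action",
}
TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data"}  # wlan.fc.type

def type_subtype(frame: bytes) -> int:
    # First Frame Control byte: bits 2-3 are the type, bits 4-7 the subtype.
    return (((frame[0] >> 2) & 0x3) << 4) | (frame[0] >> 4)

def read_pcap(data: bytes):
    """Yield frames from a little-endian classic pcap byte stream."""
    magic, *_, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4 or linktype != 105:  # 105 = raw IEEE 802.11
        raise ValueError("expected little-endian pcap, linktype 105")
    off = 24  # size of the global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<I", data, off + 8)[0]
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            break  # last record truncated, e.g. stream cut mid-packet
        yield frame
        off += 16 + incl_len

def tally(data: bytes) -> Counter:  # counts by table name, else by type
    counts = Counter()
    for frame in filter(None, read_pcap(data)):  # skip empty records
        ts = type_subtype(frame)
        counts[SUBTYPE_NAMES.get(ts, TYPE_NAMES.get(ts >> 4, "Other"))] += 1
    return counts

def make_pcap(frames) -> bytes:  # builds the constructed sample capture
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 105)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

SAMPLE = make_pcap([fc + bytes(22) for fc in (  # constructed, not real traffic
    b"\x80\x00", b"\x40\x00", b"\xc0\x00", b"\xc0\x00",
    b"\xa0\x00", b"\x88\x01", b"\xd4\x00")])

if __name__ == "__main__":
    print(tally(SAMPLE).most_common())
```

Captures taken in monitor mode usually carry a radiotap header (link type 127) before the 802.11 header; this example rejects them rather than guessing the offset.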