# Packet Scanning

## tcpdump

```bash
# Basic capture
tcpdump -i eth0
tcpdump -c 100 -i eth0                    # Capture 100 packets
tcpdump -A -i eth0                         # Print packets in ASCII
tcpdump -XX -i eth0                        # Print packets in HEX and ASCII
tcpdump -w capture.pcap -i eth0            # Write to file
tcpdump -r capture.pcap                    # Read from file
tcpdump -n -i eth0                         # Don't resolve hostnames
tcpdump -nn -i eth0                        # Don't resolve hostnames or ports

# Filter by port/host
tcpdump -i eth0 port 22
tcpdump -i eth0 port 80 or port 443
tcpdump -i eth0 src 172.21.10.X
tcpdump -i eth0 dst 172.21.10.X
tcpdump -i eth0 host 10.10.10.10
tcpdump -i eth0 net 192.168.1.0/24

# Filter by protocol
tcpdump -i eth0 icmp
tcpdump -i eth0 tcp
tcpdump -i eth0 udp

# Complex filters
tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn) != 0'     # SYN packets
tcpdump -i eth0 'tcp[tcpflags] & (tcp-rst) != 0'     # RST packets
tcpdump -i eth0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'  # HTTP with data

# Capture credentials (unencrypted)
tcpdump -i eth0 -A port 21 or port 23 or port 110 or port 143

# Online service
https://packettotal.com/
```

## Wireshark / tshark

```bash
# CLI capture with tshark
tshark -i eth0                             # Basic capture
tshark -i eth0 -w capture.pcap             # Write to file
tshark -r capture.pcap                     # Read from file
tshark -i eth0 -f "port 80"                # Capture filter
tshark -r capture.pcap -Y "http"           # Display filter

# Extract specific fields
tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.port
tshark -r capture.pcap -Y "http.request" -T fields -e http.host -e http.request.uri

# Follow TCP streams
tshark -r capture.pcap -z follow,tcp,ascii,0

# Protocol statistics
tshark -r capture.pcap -z io,phs           # Protocol hierarchy
tshark -r capture.pcap -z conv,tcp         # TCP conversations
tshark -r capture.pcap -z endpoints,ip     # IP endpoints

# Extract HTTP objects
tshark -r capture.pcap --export-objects "http,./extracted_files"

# Common display filters for Wireshark
# http.request.method == "POST"
# tcp.flags.syn == 1
# dns.qry.name contains "domain"
# ftp.request.command == "PASS"
# smb2.filename
# kerberos.CNameString
```

## Protocol-specific analysis

```bash
# HTTP traffic analysis
tshark -r capture.pcap -Y "http" -T fields -e http.host -e http.request.uri -e http.request.method
tshark -r capture.pcap -Y 'http.request.method == "POST"' -T fields -e http.file_data

# DNS queries
tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name

# SMB file operations
tshark -r capture.pcap -Y "smb2.filename" -T fields -e smb2.filename

# FTP credentials
tshark -r capture.pcap -Y 'ftp.request.command == "USER" || ftp.request.command == "PASS"' -T fields -e ftp.request.arg

# NTLM authentication messages (NTLMSSP_AUTH, type 3): username and domain
# (the full NetNTLM hash needs the type 2 server challenge as well; see NTLMRawUnHide below)
tshark -r capture.pcap -Y "ntlmssp.messagetype == 3" -T fields -e ntlmssp.auth.username -e ntlmssp.auth.domain
```

## Credential extraction

```bash
# https://github.com/lgandx/PCredz
./Pcredz -f file-to-parse.pcap
./Pcredz -d /tmp/pcap-directory-to-parse/
./Pcredz -i eth0 -v

# https://github.com/DanMcInerney/net-creds
python2 net-creds.py -p capture.pcap
python2 net-creds.py -i eth0

# Extract NTLM hashes with NTLMRawUnHide
# https://github.com/mlgualtieri/NTLMRawUnHide
python3 NTLMRawUnHide.py -i capture.pcap

# Wireshark manual extraction
# Filter: ntlmssp
# Look for NTLMSSP_AUTH messages
# Right-click -> Export packet bytes
```

## Encrypted traffic analysis

```bash
# Decrypt TLS with a (pre-)master-secret key log (written by a client started with SSLKEYLOGFILE set)
tshark -r capture.pcap -o "tls.keylog_file:sslkeys.log" -Y "http"

# Wireshark: Edit -> Preferences -> Protocols -> TLS -> (Pre)-Master-Secret log filename

# Identify encrypted protocols without decryption
tshark -r capture.pcap -Y "tls.handshake.type == 1" -T fields -e tls.handshake.extensions_server_name

# JA3/JA3S fingerprinting for TLS client identification
# https://github.com/salesforce/ja3
tshark -r capture.pcap -Y "tls.handshake.type == 1" -T fields -e tls.handshake.ja3

# Detect potential C2 traffic patterns
tshark -r capture.pcap -z io,stat,60,"COUNT(frame)frame"  # Check for beaconing intervals
```
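The `io,stat` bucket counts above show beaconing only if you eyeball the histogram. The following script, added here as an example (not part of the original cheat sheet), computes the spacing between a host's outbound SYNs per destination from `tshark -T fields` output and flags flows whose intervals are regular enough to look like a sleep-based beacon; the sample input and the thresholds are constructed for illustration.

```python
"""Flag periodic ("beacon-like") connections in tshark field output.
Added example, not from the original cheat sheet. Input is assumed to come from:
  tshark -r capture.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" \
         -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport
"""
import statistics
from collections import defaultdict
# Constructed sample: 10.0.0.5 reaches 203.0.113.7:443 every ~60 s with little
# jitter (beacon-like); 10.0.0.9 reaches 198.51.100.20:80 at irregular intervals.
SAMPLE = """\
1700000000.10\t10.0.0.5\t203.0.113.7\t443
1700000060.40\t10.0.0.5\t203.0.113.7\t443
1700000120.20\t10.0.0.5\t203.0.113.7\t443
1700000180.70\t10.0.0.5\t203.0.113.7\t443
1700000240.30\t10.0.0.5\t203.0.113.7\t443
1700000003.00\t10.0.0.9\t198.51.100.20\t80
1700000004.50\t10.0.0.9\t198.51.100.20\t80
1700000090.00\t10.0.0.9\t198.51.100.20\t80
1700000400.00\t10.0.0.9\t198.51.100.20\t80
"""

def parse_fields(text):
    """Group SYN timestamps by (src, dst, dport); skip malformed lines."""
    flows = defaultdict(list)
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == 4:
            ts, src, dst, dport = parts
            flows[(src, dst, int(dport))].append(float(ts))
    return flows

def beacon_score(timestamps):
    """(mean gap, coefficient of variation) of the gaps between connections.
    A sleep-based beacon yields a low CV; human-driven traffic does not."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None  # too few connections to judge periodicity
    mean = statistics.fmean(gaps)
    return mean, (statistics.pstdev(gaps) / mean if mean > 0 else float("inf"))

def find_beacons(text, max_cv=0.2):
    """Return {flow: (mean_gap, cv)} for flows spaced regularly enough to flag."""
    hits = {}
    for flow, stamps in parse_fields(text).items():
        score = beacon_score(stamps)
        if score and score[1] <= max_cv:
            hits[flow] = score
    return hits
```

Tune `max_cv` to your environment; real implants add jitter, so also look at the distribution of gaps over a longer window rather than a single threshold.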

## Network forensics

```bash
# Extract all files from pcap
# https://github.com/xplico/xplico
# https://www.netresec.com/?page=NetworkMiner

# Reconstruct sessions
tcpflow -r capture.pcap -o output_dir

# Find cleartext passwords
strings capture.pcap | grep -i "pass\|pwd\|login\|user"

# Carve files from network traffic
foremost -i capture.pcap -o carved_files
binwalk -e capture.pcap
```
