Using CDP (Cisco Discovery Protocol) to identify which switch and port you are plugged into:
# tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000'
Apache requests in real time (prints the Host: header of each HTTP request as it arrives):
# tcpdump -i eth0 -s 1024 -l -A port 80 | grep "Host:"
Create a pcap file readable by Wireshark (full packets, no name resolution):
# tcpdump -nn -w tcpdump.pcap -s0 *rules*
Pipe remote tcpdump output into local Wireshark (first command on the remote host, second on the local machine):
# tcpdump -nn -w - -s0 *rules* | nc -l 9999
$ nc remote.server.address 9999 | wireshark -k -S -i -
Filtering packets based on TCP flags (bit values of the flags byte at tcp[13]):
- URG = 32
- ACK = 16
- PSH = 8
- RST = 4
- SYN = 2
- FIN = 1
All packets with the SYN flag set (this also matches SYN-ACKs):
# tcpdump -i eth0 -s0 -S -nn -vvv 'tcp[13] & 2 != 0'
All SYN-ACK packets (mask 18 = SYN + ACK; the comparison must be == 18, since '& 18 != 0' would match every packet with either flag, i.e. nearly all TCP traffic):
# tcpdump -i eth0 -s0 -S -nn -vvv 'tcp[13] & 18 == 18'
Only packets with the Evil Bit set (RFC 3514; the high bit of the IP flags byte at ip[6]):
# tcpdump -i eth0 -s0 -S -nn -vvv 'ip[6] & 128 != 0'
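To show what the tcp[13] and ip[6] byte filters above actually test, here is an added example (not part of the original cheat sheet) that builds constructed TCP and IPv4 headers and evaluates the two BPF comparison forms on them; the helper names are my own.

```python
import struct

# Flag bit values of the TCP flags byte (tcp[13]), as listed in the cheat sheet.
TCP_FLAGS = {"URG": 32, "ACK": 16, "PSH": 8, "RST": 4, "SYN": 2, "FIN": 1}


def build_tcp_header(flags, src_port=40000, dst_port=80, seq=1, ack=0):
    """Construct a minimal 20-byte TCP header (test data, no options)."""
    flag_byte = sum(TCP_FLAGS[f] for f in flags)
    data_offset = 5 << 4  # header length 5 words, upper nibble of byte 12
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flag_byte, 65535, 0, 0)


def build_ip_header(evil=False, proto=6):
    """Construct a minimal 20-byte IPv4 header; 'evil' sets the reserved bit (RFC 3514)."""
    flags_frag = 0x8000 if evil else 0  # high bit of byte 6
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, flags_frag, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))


def any_flag(tcp_header, mask):
    """Semantics of 'tcp[13] & MASK != 0': at least one bit of MASK is set."""
    return tcp_header[13] & mask != 0


def all_flags(tcp_header, mask):
    """Semantics of 'tcp[13] & MASK == MASK': every bit of MASK is set."""
    return tcp_header[13] & mask == mask


def flag_names(tcp_header):
    """Decode tcp[13] into flag names, highest bit first."""
    return [n for n, v in sorted(TCP_FLAGS.items(), key=lambda kv: -kv[1])
            if tcp_header[13] & v]


def bpf_filter(flags, exact=True):
    """Build the tcpdump expression for the given flags (exact: all must be set)."""
    mask = sum(TCP_FLAGS[f] for f in flags)
    return f"tcp[13] & {mask} == {mask}" if exact else f"tcp[13] & {mask} != 0"


def evil_bit_set(ip_header):
    """Semantics of 'ip[6] & 128 != 0'."""
    return ip_header[6] & 128 != 0


if __name__ == "__main__":
    for name, flags in [("SYN", ["SYN"]), ("SYN-ACK", ["SYN", "ACK"]),
                        ("ACK", ["ACK"]), ("PSH-ACK", ["PSH", "ACK"])]:
        h = build_tcp_header(flags)
        print(f"{name:8} tcp[13]={h[13]:3}  &18!=0 -> {any_flag(h, 18)!s:5}"
              f"  &18==18 -> {all_flags(h, 18)!s:5}  {flag_names(h)}")
```

Running it shows that the '& 18 != 0' form is true for plain ACK and PSH-ACK segments as well, while '& 18 == 18' is true only for the SYN-ACK.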