✦
Important: this article is still being written.

Different options for optimising your tcpdump captures

How to capture only incoming HTTP GET requests on port 443 (Apache/NGINX):

tcpdump -i enp0s8 -s 0 -A 'tcp dst port 443 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'

How to capture all incoming HTTP GET requests, whatever the port:

tcpdump -i enp0s8 -s 0 -A 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'

Explanation: tcp[((tcp[12:1] & 0xf0) >> 2):4] first works out where the bytes of interest start (just after the TCP header, whose length is read from the data offset nibble in byte 12 of the header), then selects the 4 bytes we want to compare; 0x47455420 is the ASCII encoding of "GET ".
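To make the offset arithmetic concrete, here is an added Python re-implementation of that BPF test (example code, not from the original page): it parses a raw IPv4/TCP packet, derives the payload offset from byte 12 of the TCP header and compares the first four payload bytes with 0x47455420; the packets, ports and option bytes are constructed for the demo, and a naive fixed-offset variant is included to show why the data-offset computation matters once TCP options are present.

```python
import struct
from typing import Optional

GET_MAGIC = 0x47455420  # big-endian value of the four ASCII bytes b"GET "


def tcp_payload_starts_with_get(ip_packet: bytes, dst_port: Optional[int] = None) -> bool:
    """Python equivalent of the BPF test tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420
    on a raw IPv4 packet (no link-layer header); dst_port adds 'tcp dst port <n>'."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return False
    ihl = (ip_packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ip_packet[9] != 6:                     # IP protocol 6 = TCP
        return False
    tcp = ip_packet[ihl:]
    if len(tcp) < 20:
        return False
    if dst_port is not None and struct.unpack("!H", tcp[2:4])[0] != dst_port:
        return False
    # tcp[12] carries the data offset in its high nibble, counted in 32-bit words.
    # (x & 0xf0) >> 2 equals (x >> 4) * 4: the header length in bytes, options included.
    payload_offset = (tcp[12] & 0xF0) >> 2
    first4 = tcp[payload_offset:payload_offset + 4]
    return len(first4) == 4 and struct.unpack("!I", first4)[0] == GET_MAGIC


def naive_fixed_offset_check(ip_packet: bytes) -> bool:
    """What 'tcp[20:4] = 0x47455420' would do: assume a 20-byte TCP header."""
    ihl = (ip_packet[0] & 0x0F) * 4
    tcp = ip_packet[ihl:]
    return len(tcp) >= 24 and struct.unpack("!I", tcp[20:24])[0] == GET_MAGIC


def build_ipv4_tcp(dst_port: int, payload: bytes, tcp_options: bytes = b"") -> bytes:
    """Constructed test packet: minimal IPv4 + TCP, checksums left at zero."""
    assert len(tcp_options) % 4 == 0, "TCP options must pad to 32-bit words"
    data_offset_words = 5 + len(tcp_options) // 4
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0,
                          data_offset_words << 4, 0x18, 65535, 0, 0)
    segment = tcp_hdr + tcp_options + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0,
                         64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip_hdr + segment


# Constructed samples; NOP, NOP, Timestamp (kind 8, length 10) = 12 option bytes.
TS_OPTIONS = bytes([0x01, 0x01, 0x08, 0x0A]) + bytes(8)
PLAIN_GET = build_ipv4_tcp(443, b"GET / HTTP/1.1\r\n")
GET_WITH_OPTIONS = build_ipv4_tcp(443, b"GET / HTTP/1.1\r\n", TS_OPTIONS)
POST_REQUEST = build_ipv4_tcp(443, b"POST / HTTP/1.1\r\n")
```

On port 443 the comparison can only succeed when HTTP is sent in the clear: inside a TLS session the first payload bytes belong to a TLS record rather than a request line, so this filter shows nothing for real HTTPS traffic.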
✦
TCPDUMP Filters

A tcpdump(8) filter to capture all packets that are SSLv2, SSLv3, or TLS < 1.2.

Assuming that all of it has been copied into a file named 'sslfilter' (only the last line of that file is the actual filter; the comment lines are there only for understanding):

sudo tcpdump "$(grep -v '^#' sslfilter)"

or

tcpdump -i vmx0 -s 1500 "`grep -v '^#' sslfilter`" -nnXSs0 -ttt
✦
Wireshark Filters

Intro

This document is meant to serve as a quick reference for points of interest in IP, TCP, UDP and ICMP headers. I cobbled the information together from a variety of sources, all listed at the bottom of this page. This information will (hopefully) be useful to people building filters for network tools that use BPF, such as tcpdump or snort. I was moved to collect all of this stuff in one place after completing "Intrusion Detection In-Depth" at a recent SANS conference.