Traffic Capture
CLI-tools
tcpdump
tcpdump is a CLI tool used to capture and analyze network traffic in real time.
# Capture port-80 (HTTP) traffic on the tun0 interface, skip name resolution (-n) and write it to a pcap file (-w)
sudo tcpdump -i tun0 port 80 -n -w http_traffic.pcap
Wireshark
We can analyze the .pcap files with Wireshark using display filters such as:
# HTTP traffic only
http
# HTTPS traffic (TLS/SSL)
ssl or tls
# SMB protocol traffic
smb || smb2
# LDAP traffic
ldap
# RDP traffic
tcp.port == 3389
# NTLM authentication (NTLMSSP)
ntlmssp
# HTTP Basic authentication headers (Base64-encoded credentials)
frame contains "Basic "
# FTP credentials (user/pass)
ftp.request.command == "USER" || ftp.request.command == "PASS"
# HTTP POST requests (often contain data submission)
http.request.method == "POST"
# Kerberos tickets (useful for Kerberoasting)
kerberos
# IP addresses
ip.addr == 192.168.1.10
ip.dst == 192.168.1.10
ip.src == 192.168.1.10
# TCP traffic with data (non-empty payloads)
tcp.len > 0
# HTTP traffic on non-standard ports
http && tcp.port != 80
SQLi Example
The attack lasted ~8 minutes (Figure 1).

The attack starts on line 13 (Figure 2).

By right-clicking the line and selecting Follow HTTP Stream (Figure 3), we can see the raw HTTP requests and that the attacker has entered 1=1 into the id parameter to test for SQLi (Figure 4).
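To show what the Wireshark filters above and the Follow HTTP Stream view surface, here is an added Python example (not from the original notes) that scans the client side of a constructed HTTP stream for the same indicators: POST requests, HTTP Basic credentials sent in the clear, and a 1=1 tautology in a request parameter. The sample stream, hostname and values are made up.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: client-side requests as Wireshark's "Follow HTTP Stream" shows them.
SAMPLE_STREAM = (
    "GET /item.php?id=13 HTTP/1.1\r\nHost: shop.example.test\r\n\r\n"
    "GET /item.php?id=1%20or%201%3D1 HTTP/1.1\r\nHost: shop.example.test\r\n\r\n"
    "POST /login HTTP/1.1\r\nHost: shop.example.test\r\n"
    "Authorization: Basic dXNlcjpwYXNz\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 20\r\n\r\n"
    "user=alice&pass=s3cr\r\n"
)

# A request starts at a line like "GET /path HTTP/1.1"; split the stream there.
REQUEST_START = re.compile(r"(?m)^(?=(?:GET|POST|PUT|DELETE|HEAD) \S+ HTTP/1\.[01]\r?$)")
# Tautology such as 1=1 (same number on both sides of '='), the classic SQLi probe.
TAUTOLOGY = re.compile(r"\b(\d+)\s*=\s*\1\b")


def split_requests(stream):
    return [part for part in REQUEST_START.split(stream) if part.strip()]


def analyze_request(raw):
    """Return (method, target, findings) for one raw HTTP request."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, v in (line.split(":", 1) for line in lines[1:] if ":" in line)}
    findings = []
    # Query-string parameters, plus form-encoded body parameters for POSTs.
    params = parse_qsl(urlsplit(target).query)
    if method == "POST":
        findings.append("POST request (data submission)")
        params += parse_qsl(body.strip())
    for name, value in params:
        if TAUTOLOGY.search(value):
            findings.append(f"SQLi tautology in parameter {name!r}: {value!r}")
    if headers.get("authorization", "").startswith("Basic "):
        findings.append("HTTP Basic credentials sent in the clear")
    return method, target, findings


def analyze_stream(stream):
    return [analyze_request(request) for request in split_requests(stream)]


if __name__ == "__main__":
    for method, target, findings in analyze_stream(SAMPLE_STREAM):
        print(method, target, findings)
```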

