# Tcpdump

## Capture your packets to prove your work

```
tcpdump -nnX tcp and dst $IP                     ..hex+ASCII of every TCP packet sent to the target
tcpdump -nn udp and src $IP                      ..UDP leaving the target (DNS, SNMP, ...)
tcpdump -nn tcp and port 80 and host $IP         ..HTTP in either direction with the target
tcpdump -nv -s0 -w /tmp/winauth.pcap port 445    ..save full SMB packets to a pcap for the report

sudo tcpdump -i lo                               ..watch loopback (lo on Linux, lo0 on macOS/BSD) for local-only services
sudo tail -f /var/log/auth.log                   ..watch logins/sudo on the box alongside the capture
```

## tcpdump options:

* Switches:
  * -n don't resolve addresses to hostnames (no DNS lookups, which are slow and tell the DNS server what you are looking at)
  * -nn don't resolve hostnames or port numbers either (shows 445, not microsoft-ds)
  * -i pick the interface; without it tcpdump takes the first non-loopback one
  * -v verbose ..overkill on-screen, but with -w it at least reports the packet count
  * -w write raw packets to a pcap file (nothing shown on-screen; read it back later with -r, or open it in Wireshark)
  * -x hex output
  * -X hex and ASCII side by side
  * -A ASCII only ..very old builds lack it
  * -s0 snaplen 0 = grab the whole packet. Old versions truncated each packet at 68 (later 96) bytes by default, so the payload was cut off; tcpdump 4.x captures the full packet by default, and -s0 is harmless there
* Filter expression: primitives joined with and / or / not. Wrap a sub-expression in parentheses to group it, and quote the whole filter so the shell doesn't eat the parentheses, e.g. 'tcp and (port 80 or port 443) and host 10.0.0.5'
  * proto qualifiers: ether, ip, ip6, arp, rarp, tcp, udp
  * type qualifiers: host, net, port, portrange (host is assumed if you give a bare address)
  * direction qualifiers: src, dst (without one, either direction matches)
  * operators: and, or, not
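
To make the filter grammar and the -s/-X switches concrete, here is an added example that is not part of the original notes and not tcpdump's own code: a small Python pcap reader run over constructed sample traffic. It mirrors tcpdump's filter qualifiers as composable predicates (a bare `host`/`port` matches either direction, `src`/`dst` pin one side, `and_`/`or_`/`not_` group them), prints matches in a `-X`-style hex+ASCII dump, and shows what an old default snaplen costs you compared with `-s0`: the record is flagged as truncated and the payload is cut short. The IP addresses, ports and payloads are made up for the example.

```python
"""Tiny pcap reader with tcpdump-style filter primitives and a -X style hex dump.
Added example over constructed sample traffic; not a capture from the original page."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic microsecond pcap, little-endian; linktype 1 = Ethernet


def build_pcap(packets, snaplen=65535):
    """Write (timestamp, frame) pairs as a pcap blob. Frames longer than snaplen are
    truncated exactly as tcpdump -s N truncates them (incl_len < orig_len)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)
    for ts, frame in packets:
        data = frame[:snaplen]
        out += struct.pack("<IIII", ts, 0, len(data), len(frame)) + data
    return out


def ether_ipv4(src, dst, ipproto, l4):
    """Ethernet + IPv4 header around a TCP/UDP segment (checksums left zero: constructed data)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, ipproto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4


def tcp_segment(sport, dport, data):  # data offset 5 words, flags PSH|ACK
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + data


def udp_datagram(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def parse_frame(frame):
    """Decode Ethernet/IPv4/{TCP,UDP} into the fields tcpdump -nn prints."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return {"proto": "other"}
    ihl = (frame[14] & 0x0F) * 4
    f = {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34])}
    l4 = frame[14 + ihl:]
    if frame[23] == 6 and len(l4) >= 20:       # TCP: payload starts after the data offset
        sport, dport = struct.unpack_from("!HH", l4, 0)
        f.update(proto="tcp", sport=sport, dport=dport, payload=l4[(l4[12] >> 4) * 4:])
    elif frame[23] == 17 and len(l4) >= 8:     # UDP: fixed 8-byte header
        sport, dport = struct.unpack_from("!HH", l4, 0)
        f.update(proto="udp", sport=sport, dport=dport, payload=l4[8:])
    else:
        f["proto"] = "other"
    return f


def read_pcap(blob):
    """Yield (timestamp, truncated, fields) per record; truncated means the snaplen cut it."""
    if struct.unpack_from("<I", blob, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    off = 24
    while off < len(blob):
        ts, _, incl, orig = struct.unpack_from("<IIII", blob, off)
        frame = blob[off + 16:off + 16 + incl]
        off += 16 + incl
        yield ts, incl < orig, parse_frame(frame)


# Filter primitives, one per tcpdump qualifier. Bare host/port match either direction
# (like tcpdump's `host X` / `port N`); src_host/dst_host pin one side like `src`/`dst`.
def proto(name): return lambda f: f.get("proto") == name
def host(ip): return lambda f: ip in (f.get("src"), f.get("dst"))
def src_host(ip): return lambda f: f.get("src") == ip
def dst_host(ip): return lambda f: f.get("dst") == ip
def port(n): return lambda f: n in (f.get("sport"), f.get("dport"))
def and_(*ps): return lambda f: all(p(f) for p in ps)
def or_(*ps): return lambda f: any(p(f) for p in ps)
def not_(p): return lambda f: not p(f)


def select(blob, flt):
    """Like `tcpdump -r file.pcap '<filter>'`: the records whose decoded fields satisfy flt."""
    return [(ts, trunc, f) for ts, trunc, f in read_pcap(blob) if flt(f)]


def hexdump(data):
    """Format bytes the way tcpdump -X does: offset, 16 bytes as hex pairs, then ASCII."""
    lines = []
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        hexpart = " ".join(chunk[j:j + 2].hex() for j in range(0, len(chunk), 2))
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"0x{i:04x}:  {hexpart:<39}  {asc}")
    return "\n".join(lines)


IP = "10.0.0.5"  # stands in for $IP above; addresses, ports and payloads are constructed
PACKETS = [
    (1, ether_ipv4("192.168.1.10", IP, 6, tcp_segment(51000, 80, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"))),
    (2, ether_ipv4(IP, "192.168.1.10", 6, tcp_segment(80, 51000, b"HTTP/1.1 200 OK\r\n\r\n"))),
    (3, ether_ipv4(IP, "192.168.1.53", 17, udp_datagram(40000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8))),
    (4, ether_ipv4("192.168.1.10", IP, 6, tcp_segment(51001, 445, b"\x00\x00\x00\x2c\xfeSMB" + b"\x00" * 36))),
]
SAMPLE = build_pcap(PACKETS)                # what `tcpdump -s0 -w` writes: full packets
CLIPPED = build_pcap(PACKETS, snaplen=68)   # what an old 68-byte default snaplen writes

if __name__ == "__main__":
    # Same selection as `tcpdump -nnX tcp and dst $IP`
    for ts, trunc, f in select(SAMPLE, and_(proto("tcp"), dst_host(IP))):
        print(f"{ts} IP {f['src']}.{f['sport']} > {f['dst']}.{f['dport']} truncated={trunc}")
        print(hexdump(f["payload"]))
```

The `CLIPPED` blob is the failure mode the -s0 switch exists for: the SMB packet still matches `port 445` because the headers survived, but only 14 bytes of its payload did, so anything you wanted to prove from the request body is gone. Filters compose the same way as on the command line: `and_(proto("tcp"), or_(port(80), port(443)), host(IP))` is `'tcp and (port 80 or port 443) and host 10.0.0.5'`.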

## Wireshark Extracts

* File > Export Objects > HTTP (also SMB, IMF, DICOM, TFTP) lists the files carried in the capture; Save or Save All to dump them
* Wireshark Audio (VoIP calls):
  * Telephony > RTP (Real-time Transport Protocol) > RTP Streams > select a stream > Analyze
  * \> Play Streams, try each one! (a call is two streams, one per direction)
* Audio dump
  * open file.pcap in Wireshark (Windows build) and play the streams from the RTP player above
