Traffic Analysis

Accounting Traffic


# Reset counters and iptables rules
iptables -Z && iptables -F

# Measure incoming traffic from lab machine
iptables -I INPUT 1 -s -j ACCEPT

# Measure outgoing traffic to lab machine
iptables -I OUTPUT 1 -d -j ACCEPT
watch -n 1 iptables -nvL

Using a Capture

aircrack-ng captured.cap


PCAP Samples:

PA Toolkit (Pentester Academy Wireshark Toolkit)

PA Toolkit is a collection of traffic analysis plugins to extend the functionality of Wireshark from a micro-analysis tool and protocol dissector to the macro analyzer and threat hunter.

Sample Captures:



Supported network interfaces

tshark -D

Sniff on eth0

tshark -i eth0

Open pcap

tshark -r HTTP_traffic.pcap

Read 100 packets from pcap

tshark -r HTTP_traffic.pcap -c 100

Print full details for first 10 Packets

tshark -r HTTP_traffic.pcap -c 10 -V

List of protocols in pcap

tshark -r HTTP_traffic.pcap -z io,phs -q

Export into PDML

tshark -r HTTP_traffic.pcap  -T pdml > http.xml


xsltproc /usr/share/wireshark/pdml2html.xsl http.xml > http.html


Only the HTTP traffic

tshark -Y 'http' -r HTTP_traffic.pcap

IP packets sent from IP address to

tshark -r HTTP_traffic.pcap -Y "ip.src== && ip.dst=="

Packets containing GET requests

tshark -r HTTP_traffic.pcap -Y "http.request.method==GET"

Print only source IP and URL for all GET request packets

tshark -r HTTP_traffic.pcap -Y "http.request.method==GET" -Tfields -e frame.time -e ip.src -e http.request.full_uri

Packets contain the "password" string

tshark -r HTTP_traffic.pcap -Y "http contains password

Destination IP for GET requests sent to New York Times (

tshark -r HTTP_traffic.pcap -Y "http.request.method==GET &&" -Tfields -e ip.dst

Session ID being used by for Amazon India store (

tshark -r HTTP_traffic.pcap -Y "ip contains && ip.src==" -Tfields -e ip.src -e http.cookie

Type of OS is using

tshark -r HTTP_traffic.pcap -Y "ip.src== && http" -Tfields -e http.user_agent


Only show SSL traffic?

tshark -r HTTPS_traffic.pcap -Y 'ssl'

Only print the source IP and destination IP for all SSL handshake packets

tshark -r HTTPS_traffic.pcap -Y "ssl.handshake" -Tfields -e ip.src -e ip.dst

List issuer name for all SSL certificates exchanged

tshark -r HTTPS_traffic.pcap -Y "ssl.handshake.certificate" -Tfields -e x509sat.printableString

Print the IP addresses of all servers accessed over SSL

tshark -r HTTPS_traffic.pcap -Y "ssl && ssl.handshake.type==1" -Tfields -e ip.dst

IP addresses associated with Ask Ubuntu servers (

tshark -r HTTPS_traffic.pcap -Y "ip contains askubuntu"

The IP address of the user who interacted with with Ask Ubuntu servers (

tshark -r HTTPS_traffic.pcap -Y "ip.dst== || ip.dst== || ip.dst== || ip.dst==" -Tfields -e ip.src

What DNS servers were used

tshark -r HTTPS_traffic.pcap -Y "dns && dns.flags.response==0" -Tfields -e ip.dst

Name of the antivirus solution

tshark -r HTTPS_traffic.pcap -Y "ip contains avast" -Tfields -e ip.src

Answer: Avast antivirus,,,


Show only WiFi traffic

tshark -r WiFi_traffic.pcap -Y "wlan"

View the deauthentication packets

tshark -r WiFi_traffic.pcap -Y "wlan.fc.type_subtype==0x000c"

Display WPA handshake packets

tshark -r WiFi_traffic.pcap -Y "eapol"

Print the SSID and BSSID values for all beacon frames

tshark -r WiFi_traffic.pcap -Y "wlan.fc.type_subtype==8" -Tfields -e wlan.ssid -e wlan.bssid

What is BSSID of SSID "LazyArtists"

tshark -r WiFi_traffic.pcap -Y "wlan.ssid==LazyArtists" -Tfields -e wlan.bssid

Channel of SSID "Home_Network"

tshark -r WiFi_traffic.pcap -Y "wlan.ssid==Home_Network" -Tfields -e

Devices that received deauth messages

tshark -r WiFi_traffic.pcap -Y "wlan.fc.type_subtype==0x000c" -Tfields -e wlan.ra

Which device does MAC 5c:51:88:31:a0:3b belongs to

tshark -r WiFi_traffic.pcap -Y "wlan.ta==5c:51:88:31:a0:3b && http" -Tfields -e http.user_agent

Beacon frames present

tshark -r WiFi_traffic.pcap -Y 'wlan.fc.type_subtype == 0x0008'

Unique list of all AP BSSIDs

tshark -r WiFi_traffic.pcap -Y 'wlan.fc.type_subtype == 0x0008' -T fields -e wlan.bssid | sort  | uniq

Unique list of all AP SSIDs

tshark -r WiFi_traffic.pcap -Y 'wlan.fc.type_subtype == 0x0008' -T fields -e wlan.ssid | sort  | uniq

Only non-null SSIDs

tshark -r WiFi_traffic.pcap -Y 'wlan.fc.type_subtype == 0x0008 && !(wlan.tag.length ==0)' -T fields -e wlan.ssid | sort  | uniq

Unique list of SSID and BSSIDs side by side for all AP networks

tshark -r WiFi_traffic.pcap -Y 'wlan.fc.type_subtype == 0x0008' -T fields -e wlan.ssid -e wlan.bssid | sort  | uniq


Show VoIP traffic

tshark -r VoIP_traffic.pcap -Y "sip or rtp"

Print all REGISTER packets

tshark -r VoIP_traffic.pcap -Y "sip.Method==REGISTER"

Only print the source IP, sender extension and authorization digest response for REGISTER packets

tshark -r VoIP_traffic.pcap -Y "sip.Method==REGISTER" -Tfields -e ip.src -e sip.from.user -e sip.auth.digest.response

Print all codecs being used by RTP protocol

tshark -r VoIP_traffic.pcap -Y "sdp" -Tfields -e

User who is using the Zoiper VoIP client

tshark -r VoIP_traffic.pcap -Y "sip contains Zoiper" -Tfields -e ip.src

IP address of the SIP server used to place calls

tshark -r VoIP_traffic.pcap -Y "sip.Method==REGISTER" -Tfields -e ip.dst

Content of the text message sent to +918108591527?

tshark -r VoIP_traffic.pcap -Y "sip.Method == MESSAGE" -V             (Read the content)

Extensions completed a call successfully

tshark -r VoIP_traffic.pcap -Y "sip.Method==BYE" -Tfields -e sip.from.user -e


Netsh (Windows)

netsh trace show capturefilterhelp
netsh trace show scenarios
netsh trace show globalkeywordsandlevel

netsh trace start capture=yes IPv4.Address=
netsh trace start scenario=InternetClient,InternetServer,NetConnection globalLevel=win:Verbose capture=yes report=yes traceFile=C:\temp\trace\trace001.etl
netsh trace stop
- Use Microsoft Network Monitor 3.4 to view: - Convert to PAC from:

Use powershell to convert:

$s = New-PefTraceSession -Path C:\output\path\spec\OutFile.Cap -SaveOnStop
$s | Add-PefMessageProvider -Provider C:\input\path\spec\Input.etl
$s | Start-PefTraceSession

tcpdump to show HTTP request/response headers

sudo tcpdump -A -s 10240 'tcp port 4080 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | egrep --line-buffered "^........(GET |HTTP\/|POST |HEAD )|^[A-Za-z0-9-]+: " | sed -r 's/^........(GET |HTTP\/|POST |HEAD )/\n\1/g'
sudo stdbuf -oL -eL /usr/sbin/tcpdump -A -s 10240 "tcp port 4080 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)" | egrep -a --line-buffered ".+(GET |HTTP\/|POST )|^[A-Za-z0-9-]+: " | perl -nle 'BEGIN{$|=1} { s/.*?(GET |HTTP\/[0-9.]* |POST )/\n$1/g; print }'


tcpdump -i eth1  -s 0 port not 22
tcpdump -i eth1  -s 0 port not 22 and port not 53
tcpdump -i eth1 port not 22 and host