Wireshark and TCPDump

TCP/IP五层回忆

see every router your packets pass through by using the  traceroute  tool.

ex： traceroute www.virginia.edu

Viewing Packets in Wireshark

 Here is the structure of a Wireshark filter:
[Protocol].[header/field] [operator: +,==,!=] [value]
ex：ip.src == 192.168.1.101

Wireshark also allows you to filter packets based on their content.

find packets that contain terms like password, email, or @virginia. You can search all TCP packets for the term login using the following filter:

ex：tcp contains login

Wireshark lets you reconstruct this data from a packet stream by
clicking a packet and selecting Follow ▶TCP Stream

 结果：

Port 80 is almost always used for HTTP communication, whereas port 443 is commonly used for encrypted HTTPS traffic.

在pfSense主机上，进入shell

输入tcpdump命令，结果解释如下

 capture only TCP packets on port 443

ex：        tcpdump tcp port 443 -n

Instead of displaying the packets in the terminal, you also can write them to a file that you then can analyze in Wireshark:
tcpdump -i <interface> -s <number of packets to capture> -w <file.pcap>
for instance ：em0 interface

Once you’ve collected the data, you can view the file in Wireshark. Analyzing these traces can often be very tedious.
Online tools like https://packettotal.com will analyze .pcap files for you and flag suspicious activity.
 

log in to pf Sense by entering the router’s IP address into the URL bar. 

username admin and password pfsense

进入后是可以做配置的，如DNS（我在命令行写了半天，原来有Web界面的）

Click Status and select Dashboard from the drop-down menu.

For example, click the plus icon and select Traffic graphs to add a real-time traffic graph. 

exercise：

Download the Wireshark capture of our ARP spoofing attack
(arpspoof.pcap) from this book’s Git Hub page at
https://github.com/The-Ethical-Hacking-Book/ARP-pcap-files. 

find other packet captures to analyze by visiting
https://www.netresec.com/index.ashx?page=Pcap Files/.