Packet Capture Notes
2020-6-16 05:23:44 Author: techvomit.net

Wireshark

Filter where the source ip is not 192.168.1.1

Filter where the destination ip is not 192.168.1.1

Find packets with a string in them

frame contains <thing to search>

For example:

Resource: https://www.cellstream.com/reference-reading/tipsandtricks/431-finding-text-strings-in-wireshark-captures

Show hostnames

Go to View -> Name Resolution -> Check the box next to Resolve Network Addresses

Resource: https://unix.stackexchange.com/questions/390852/how-to-filter-by-host-name-in-wireshark

Filter TLS traffic

If you want to only show TLS v1.2 traffic, then you would run:

ssl.record.version == 0x0303

Versions:

  • 0x0300 SSL 3.0
  • 0x0301 TLS 1.0
  • 0x0302 TLS 1.1
  • 0x0303 TLS 1.2

Resource: https://security.stackexchange.com/questions/190532/filter-tls-in-wireshark-or-other-monitoring-tool
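One caveat worth checking before trusting that filter: ssl.record.version only tests the 5-byte record header, and a TLS 1.3 ClientHello is sent with record version 0x0301 and legacy_version 0x0303, signalling 1.3 only in its supported_versions extension (Wireshark 3.x also renames the field to tls.record.version). The Python below is an added example, not code from the original notes, that parses a constructed ClientHello both ways so the difference is visible; the record and handshake layouts follow RFC 8446, everything else is a constructed sample.

```python
import struct

# Record-layer version values from the list above, plus 0x0304 for TLS 1.3.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUPPORTED_VERSIONS_EXT = 43  # ClientHello extension type, RFC 8446

def record_version(record: bytes) -> int:
    """Version field of the 5-byte record header: the value the display filter tests."""
    _ctype, version, _length = struct.unpack("!BHH", record[:5])
    return version

def client_hello_versions(record: bytes) -> list:
    """Versions a ClientHello really offers: supported_versions if present, else legacy_version."""
    body = record[5:]
    if body[0] != 1:  # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    p = 4  # skip handshake type and 3-byte length
    legacy_version = struct.unpack("!H", body[p:p + 2])[0]
    p += 2 + 32                                     # legacy_version + random
    p += 1 + body[p]                                # session_id
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]  # cipher_suites
    p += 1 + body[p]                                # compression_methods
    if p >= len(body):                              # no extensions block at all
        return [legacy_version]
    end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[p:p + 4])
        data = body[p + 4:p + 4 + length]
        if ext_type == SUPPORTED_VERSIONS_EXT:
            return [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + data[0], 2)]
        p += 4 + length
    return [legacy_version]

def build_client_hello(legacy_version: int, supported=()) -> bytes:
    """Constructed minimal ClientHello, wrapped in a record whose version is 0x0301."""
    ext = b""
    if supported:
        lst = b"".join(struct.pack("!H", v) for v in supported)
        data = bytes([len(lst)]) + lst
        ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(data)) + data
    hello = (struct.pack("!H", legacy_version) + b"\x00" * 32   # version, random
             + b"\x00"                                          # empty session_id
             + struct.pack("!H", 2) + b"\x13\x01"               # one cipher suite
             + b"\x01\x00"                                      # compression: null
             + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, 0x0301, len(handshake)) + handshake
```

A ClientHello built with supported=(0x0304, 0x0303) has record version 0x0301, so the filter above would not show it as TLS 1.2 even though its legacy_version is 0x0303; filtering on the handshake's supported_versions is the reliable way to tell 1.2 from 1.3.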

TCPDump

Filter on port 80

Filter on source port 80

Destination port 80

All traffic for 192.168.1.1

Save output

tcpdump tcp -w output.pcap

Resource: https://medium.com/swlh/introduction-to-tcpdump-635653f56177

Filter on service

Here we capture ICMP traffic on the eth0 interface where the ICMP type field is icmp-echo (an echo request). The -vv flag adds verbose protocol decoding; the filter expression is quoted so the shell does not try to expand the square brackets.

tcpdump -i eth0 -vv 'icmp and icmp[icmptype]=icmp-echo'

Resources: http://alumni.cs.ucr.edu/~marios/ethereal-tcpdump.pdf http://www.networksorcery.com/enp/protocol/icmp/msg8.htm

Listen for traffic over port 389

tcpdump -i eth0 -nn port 389

Resource: https://hackertarget.com/tcpdump-examples/


Source: https://techvomit.net/packet-capture-notes/