Packet Analyzing
Wireshark filters

| Option | Filter |
|---|---|
| Source AND Destination MAC | wlan.sa==source_mac && wlan.da==dest_mac |
| DHCP4 | bootp.option.type == 53 |
| DHCP6 | dhcpv6 |
| Disassociation or Association request | wlan.fc.type_subtype==0x000a \|\| wlan.fc.type_subtype==0x0000 |
| Message type either DHCP Request OR DHCP Reply | bootp.type==2 \|\| bootp.type==1 |
| Management Frames, Control Frames, Data Frames | wlan.fc.type==0 (management), wlan.fc.type==1 (control), wlan.fc.type==2 (data) |
| Association Request, ..., Null QoS Data + CF ACK + CF Poll | wlan.fc.type_subtype==0, ...., 47 (type and subtype packed into one value: Association Request is type 0 / subtype 0, Null QoS Data + CF ACK + CF Poll is type 2 / subtype 15 = 47) |

Note: Wireshark 3.0 renamed the BOOTP dissector fields from bootp.* to dhcp.*, so on current versions the DHCP4 filters above are written as dhcp.option.type == 53 and dhcp.type==2 || dhcp.type==1 (the old bootp.* names were kept as aliases but may be removed).
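The wlan.* filters in the table are all derived from the 2-byte 802.11 Frame Control field and the address slots that follow it. This added example (not from the original notes) decodes those fields the way Wireshark computes wlan.fc.type, wlan.fc.type_subtype, wlan.sa and wlan.da, and applies two of the table's filters to constructed sample frames; the helper names and MAC addresses are made up for the example.

```python
# Added example (not from the notes): decode the 802.11 Frame Control field
# the way Wireshark derives wlan.fc.type, wlan.fc.type_subtype, wlan.sa and
# wlan.da, then apply the table's filters to constructed sample frames.
import struct

TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data"}

def frame_control(frame: bytes) -> dict:
    """Parse the 2-byte little-endian Frame Control field at offset 0."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    return {
        "type": ftype, "type_name": TYPE_NAMES.get(ftype, "Reserved"), "subtype": subtype,
        # Wireshark packs type and subtype into one value: (type << 4) | subtype
        "type_subtype": (ftype << 4) | subtype,
        "to_ds": bool(fc & 0x0100), "from_ds": bool(fc & 0x0200),
    }

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def sa_da(frame: bytes) -> tuple:
    """(wlan.sa, wlan.da): which address slot is SA/DA depends on To/From DS."""
    fc = frame_control(frame)
    a1, a2, a3 = mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22])
    if not fc["to_ds"] and not fc["from_ds"]:
        return a2, a1                  # management/IBSS: addr1=DA, addr2=SA
    if fc["to_ds"] and not fc["from_ds"]:
        return a2, a3                  # station -> AP: addr2=SA, addr3=DA
    if not fc["to_ds"] and fc["from_ds"]:
        return a3, a1                  # AP -> station: addr1=DA, addr3=SA
    return mac(frame[24:30]), a3       # WDS: addr3=DA, addr4=SA after Seq Ctrl

def build_frame(ftype, subtype, a1, a2, a3, to_ds=False, from_ds=False, a4=None):
    """Construct a minimal header (constructed test data, no body) with hex MACs."""
    fc = (subtype << 4) | (ftype << 2) | (to_ds << 8) | (from_ds << 9)
    hdr = struct.pack("<H", fc) + b"\x00\x00" + bytes.fromhex(a1 + a2 + a3)
    if a4:                             # 4-address frame: Seq Ctrl then addr4
        hdr += b"\x00\x00" + bytes.fromhex(a4)
    return hdr

# The table's filter "wlan.fc.type_subtype==0x000a || wlan.fc.type_subtype==0x0000"
def is_assoc_req_or_disassoc(frame: bytes) -> bool:
    return frame_control(frame)["type_subtype"] in (0x000a, 0x0000)

# The table's filter "wlan.sa==source_mac && wlan.da==dest_mac"
def sa_da_match(frame: bytes, source_mac: str, dest_mac: str) -> bool:
    return sa_da(frame) == (source_mac.lower(), dest_mac.lower())
```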
TCPDUMP
Format: tcpdump -i <interface> -s <frame length, 0 for default len> -w <packets to file>
Example: tcpdump -i wan0 -s 0 -w snmpwan0.pcap
Experiment: capturing UDP data sent with the nc command using tcpdump
- Start tcpdump to capture the incoming datagrams:
# tcpdump -i l2sd0.4093 udp port 8001 -w test_file
- Size of the packet data file:
# ls -l test_file
-rw-r--r-- 1 root 0 8906 Jan 16 14:55 test_file
- tcpdump receives a few UDP datagrams (one of 8K and the remaining bytes in a second datagram; 8192 + 714 = 8906, the size of the file), with output as follows:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on l2sd0.4093, link-type EN10MB (Ethernet), capture size 65535 bytes
17:33:35.980000 IP 192.168.254.254.34765 > 192.168.254.253.8001: UDP, length 8192
17:33:35.980000 IP 192.168.254.254.34765 > 192.168.254.253.8001: UDP, length 714
- Send the file data over a UDP socket with the nc command:
# nc -u 192.168.254.253 8001 < test_file