## Capture

```bash
wireshark -i eth0
wireshark -i eth0 -k                 # start capturing immediately
wireshark -i eth0 -w capture.pcap    # save the capture to a file
```

### CLI (tshark)

```bash
tshark -i eth0                       # live capture on eth0
tshark -i eth0 -w capture.pcap       # live capture, written to a file
tshark -r capture.pcap               # read a saved capture
```
## Display Filters

### By Protocol

```
http
dns
tcp
udp
smb
smb2
ftp
ssh
telnet
icmp
arp
```

### By IP

```
ip.addr == 10.10.10.10        # source or destination
ip.src == 10.10.10.10
ip.dst == 10.10.10.10
!(ip.addr == 10.10.10.10)     # exclude a host
```

### By Port

```
tcp.port == 80                # source or destination port
tcp.dstport == 443
udp.port == 53
```

### By Flags

```
tcp.flags.syn == 1
tcp.flags.reset == 1
tcp.flags.fin == 1
tcp.flags.syn == 1 && tcp.flags.ack == 0    # SYN only (no ACK): first packet of a handshake
```

### Combine

```
ip.addr == 10.10.10.10 && tcp.port == 80
http.request.method == "POST"
http.response.code == 200
dns.qry.name contains "target"
```
## Capture Filters (BPF)

Applied at capture time, so non-matching packets are never stored; this costs less CPU than display filters, which are evaluated on every captured packet:

```
host 10.10.10.10
port 80
src host 10.10.10.10
dst port 443
net 10.10.10.0/24
tcp port 80 and host 10.10.10.10
```
## Follow Streams

Right-click a packet → Follow → TCP/UDP/HTTP Stream.

### tshark

```bash
tshark -r capture.pcap -z follow,tcp,ascii,0    # TCP stream index 0, ASCII output
```
### HTTP Auth

### FTP

```
ftp.request.command == "USER" || ftp.request.command == "PASS"
```

### Telnet

Follow the TCP stream to see plaintext credentials.

### SMB

### SMTP

```
smtp.req.command == "AUTH"
```
## Export Objects

File → Export Objects → HTTP/SMB/FTP/TFTP.

### tshark

```bash
tshark -r capture.pcap --export-objects http,./exported/
tshark -r capture.pcap --export-objects smb,./exported/
```
## Statistics

- Statistics → Endpoints (top talkers)
- Statistics → Conversations (who talks to whom)
- Statistics → Protocol Hierarchy (protocol breakdown)
- Statistics → I/O Graphs (traffic over time)
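To make the filter semantics concrete, here is an added example (not code from the page or from the Wireshark project): a stdlib-only Python script that builds a small synthetic pcap, then re-implements three items above on the raw bytes: `ip.addr == X && tcp.port == Y` (each field matches either direction), the SYN-only flag test, and an Endpoints-style count of SYN-only sources, which is how a capture reviewer spots a host that keeps opening connections it never completes. The function names (`parse_pcap`, `matches`, `syn_sources`) and the sample addresses are my own, and it handles only classic little-endian pcap, not pcapng.

```python
"""Stdlib-only pcap reader that re-implements a few display filters (added example)."""
import struct
from collections import Counter
from ipaddress import IPv4Address

PCAP_MAGIC = 0xA1B2C3D4        # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


def build_tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Construct an Ethernet/IPv4/TCP frame (synthetic test data; checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    eth = bytes(6) + bytes(5) + b"\x01" + b"\x08\x00"   # dst MAC, src MAC, EtherType IPv4
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian pcap 2.4 container so tshark/Wireshark can open it."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield one dict per IPv4 packet, keyed with Wireshark field names."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled here (no pcapng)")
    if struct.unpack_from("<I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                    # not IPv4: skipped, like the "ip" filter
        ihl = (frame[14] & 0x0F) * 4                    # IPv4 header length in bytes
        pkt = {"ip.src": str(IPv4Address(frame[26:30])),
               "ip.dst": str(IPv4Address(frame[30:34])),
               "ip.proto": frame[23]}
        tcp_off = 14 + ihl
        if pkt["ip.proto"] == 6 and len(frame) >= tcp_off + 20:
            sport, dport = struct.unpack_from("!HH", frame, tcp_off)
            flags = frame[tcp_off + 13]                 # TCP flags byte
            pkt.update({"tcp.srcport": sport, "tcp.dstport": dport,
                        "tcp.flags.syn": int(bool(flags & TCP_SYN)),
                        "tcp.flags.ack": int(bool(flags & TCP_ACK)),
                        "tcp.flags.reset": int(bool(flags & TCP_RST)),
                        "tcp.flags.fin": int(bool(flags & TCP_FIN))})
        yield pkt


def matches(pkt, addr=None, port=None):
    """ip.addr == addr && tcp.port == port: each field matches either direction."""
    if addr is not None and addr not in (pkt["ip.src"], pkt["ip.dst"]):
        return False
    if port is not None and port not in (pkt.get("tcp.srcport"), pkt.get("tcp.dstport")):
        return False
    return True


def syn_only(pkt):
    """tcp.flags.syn == 1 && tcp.flags.ack == 0: the opening packet of a handshake."""
    return pkt.get("tcp.flags.syn") == 1 and pkt.get("tcp.flags.ack") == 0


def syn_sources(data):
    """Statistics -> Endpoints restricted to SYN-only packets: who is opening connections."""
    return Counter(p["ip.src"] for p in parse_pcap(data) if syn_only(p))


def build_sample_capture():
    """Constructed capture: one host sends SYNs to four ports, another completes a handshake."""
    frames = [build_tcp_frame("10.10.10.10", "10.10.10.20", 50000 + i, port, TCP_SYN)
              for i, port in enumerate((22, 80, 443, 445))]
    frames += [build_tcp_frame("10.10.10.30", "10.10.10.20", 40000, 80, TCP_SYN),
               build_tcp_frame("10.10.10.20", "10.10.10.30", 80, 40000, TCP_SYN | TCP_ACK),
               build_tcp_frame("10.10.10.30", "10.10.10.20", 40000, 80, TCP_ACK)]
    return build_pcap(frames)


if __name__ == "__main__":
    capture = build_sample_capture()
    with open("sample.pcap", "wb") as fh:        # open with: tshark -r sample.pcap -Y "..."
        fh.write(capture)
    for src, count in syn_sources(capture).most_common():
        print(f"{src}: {count} SYN-only packets")
```

Running it writes `sample.pcap`, so the same filters can be checked with `tshark -r sample.pcap -Y "tcp.flags.syn == 1 && tcp.flags.ack == 0"` and the counts compared with Statistics → Endpoints. Note that Wireshark and tshark save pcapng by default; to produce a file this reader accepts, save with `-F pcap`.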
## Useful Filters

| Purpose | Filter |
|---|---|
| HTTP requests | `http.request` |
| POST data | `http.request.method == "POST"` |
| DNS queries | `dns.flags.response == 0` |
| Failed logins | `ftp.response.code == 530` |
| ARP requests | `arp.opcode == 1` |
| ICMP | `icmp` |
| Cleartext creds | `http.authbasic \|\| ftp \|\| telnet` |
## tshark One-Liners

```bash
# Extract HTTP URLs (host + request URI, one per line)
tshark -r capture.pcap -Y "http.request" -T fields -e http.host -e http.request.uri

# Extract DNS queries (queries only, not responses)
tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name

# Extract HTTP Basic credentials
tshark -r capture.pcap -Y "http.authbasic" -T fields -e http.authbasic
```
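The credential filters and one-liners above show where cleartext logins sit in a capture; as an added example (not code from the page or from the Wireshark project), this script runs over text in the form Follow TCP Stream (ASCII) presents it and reports which accounts were sent in the clear over HTTP Basic, FTP and SMTP AUTH PLAIN, with the secret redacted, which is the shape a monitoring finding should take. The regular expressions, the function names and the sample streams are constructed for this example.

```python
"""Report cleartext credential exchanges in a followed TCP stream (added example)."""
import base64
import re

# Line-anchored patterns for the protocols the cheat sheet lists as carrying plaintext logins.
HTTP_BASIC = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.I | re.M)
FTP_USER = re.compile(r"^USER\s+(\S+)", re.M)
FTP_PASS = re.compile(r"^PASS\s+(\S+)", re.M)
SMTP_AUTH_PLAIN = re.compile(r"^AUTH\s+PLAIN\s+([A-Za-z0-9+/=]+)", re.I | re.M)


def _b64(text):
    """Decode base64, or return None when it is invalid (e.g. a truncated stream)."""
    try:
        return base64.b64decode(text, validate=True).decode("utf-8", "replace")
    except ValueError:
        return None


def find_exposed_credentials(stream_text):
    """Return (protocol, username, redacted_secret) triples; the secret is never returned."""
    findings = []
    for m in HTTP_BASIC.finditer(stream_text):
        decoded = _b64(m.group(1))          # Basic auth is base64("user:password")
        if decoded is None:
            continue
        user, _, secret = decoded.partition(":")
        findings.append(("http-basic", user, "*" * len(secret)))
    user_m = FTP_USER.search(stream_text)    # FTP sends USER then PASS on separate lines
    pass_m = FTP_PASS.search(stream_text)
    if user_m and pass_m:
        findings.append(("ftp", user_m.group(1), "*" * len(pass_m.group(1))))
    for m in SMTP_AUTH_PLAIN.finditer(stream_text):
        decoded = _b64(m.group(1))
        if decoded is None:
            continue
        parts = decoded.split("\0")          # SASL PLAIN: [authzid] NUL authcid NUL password
        if len(parts) == 3:
            findings.append(("smtp-auth-plain", parts[1], "*" * len(parts[2])))
    return findings


def sample_streams():
    """Constructed stream text, as Follow TCP Stream (ASCII) would show it."""
    http = ("GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
            "Authorization: Basic " + base64.b64encode(b"alice:s3cret").decode() + "\r\n\r\n")
    ftp = ("220 FTP ready\r\nUSER bob\r\n331 Password required\r\n"
           "PASS hunter2\r\n230 Login ok\r\n")
    smtp = ("220 mail.example ESMTP\r\nAUTH PLAIN "
            + base64.b64encode(b"\0carol\0letmein").decode() + "\r\n235 OK\r\n")
    return http, ftp, smtp


if __name__ == "__main__":
    for stream in sample_streams():
        for protocol, user, redacted in find_exposed_credentials(stream):
            print(f"{protocol}: account {user!r} sent secret {redacted} in cleartext")
```

Feeding it real data means saving the stream with `tshark -r capture.pcap -z follow,tcp,ascii,0` and passing that text to `find_exposed_credentials`; the output lists the exposed accounts without reproducing the secrets, so it can go straight into a ticket or alert.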
## Quick Reference

| Task | Filter/Command |
|---|---|
| Filter by IP | `ip.addr == TARGET` |
| HTTP POST | `http.request.method == "POST"` |
| Follow stream | Right-click → Follow → TCP Stream |
| Export files | File → Export Objects → HTTP |
| Credentials | `http.authbasic`, `ftp`, `ntlmssp` |