[{"data":1,"prerenderedAt":129},["ShallowReactive",2],{"posts-doc:/posts/tcpdumping":3},{"id":4,"title":5,"body":6,"date":113,"description":114,"extension":115,"img":116,"meta":117,"navigation":118,"path":119,"seo":120,"stem":121,"tags":122,"type":127,"__hash__":128},"posts/posts/TCPDumping.md","TCPDumping",{"type":7,"value":8,"toc":110},"minimark",[9,36,46,60,66,77,83,97,103],[10,11,12,13,17,18,20,21,24,25,28,29,32,33],"p",{},"Hey, someone on the blue team just sent a ",[14,15,16],"code",{},".pcap"," file saying someone left a port scanner running. I know, I know, it's strange that someone sends a ",[14,19,16],{}," file thirty minutes after we started work, but hey, you wanted to work as a cybersecurity professional, right? So ",[14,22,23],{},"tcpdump"," that thing (no sudo is needed to read a saved capture with -r; only live sniffing needs privileges). We need to extract as much information as possible, including the ",[14,26,27],{},"IP protocol",", so use verbose output with ",[14,30,31],{},"-v"," and skip name resolution with ",[14,34,35],{},"-n",[37,38,43],"pre",{"className":39,"code":41,"language":42},[40],"language-text","bud@myawesomepc:~/Documents$ sudo tcpdump -vnr portscanlog.pcap\nreading from file portscanlog.pcap, link-type EN10MB (Ethernet), snapshot length 65535\n17:33:12.681940 IP (tos 0x0, ttl 64, id 2822, offset 0, flags [DF], proto TCP (6), length 60)\n    192.168.0.104.39907 > 173.45.93.20.0: Flags [S], cksum 0x2e02 (correct), seq 4094602155, win 29200, options [mss 1460,sackOK,TS val 5349549 ecr 0,nop,wscale 6], length 0\n17:33:12.964000 IP (tos 0x0, ttl 52, id 1617, offset 0, flags [none], proto TCP (6), length 40)\n    173.45.93.20.0 > 192.168.0.104.39907: Flags [R.], cksum 0xa8df (correct), seq 0, ack 4094602156, win 0, length 0\n17:33:12.964593 IP (tos 0x0, ttl 64, id 32671, offset 0, flags [DF], proto TCP (6), length 60)\n...\n","text",[14,44,41],{"__ignoreMap":45},"",[10,47,48,49,51,52,55,56,59],{},"Oh, okay. Didn't think it would be a large ",[14,50,16],{},". Sure, sure, run ",[14,53,54],{},"cut"," on it to extract only the ",[14,57,58],{},"source addresses"," (tcpdump prints them as IP.port, so every source port the scanner used shows up as its own line). 
Maybe that will help narrow down whether this was really a port scanner and not a desperate client.",[37,61,64],{"className":62,"code":63,"language":42},[40],"bud@myawesomepc:~/Documents$ sudo tcpdump -vnr portscanlog.pcap | cut -d \" \" -f5 | grep -v \"ttl\" | sort -u\nreading from file portscanlog.pcap, link-type EN10MB (Ethernet), snapshot length 65535\n173.45.93.20.0\n173.45.93.20.1\n173.45.93.20.10\n173.45.93.20.100\n173.45.93.20.101\n173.45.93.20.102\n173.45.93.20.103\n173.45.93.20.104\n...\n192.168.0.104.33029\n192.168.0.104.33070\n192.168.0.104.33094\n192.168.0.104.33231\n192.168.0.104.33594\n192.168.0.104.33809\n192.168.0.104.34308\n192.168.0.104.34476\n192.168.0.104.34527\n192.168.0.104.34670\n...\n",[14,65,63],{"__ignoreMap":45},[10,67,68,69,72,73,76],{},"Okay, that's interesting. This address, ",[14,70,71],{},"192.168.0.104",", is a private (RFC 1918) address and isn't one of our known servers. Here's what I'm thinking: filter for packets with this ",[14,74,75],{},"IP"," as the source address, just to make sure.",[37,78,81],{"className":79,"code":80,"language":42},[40],"bud@myawesomepc:~/Documents$ sudo tcpdump -vnr portscanlog.pcap src host 192.168.0.104 | cut -d \",\" -f1\nreading from file portscanlog.pcap, link-type EN10MB (Ethernet), snapshot length 65535\n192.168.0.104.39907 > 173.45.93.20.0: Flags [S]\n192.168.0.104.38027 > 173.45.93.20.1: Flags [S]\n192.168.0.104.49051 > 173.45.93.20.2: Flags [S]\n192.168.0.104.43663 > 173.45.93.20.3: Flags [S]\n192.168.0.104.34527 > 173.45.93.20.4: Flags [S]\n192.168.0.104.58368 > 173.45.93.20.5: Flags [S]\n192.168.0.104.54181 > 173.45.93.20.6: Flags [S]\n192.168.0.104.58142 > 173.45.93.20.7: Flags [S]\n192.168.0.104.49859 > 173.45.93.20.8: Flags [S]\n192.168.0.104.35458 > 173.45.93.20.111: Flags [.]\n...\n",[14,82,80],{"__ignoreMap":45},[10,84,85,86,88,89,92,93,96],{},"Yeah, my suspicion was right. This ",[14,87,75],{}," tried scanning ",[14,90,91],{},"173.45.93.20"," for any open port. Which ones did they actually hit, though? 
I'll assume they weren't doing a stealth (SYN) scan: a half-open scan never finishes the handshake, so it never sends a FIN, whereas a full connect scan does. So try filtering the scanner's packets by the ",[14,94,95],{},"FIN"," flag. (A check that works for either scan type is to look at the target's replies instead: src host 173.45.93.20 with Flags [S.], i.e. SYN/ACK, marks a port that answered as open.)",[37,98,101],{"className":99,"code":100,"language":42},[40],"bud@myawesomepc:~/Documents$ sudo tcpdump -vnr portscanlog.pcap src host 192.168.0.104 | cut -d \",\" -f1 | grep -v \"tos\" | grep \"F\\.\"\nreading from file portscanlog.pcap, link-type EN10MB (Ethernet), snapshot length 65535\n    192.168.0.104.54614 > 173.45.93.20.21: Flags [F.]\n    192.168.0.104.44370 > 173.45.93.20.22: Flags [F.]\n    192.168.0.104.59491 > 173.45.93.20.53: Flags [F.]\n    192.168.0.104.47995 > 173.45.93.20.80: Flags [F.]\n    192.168.0.104.35458 > 173.45.93.20.111: Flags [F.]\n\n",[14,102,100],{"__ignoreMap":45},[10,104,105,106,109],{},"A simple server, actually. I believe we have enough evidence that someone here was trying something and, judging by that ",[14,107,108],{},"rpcbind"," port (111) being open, they found something worth a closer look — though a completed handshake only shows the port answered, not that anything was exploited. I'll ask the blue team to figure out who has this address. Our job is done. You did good, Bud.",{"title":45,"searchDepth":111,"depth":111,"links":112},2,[],"2026-03-23","a wild .pcap appears","md",null,{},true,"/posts/tcpdumping",{"title":5,"description":114},"posts/TCPDumping",[123,124,125,126],"Linux","OffSec","tcpdump","Networking","Article","x54EZ8n0YhFPhcecfuvkSG2s7MGpT0vS83EPbjQUO18",1774877257580]