| name | pentest-network |
| description | Network analysis, traffic capture, and MITM tool reference. Covers tshark/tcpdump (packet capture), hping3 (packet crafting), netcat/socat (connections), and on-demand tools (bettercap, ettercap, responder). Use for network traffic analysis, protocol inspection, and man-in-the-middle testing.
|
| version | 2.0.0 |
| triggers | ["network","traffic","packet capture","tshark","tcpdump","MITM","man in the middle","bettercap","ARP","sniffing","hping"] |
Network Analysis — Tool Reference
Tshark — Packet Capture & Analysis
Live Capture
tshark -i eth0 -c 100
tshark -i eth0 -f "host <target>" -c 200
tshark -i eth0 -Y "http" -c 100
tshark -i eth0 -Y "dns.qry.name" -c 50
tshark -i eth0 -f "tcp port 80" -c 200
tshark -i eth0 -Y "http.request.method == POST" -c 50
tshark -i eth0 -Y "ssl.handshake.type == 1" -c 50
tshark -i eth0 -Y "tcp.flags.syn == 1 && tcp.flags.ack == 0" -c 100
Save & Analyze
tshark -i eth0 -c 500 -w /tmp/capture.pcap
tshark -r /tmp/capture.pcap -Y "http.request"
tshark -r /tmp/capture.pcap -Y "http.request" -T fields -e http.host -e http.request.uri
tshark -r /tmp/capture.pcap -Y "http.request.method == POST" -T fields -e http.file_data
tshark -r /tmp/capture.pcap -z "follow,tcp,ascii,0"
tshark -r /tmp/capture.pcap -z "io,phs"
tshark -r /tmp/capture.pcap -z "conv,tcp"
tshark -r /tmp/capture.pcap --export-objects "http,/tmp/extracted"
tshark -r /tmp/capture.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name | sort -u
tshark -r /tmp/capture.pcap -Y "ftp.request.command == PASS || http.authorization" -T fields -e ftp.request.arg -e http.authorization
Tcpdump — Lightweight Packet Capture
tcpdump -i eth0 -c 100
tcpdump -i eth0 host <target> -c 200
tcpdump -i eth0 port 80 -c 100
tcpdump -i eth0 -w /tmp/capture.pcap -c 500
tcpdump -i eth0 -A -c 50
tcpdump -i eth0 -XX -c 50
tcpdump -i eth0 "host <target> and port 443" -c 100
tcpdump -i eth0 "src <target> and tcp" -c 100
tcpdump -i eth0 -n -c 200
tcpdump -i eth0 "tcp[tcpflags] & (tcp-syn) != 0" -c 100
Hping3 — Packet Crafting & Testing
Port Scanning
hping3 -S -p 80 <target>
hping3 -8 1-1000 -S <target>
hping3 -A -p 80 <target>
hping3 -F -p 80 <target>
Firewall Testing
hping3 --traceroute -V -S -p 80 <target>
hping3 -f -p 80 -S <target>
hping3 -S -p 80 -t 10 <target>
hping3 -S -p 80 --tcp-timestamp <target>
OS Fingerprinting
hping3 -S -p 80 -W <target>
hping3 -1 <target> -c 5
Stress Testing (authorized only)
hping3 -S --flood -V -p 80 <target>
hping3 -S --flood --rand-source -p 80 <target>
hping3 -S -p 80 -d 120 <target>
On-Demand Network Tools
Bettercap — Modern MITM Framework
bettercap
Ettercap — MITM Suite
ettercap -T -M arp:remote /<gateway>// /<target>//
ettercap -T -M arp:remote ///
ettercap -T -P dns_spoof -M arp:remote /<gateway>// /<target>//
ettercap -T -p
ettercap -T -L /tmp/ettercap_log -M arp:remote ///
Responder — LLMNR/NBT-NS Poisoner
responder -I eth0
responder -I eth0 -wF
responder -I eth0 -A
responder -I eth0 -v
Protocol-Specific Analysis
HTTP Traffic
tshark -i eth0 -Y "http.request" -T fields -e http.host -e http.request.uri -c 200
tshark -i eth0 -Y "http.request.method == POST" -T fields -e http.host -e http.request.uri -e http.file_data -c 50
tshark -i eth0 -Y "http.cookie" -T fields -e http.host -e http.cookie -c 50
DNS Traffic
tshark -i eth0 -Y "dns.flags.response == 0" -T fields -e dns.qry.name -c 100
tshark -i eth0 -Y "dns.flags.response == 1" -T fields -e dns.qry.name -e dns.a -c 100
SMB/Windows Traffic
tshark -i eth0 -Y "smb || smb2" -c 100
tshark -i eth0 -Y "smb2.cmd == 5" -T fields -e smb2.filename -c 50
tshark -i eth0 -Y "ntlmssp" -c 50
Tool Selection Guide
| Situation | Best Tool |
|---|
| Quick traffic capture | tcpdump -i eth0 -c 100 |
| Deep protocol analysis | tshark with display filters |
| Port scanning with evasion | hping3 -S -p <port> |
| Firewall detection | hping3 -A (ACK scan) |
| MITM on local network | bettercap (modern) or ettercap (classic) |
| Capture Windows hashes | responder -I eth0 |
| Extract HTTP credentials | tshark -Y "http.request.method == POST" |
| Monitor DNS resolution | tshark -Y "dns.qry.name" |
| Save for later analysis | tcpdump -w /tmp/cap.pcap then tshark -r |