Friday, October 10, 2014

Use tcpdump to Filter and Merge Multiple pcap Files

The other day I had a couple dozen pcap files (each just under 1 GB) from which I wanted to extract the traffic of a single host. Two options come to mind: merge the pcap files together and then filter, or filter each pcap separately and then merge the results. Both are sloppy if done as separate steps, so do it in one line:
# mergecap -w /dev/stdout file1.pcap file2.pcap file3.pcap | tcpdump -r - -w output.pcap host 192.168.1.10
mergecap reads the files listed at the end of the command and writes the merged capture to /dev/stdout; tcpdump reads that stream (-r -), applies the filter (host 192.168.1.10), and writes the matching packets to output.pcap.


Wednesday, October 1, 2014

Single Line Base64 Decoder

If you have a chunk of Base64 encoded data and want to decode it, the quickest method is usually to find some online decoder. If you're worried about the sensitivity of the data or don't have access to a web browser or even the Internet you'll want to decode it locally.

To do this you'll need perl (it should be installed on most Linux distros). Given a file containing only Base64 encoded text, e.g.:
$ file base64_file
base64_file: ASCII text, with CRLF line terminators
$
The following command will decode the text:
(NOTE - the file must contain ONLY Base64 encoded text; any non-Base64 data mixed in will break the decoding)
$ perl -MMIME::Base64 -e 'print decode_base64(join("",<>))' < base64_file >output
$ file output
output: HTML document, ASCII text, with CRLF line terminators
$
If done correctly the output file should contain the decoded data.
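As an added example, not code from the original post: a Python equivalent of the perl one-liner that enforces the NOTE above, reporting the first line that is not Base64 before decoding instead of producing a corrupted output file. The sample inputs in the comments and tests are constructed.

```python
import base64
import re

# One line of standard Base64: alphabet characters with optional trailing padding.
B64_LINE = re.compile(rb"^[A-Za-z0-9+/]*={0,2}$")


def first_non_base64_line(raw):
    """1-based number of the first line that is not pure Base64, or None if all lines pass.
    CR/LF line endings and blank lines are tolerated, the same as `file` reported above."""
    for n, line in enumerate(raw.splitlines(), 1):
        if not B64_LINE.match(line.strip()):
            return n
    return None


def decode_base64_file(raw):
    """Same effect as `perl -MMIME::Base64 -e 'print decode_base64(join("",<>))'`, but strict:
    refuses input that is not entirely Base64 rather than decoding a corrupted stream."""
    bad = first_non_base64_line(raw)
    if bad is not None:
        raise ValueError("line %d is not Base64 encoded text" % bad)
    # Join all lines (dropping CR/LF) and decode with alphabet validation enabled.
    return base64.b64decode(b"".join(raw.split()), validate=True)
```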

Thursday, August 14, 2014

Legacy tcpdump - "Packet size limited during capture"

I was doing some debugging the other day on a legacy system with an older version of tcpdump installed. When I imported the packets into Wireshark to better interpret the results, I saw the familiar message "Packet size limited during capture":

You never realize there's a problem with a packet capture until after you've finished and shipped it somewhere else for analysis
It was then that I remembered that older versions of tcpdump default to a snaplen of 68 bytes. To correct this you need to specify a longer snaplen manually. From the manpage of tcpdump 3.9.4:
-s   Snarf snaplen bytes of data from each packet rather than the default of 68 (with SunOS's NIT, the minimum is actually 96).  68 bytes is adequate for IP, ICMP, TCP and UDP but may truncate protocol information from name server and NFS packets (see below).  Packets truncated because of a limited snapshot are indicated in the output with  ''[|proto]'', where proto is the name of the protocol level at which the truncation has occurred.  Note that taking larger snapshots both increases the amount of time it takes to process packets and, effectively, decreases the amount of packet buffering.  This may cause packets to be lost.  You should limit snaplen to the smallest number that will capture the protocol information you're interested in.  Setting snaplen to 0 means use the required length to catch whole packets.
So in order to capture the whole packet, you need to set a snaplen of 0 using the option "-s 0":

~]# tcpdump -i eth0 -n -s 0 host 192.168.1.1
This captures on the eth0 interface (-i eth0), without converting host addresses to names (-n), saving the entire packet (-s 0), for packets to or from the host with IP 192.168.1.1 (host 192.168.1.1).
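As an added example (not the blog's own code) that serves both this post and the mergecap/tcpdump one-liner above: a small pure-Python pcap reader that merges several captures, keeps only frames to or from one host, and reports the records Wireshark would flag as "Packet size limited during capture" (captured length below the on-the-wire length). It handles classic little-endian Ethernet pcap only, not pcapng; the sample frames are constructed, not real traffic.

```python
import struct
from ipaddress import ip_address

PCAP_HDR = "<IHHiIII"   # magic, major, minor, tz offset, sigfigs, snaplen, linktype
REC_HDR = "<IIII"       # ts_sec, ts_usec, caplen (bytes saved), origlen (bytes on the wire)

def build_pcap(records, snaplen=65535):
    """Write a classic little-endian Ethernet pcap from (ts_sec, ts_usec, data, origlen) tuples."""
    out = bytearray(struct.pack(PCAP_HDR, 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1))
    for ts_sec, ts_usec, data, origlen in records:
        out += struct.pack(REC_HDR, ts_sec, ts_usec, len(data), origlen) + data
    return bytes(out)

def iter_records(blob):
    """Yield (ts_sec, ts_usec, data, origlen) per record; refuses pcapng or non-Ethernet input."""
    magic, _, _, _, _, _, linktype = struct.unpack_from(PCAP_HDR, blob, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian classic pcap with Ethernet frames")
    off = 24
    while off + 16 <= len(blob):
        ts_sec, ts_usec, caplen, origlen = struct.unpack_from(REC_HDR, blob, off)
        yield ts_sec, ts_usec, blob[off + 16:off + 16 + caplen], origlen
        off += 16 + caplen

def ipv4_endpoints(data):
    """(src, dst) of an Ethernet/IPv4 frame, or None if not IPv4 or cut off before the addresses."""
    if len(data) < 34 or data[12:14] != b"\x08\x00":
        return None
    return str(ip_address(data[26:30])), str(ip_address(data[30:34]))

def merge_and_filter(blobs, host):
    """Stand-in for `mergecap ... | tcpdump -r - -w out.pcap host X`: keep frames to/from host."""
    kept = []
    for blob in blobs:
        for rec in iter_records(blob):
            ends = ipv4_endpoints(rec[2])
            if ends and host in ends:
                kept.append(rec)
    kept.sort(key=lambda r: (r[0], r[1]))   # mergecap's default is a chronological merge
    return build_pcap(kept)

def truncated_records(blob):
    """Indices of records that saved fewer bytes than were on the wire (e.g. old tcpdump's 68-byte snaplen)."""
    return [i for i, (_, _, data, origlen) in enumerate(iter_records(blob)) if len(data) < origlen]

def frame(src, dst, payload=b""):
    """Constructed Ethernet/IPv4 frame for sample data: zero MACs, UDP, no checksums, not real traffic."""
    ip = b"\x45\x00" + struct.pack(">H", 20 + len(payload)) + b"\x00" * 4 + b"\x40\x11\x00\x00"
    return b"\x00" * 12 + b"\x08\x00" + ip + ip_address(src).packed + ip_address(dst).packed + payload
```

Run truncated_records over a capture before shipping it for analysis; a non-empty result means the snaplen was too small.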

Wednesday, July 9, 2014

Single Line Web Server in Python

This is an old trick, but very useful for transferring files in a pinch, especially in cross-platform situations. It is also great if you need a simple web server for testing.

The commands are simple.

For Python 2.x: python -m SimpleHTTPServer
[user@fedora folder1]$ python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
For Python 3.x: python3 -m http.server
[user@fedora folder1]$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 ...
Both default to port 8000, but you can append a port number to the command to use a different one. The current directory is used as the document root. If an index.html or index.htm file is present it is served for the root URL; otherwise the server returns a directory listing. Just point your browser at the system:
http://<your-ip-address>:8000
Make sure your firewall/iptables rules allow the inbound connection.

The terminal shows a running Apache-style access log of requests. Press Ctrl+C to exit.

Performance is pretty good too:



Official documentation here:
https://docs.python.org/2/library/simplehttpserver.html
https://docs.python.org/3/library/http.server.html
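As an added example, not from the original post: the same SimpleHTTPRequestHandler that `python3 -m http.server` uses, started from Python so the served directory and the bind address are explicit (loopback here, instead of the default 0.0.0.0), with a fetch of the index to show the index.html behaviour described above. The served directory and its files are constructed in a temp dir.

```python
import functools
import http.server
import socketserver
import tempfile
import threading
import urllib.request
from pathlib import Path


def serve_directory(directory, bind="127.0.0.1", port=0):
    """Start the handler behind `python3 -m http.server`, rooted at an explicit directory
    and bound to a chosen address instead of 0.0.0.0 (port 0 = any free port)."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=str(directory))
    server = socketserver.ThreadingTCPServer((bind, port), handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(server, path):
    """GET a path from the running server; returns (status, body)."""
    host, port = server.server_address[:2]
    with urllib.request.urlopen("http://%s:%d%s" % (host, port, path), timeout=5) as resp:
        return resp.status, resp.read()


def demo():
    """Serve a constructed temp directory, fetch the index and one file, then shut down."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "index.html").write_text("<h1>transfer box</h1>")
        Path(tmp, "notes.txt").write_text("one file, served from the chosen root")
        server = serve_directory(tmp)
        try:
            index = fetch(server, "/")          # index.html is returned for the root URL
            notes = fetch(server, "/notes.txt")
        finally:
            server.shutdown()
            server.server_close()
    return index, notes
```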


Tuesday, April 1, 2014

Quick Decimal, Hex, Binary, Octal Conversion on Windows

Sometimes you just need a quick and dirty way to convert between number systems (decimal, hex, octal, binary). The built-in Windows calculator will do this for you. Start the calculator and under "View" choose "Programmer".


This switches to the Programmer calculator view. Set the mode to the number system you are converting from (it should default to Decimal) and enter the number.


From here you just select the number system you want to convert to.


The number auto-updates to the new number system. Done, quick and easy.