Nmap

Network scanning tool for host discovery, port scanning, service detection, and OS detection.

Target Specification

  • IP range using -: 192.168.0.1-10 scans from 192.168.0.1 to 192.168.0.10
  • IP subnet using /: 192.168.0.1/24 scans the entire subnet
  • Hostname: Specify target by hostname (e.g., example.thm)

Host Discovery

  • -sL — List scan: lists targets without scanning
  • -sn — Ping scan: host discovery only, no port scanning
  • -Pn — Treat all hosts as online, scan hosts that appear to be down

Port Scanning

  • -sT — TCP connect scan: completes three-way handshake
  • -sS — TCP SYN scan: only first step of handshake (stealthier)
  • -sU — UDP scan: discovers UDP services
  • -F — Fast mode: scans 100 most common ports (instead of default 1000)
  • -p[range] — Specify port range (e.g., -p10-1024, -p- scans all ports)

Service & OS Detection

  • -O — OS detection: makes educated guess about target OS
  • -sV — Service version detection: identifies service versions
  • -A — Aggressive: enables OS detection, version scanning, and traceroute

Timing & Performance

  • -T<0-5> — Timing templates: paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), insane (5)
  • --min-parallelism <numprobes> and --max-parallelism <numprobes> — Control parallel probes
  • --min-rate <number> and --max-rate <number> — Control packet rate (packets/second)
  • --host-timeout <time> — Maximum time to wait for a target host

Output Formats

  • -oN <filename> — Normal output (human-friendly)
  • -oX <filename> — XML output
  • -oG <filename> — Grep-able output (useful for grep and awk)
  • -oA <basename> — Output in all major formats
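The grepable (-oG) format is the one practitioners usually post-process. The following Python is an added example, not part of this cheat sheet or of Nmap itself: it parses constructed -oG output (the SAMPLE_OG string is made up, not real scan data) into open ports per host and compares them against a baseline of expected services, which is how a defender turns a scan into a list of unexpected exposures. Field layout assumed is Nmap's documented port entry "port/state/protocol/owner/service/rpc info/version/".

```python
"""Parse Nmap grepable (-oG) output and flag open ports missing from a baseline.

Added example; not Nmap code. SAMPLE_OG is a constructed -oG file.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRecord:
    host: str
    port: int
    proto: str
    state: str
    service: str
    version: str


# Constructed sample of -oG output (not real scan data). Fields are tab-separated.
SAMPLE_OG = """# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sV -oG scan.gnmap 192.168.0.1/29
Host: 192.168.0.1 (gw.example.thm)\tStatus: Up
Host: 192.168.0.1 (gw.example.thm)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.168.0.2 ()\tStatus: Up
Host: 192.168.0.2 ()\tPorts: 53/open/udp//domain//dnsmasq 2.86/, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (998)
# Nmap done at Mon Jan  1 00:00:05 2024 -- 8 IP addresses (2 hosts up) scanned in 5.00 seconds
"""

# "Host: <ip> (<optional hostname>)" is the first tab-separated field of every host line.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_gnmap(text):
    """Return one PortRecord per port entry found in the 'Ports:' fields."""
    records = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines ("# Nmap ...") carry no port data
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip = m.group(1)
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue  # "Status: Up" lines have no ports
            for entry in field[len("Ports:"):].split(","):
                # port/state/protocol/owner/service/rpc info/version/
                parts = entry.strip().split("/")
                if len(parts) < 7:
                    continue
                port, state, proto, _owner, service, _rpc, version = parts[:7]
                records.append(PortRecord(ip, int(port), proto, state, service, version))
    return records


def open_ports_by_host(text):
    """Map host IP -> list of (port, proto, service, version) for open ports only."""
    result = {}
    for r in parse_gnmap(text):
        if r.state == "open":
            result.setdefault(r.host, []).append((r.port, r.proto, r.service, r.version))
    return result


def unexpected_open_ports(text, baseline):
    """Return sorted (host, port, proto) tuples that are open but absent from baseline."""
    found = set()
    for host, ports in open_ports_by_host(text).items():
        for port, proto, _svc, _ver in ports:
            found.add((host, port, proto))
    return sorted(found - baseline)


if __name__ == "__main__":
    expected = {("192.168.0.1", 22, "tcp"), ("192.168.0.1", 80, "tcp")}
    for host, ports in open_ports_by_host(SAMPLE_OG).items():
        print(host, ports)
    print("unexpected:", unexpected_open_ports(SAMPLE_OG, expected))
```

Closed and filtered entries are kept by parse_gnmap but dropped by open_ports_by_host, so the baseline comparison only ever reports services that actually answered. The same parser works on a real file via open("scan.gnmap").read().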

tcpdump

Network packet capture and analysis tool for monitoring network traffic.

Basic Commands

  • tcpdump -i INTERFACE — Captures packets on a specific network interface
  • tcpdump -i any — Listen on all available interfaces
  • tcpdump -w FILE — Writes captured packets to a file
  • tcpdump -r FILE — Reads captured packets from a file
  • tcpdump -c COUNT — Captures a specific number of packets
  • tcpdump -n — Don't resolve IP addresses
  • tcpdump -nn — Don't resolve IP addresses and protocol numbers
  • tcpdump -v — Verbose display (can be increased with -vv and -vvv)

Examples

  • tcpdump -i eth0 -c 50 -v — Captures 50 packets on the eth0 interface (a wired Ethernet interface) and displays them verbosely.
  • tcpdump -i wlo1 -w data.pcap — Captures packets on the wlo1 interface (the WiFi interface) and writes them to data.pcap. The capture continues until the user interrupts it by pressing CTRL-C.
  • tcpdump -i any -nn — Captures packets on all interfaces and displays them on screen without resolving hostnames or protocol/port numbers.

Filtering Expressions

  • tcpdump host IP — Filters packets by IP address or hostname
  • tcpdump src host IP — Filters packets by source host
  • tcpdump dst host IP — Filters packets by destination host
  • tcpdump port PORT_NUMBER — Filters packets by port number
  • tcpdump src port PORT_NUMBER — Filters by source port
  • tcpdump dst port PORT_NUMBER — Filters by destination port
  • tcpdump PROTOCOL — Filters by protocol (ip, ip6, icmp, etc.)

Filtering Examples

  • tcpdump -i any tcp port 22 — Listens on all interfaces and captures TCP packets to or from port 22, i.e., SSH traffic.
  • tcpdump -i wlo1 udp port 123 — Listens on the WiFi network card and shows only UDP packets to or from port 123, the Network Time Protocol (NTP) port.
  • tcpdump -i eth0 host example.com and tcp port 443 -w https.pcap — Listens on eth0, the wired Ethernet interface, keeps only traffic exchanged with example.com over TCP port 443, and writes it to https.pcap. In other words, this command captures HTTPS traffic related to example.com.

Logical Operators

  • and — Captures packets matching both conditions (e.g., tcpdump host 1.1.1.1 and tcp)
  • or — Captures packets meeting either condition (e.g., tcpdump udp or icmp)
  • not — Captures all packets except those matching the condition (e.g., tcpdump not tcp)

Advanced Filtering

  • greater LENGTH — Filters packets with length greater than or equal to specified length
  • less LENGTH — Filters packets with length less than or equal to specified length
  • tcp[tcpflags] == tcp-syn — Capture TCP packets with only SYN flag set
  • tcp[tcpflags] & tcp-syn != 0 — Capture TCP packets with at least SYN flag set

TCP Flag Filtering Examples

  • tcpdump "tcp[tcpflags] == tcp-syn" — Captures TCP packets with only the SYN (Synchronize) flag set, while all the other flags are unset.
  • tcpdump "tcp[tcpflags] & tcp-syn != 0" — Captures TCP packets with at least the SYN (Synchronize) flag set.
  • tcpdump "tcp[tcpflags] & (tcp-syn|tcp-ack) != 0" — Captures TCP packets with at least the SYN (Synchronize) or ACK (Acknowledge) flags set.
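The difference between == and & ... != 0 above is easy to get wrong, because tcp[tcpflags] is a single byte (offset 13 of the TCP header) holding all six classic flag bits. The following Python is an added example, not tcpdump code: it builds constructed 20-byte TCP headers for the segments of a normal connection, extracts that flags byte the way tcpdump's tcp[tcpflags] does, and applies the three filters so you can see which segments each one keeps. Bit values are those of the TCP header flags field; the segment names and port numbers are made up.

```python
"""Evaluate the three tcp[tcpflags] filters above on constructed TCP headers.

Added example; not tcpdump code. Headers are built inline, not captured.
"""
import struct

# Bit values of the TCP flags byte (tcpdump's tcp-fin, tcp-syn, ... constants).
TCP_FIN = 0x01
TCP_SYN = 0x02
TCP_RST = 0x04
TCP_PUSH = 0x08
TCP_ACK = 0x10
TCP_URG = 0x20

# tcp[tcpflags] is shorthand for tcp[13]: the low byte of the data-offset/flags word.
TCPFLAGS_OFFSET = 13


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=65535):
    """Return a minimal 20-byte TCP header (data offset 5, no options)."""
    offset_flags = (5 << 12) | flags  # top 4 bits = header length in 32-bit words
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, offset_flags, window, 0, 0)


def tcpflags(header):
    """Equivalent of tcp[tcpflags]: the flags byte of a raw TCP header."""
    return header[TCPFLAGS_OFFSET]


# Filters from the examples above, expressed on the extracted byte.
def only_syn(flags):            # tcp[tcpflags] == tcp-syn
    return flags == TCP_SYN


def at_least_syn(flags):        # tcp[tcpflags] & tcp-syn != 0
    return flags & TCP_SYN != 0


def syn_or_ack(flags):          # tcp[tcpflags] & (tcp-syn|tcp-ack) != 0
    return flags & (TCP_SYN | TCP_ACK) != 0


# Constructed segments of one connection plus a reset (not captured traffic).
SAMPLE_SEGMENTS = [
    ("client SYN", build_tcp_header(40000, 22, TCP_SYN)),
    ("server SYN-ACK", build_tcp_header(22, 40000, TCP_SYN | TCP_ACK)),
    ("client ACK", build_tcp_header(40000, 22, TCP_ACK)),
    ("data PSH-ACK", build_tcp_header(40000, 22, TCP_PUSH | TCP_ACK)),
    ("FIN-ACK", build_tcp_header(22, 40000, TCP_FIN | TCP_ACK)),
    ("RST", build_tcp_header(22, 40000, TCP_RST)),
]


def apply_filter(predicate, segments):
    """Names of the segments whose flags byte satisfies the predicate."""
    return [name for name, hdr in segments if predicate(tcpflags(hdr))]


if __name__ == "__main__":
    for label, pred in (("== tcp-syn", only_syn),
                        ("& tcp-syn != 0", at_least_syn),
                        ("& (tcp-syn|tcp-ack) != 0", syn_or_ack)):
        print(f"{label:28s} -> {apply_filter(pred, SAMPLE_SEGMENTS)}")
```

The equality filter keeps only the client's initial SYN, which is why it is the usual choice for counting new connection attempts; the SYN-ACK reply has a second bit set and fails == but passes the masked test. Note that in a real capture the offset is relative to the start of the TCP header, so tcpdump's tcp[13] already accounts for the IP header length.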

Display Options

  • tcpdump -q — Quick and quiet: brief packet information
  • tcpdump -e — Include MAC addresses
  • tcpdump -A — Print packet contents in ASCII
  • tcpdump -xx — Display packets in hexadecimal format, including the link-layer header
  • tcpdump -X — Show packets in both hexadecimal and ASCII formats