Command examples¶
This page walks through several ipscap command examples that illustrate its usage and features.
Basic Usage¶
$ sudo su -
# ipscap --help
usage: ipscap [-h] [--verbose {0,1,2,3}] [--debug] [--log {string}]
[--find {string}] [--find_mode [REGEX, MATCH, BINARY, HEX]]
[--port {int}] [--protocol [ICMP, TCP, UDP]] [--ip {string}]
[--condition {string}] [--tracking] [--stat_mode {0,1,2}]
[--stat_group {0,1,2}]
[--output [NONE, HEADER, TEXT, BINARY, BINARY_ALL, HEX, HEX_ALL, BASE64, BASE64_ALL, LINE]]
[--dumpfile {0,1,2}] [--timeout {float}] [--exclude_ssh]
[--web_port] [--general_port] [--force] [--version]
`ipscap` captures "ICMP, TCP, UDP" packets. It supports filtering by various conditions, dumping file, displaying statistics.
optional arguments:
-h, --help show this help message and exit
--verbose {0,1,2,3} Verbose mode. [Level - 1:TRACE_ERROR, 2:INFO, 3:DEBUG]
--debug `--debug` is equivalent to `--verbose=3`.
--log {string} Verbose log filename.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# ipscap --exclude_ssh
Start capture packets...
Press `Ctrl + C` to stop.
Time: 2025-01-03 14:55:13.5109 / ~~~~~.5109, Passage number: 1
IP header: Version: 4, IP header length: 20, Total length: 55, TTL: 64, IP protocol: UDP[17]
UDP header: UDP header length: 8
Source: IP: 10.0.2.15 Port: 36305
Destination: IP: 8.8.8.8 Port: 53
Direction: SEND [ >>> ]
Data length: 27 byte
IP-H data: 45 00 00 37 e4 3b 40 00 40 11 3a 5c 0a 00 02 0f 08 08 08 08
UDP-H data: 8d d1 00 35 00 23 1c 53
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
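The `IP-H data` and `UDP-H data` lines above are the raw header bytes of the captured packet. The following added example (not part of ipscap) decodes them and verifies that the IPv4 header checksum and the UDP length agree with the fields ipscap prints, a quick integrity check when reviewing a dump by hand. It assumes only the line format shown above; the sample is copied from this page's first capture.

```python
import re
import struct

# Constructed sample: the "IP-H data" / "UDP-H data" lines of the first packet dump on this
# page (a DNS query from 10.0.2.15 to 8.8.8.8).
SAMPLE = """\
IP-H data: 45 00 00 37 e4 3b 40 00 40 11 3a 5c 0a 00 02 0f 08 08 08 08
UDP-H data: 8d d1 00 35 00 23 1c 53
"""

def hex_line(text, label):
    """Return the raw bytes printed after '<label> data:' in an ipscap packet dump."""
    m = re.search(rf"^{label} data: ((?:[0-9a-f]{{2}} ?)+)$", text, re.M)
    if not m:
        raise ValueError(f"no '{label} data' line found")
    return bytes.fromhex(m.group(1))

def internet_checksum(data):
    """RFC 1071: one's complement of the one's complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(hdr):
    """Decode the fixed IPv4 header fields and verify the header checksum."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", hdr[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"version": ver_ihl >> 4, "ihl": ihl, "total_length": total_len, "ttl": ttl,
            "protocol": proto, "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            # summing the whole header, checksum field included, yields 0 when it is intact
            "checksum_ok": internet_checksum(hdr[:ihl]) == 0}

def parse_udp(hdr):
    src_port, dst_port, length, csum = struct.unpack("!HHHH", hdr[:8])
    return {"src_port": src_port, "dst_port": dst_port, "length": length, "checksum": csum}

def check_dump(text):
    """Decode both headers and cross-check them: UDP length must fill the IP payload."""
    ip = parse_ipv4(hex_line(text, "IP-H"))
    udp = parse_udp(hex_line(text, "UDP-H"))
    ip["lengths_consistent"] = udp["length"] == ip["total_length"] - ip["ihl"]
    return ip, udp

if __name__ == "__main__":
    for name, fields in zip(("IP", "UDP"), check_dump(SAMPLE)):
        print(name, fields)
```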
Filter port¶
Filter port 80
The `--port` option filters by port and applies to both received and sent packets.
# ipscap --port=80
Time: 2025-01-02 14:59:45.9329 / ~~~~~~~~.932, Passage number: 3
IP header: Version: 4, IP header length: 20, Total length: 316, TTL: 64, IP protocol: TCP[6]
TCP header: TCP header length: 20, Sequence: 1536002, Acknowledgement: 844367953, Window: 65535, Flags: ['PSH', 'ACK']
TCP options: -
Source: IP: 74.6.231.20 Port: 80
Destination: IP: 10.0.2.15 Port: 51196
Direction: RECEIVE [ <<< ]
Data length: 276 byte
IP-H data: 45 00 01 3c 00 c0 00 00 40 06 3b d3 4a 06 e7 14 0a 00 02 0f
TCP-H data: 00 50 c7 fc 00 17 70 02 32 54 08 51 50 18 ff ff 52 a4 00 00
HTTP/1.1 301 Moved Permanently
Date: Sun, 12 Jan 2025 05:59:37 GMT
Connection: keep-alive
Server: ATS
Cache-Control: no-store, no-cache
Filter ports 80 and 443
# ipscap --port=80,443
Time: 2025-01-02 14:58:14.3874 / ~~~~~~~~.3874, Passage number: 1
IP header: Version: 4, IP header length: 20, Total length: 44, TTL: 64, IP protocol: TCP[6]
TCP header: TCP header length: 24, Sequence: 1216001, Acknowledgement: 254560287, Window: 65535, Flags: ['SYN', 'ACK']
TCP options: mss:1460
Source: IP: 98.137.11.164 Port: 443
Destination: IP: 10.0.2.15 Port: 56118
Direction: RECEIVE [ <<< ]
Data length: 2 byte
IP-H data: 45 00 00 2c 00 a7 00 00 40 06 ff e9 62 89 0b a4 0a 00 02 0f
TCP-H data: 01 bb db 36 00 12 8e 01 0f 2c 48 1f 60 12 ff ff 5b 8a 00 00 02 04 05 b4
Filter out port 22
# ipscap --condition="port!=22"
# ipscap --exclude_ssh
Filter port range
# ipscap --condition="port>=10000"
# ipscap --condition="port>=25; port <=3306"
Filter by destination port only
# ipscap --condition="dest_port=80"
Filter by source port only
# ipscap --condition="src_port=80"
Find and Find mode¶
TEXT
# ipscap --find="HTTP"
MATCH
# ipscap --find="http" --find_mode=MATCH
BINARY
# ipscap --find="\x05yahoo\x03com" --find_mode=BINARY --port=53
HEX
# ipscap --find="45 00 00 37" --find_mode=HEX
Filter protocol¶
UDP
# ipscap --protocol=UDP
ICMP
# ipscap --protocol=ICMP
TCP & ICMP
# ipscap --protocol="TCP,ICMP"
ALL
# ipscap --protocol=ALL
Condition¶
# ipscap --condition="port!=22"
# ipscap --condition="client_port=80"
# ipscap --condition="src_port=80;dest_port<=30000;ttl=64"
# ipscap --condition="flags=SYN,PSH"
# ipscap --condition="sack=1;window>1000"
# ipscap --condition="wscale>1"
Tracking¶
# ipscap --find="HTTP" --tracking
Time: 2025-01-12 22:42:42.3306 / ~~~~~~~~~.3306, Passage number: 1
IP header: Version: 4, IP header length: 20, Total length: 114, TTL: 64, IP protocol: TCP[6]
TCP header: TCP header length: 20, Sequence: 3663095182, Acknowledgement: 1344002, Window: 29200, Flags: ['PSH', 'ACK']
TCP options: -
Source: IP: 10.0.2.15 Port: 60694
Destination: IP: 142.251.222.14 Port: 80
Direction: SEND [ >>> ]
Data length: 74 byte
IP-H data: 45 00 00 72 eb 76 40 00 40 06 d5 f6 0a 00 02 0f 8e fb de 0e
TCP-H data: ed 16 00 50 da 56 65 8e 00 14 82 02 50 18 72 10 79 7d 00 00
GET / HTTP/1.1
User-Agent: curl/7.29.0
Host: google.com
Accept: */*
Time: 2025-01-12 22:42:42.3315 / ~~~~~~~~~.3315, Passage number: 1
IP header: Version: 4, IP header length: 20, Total length: 40, TTL: 64, IP protocol: TCP[6]
TCP header: TCP header length: 20, Sequence: 1344002, Acknowledgement: 3663095256, Window: 65535, Flags: ['ACK']
TCP options: -
Source: IP: 142.251.222.14 Port: 80
Destination: IP: 10.0.2.15 Port: 60694
Direction: RECEIVE [ <<< ]
Data length: 6 byte
IP-H data: 45 00 00 28 00 4c 00 00 40 06 01 6c 8e fb de 0e 0a 00 02 0f
TCP-H data: 00 50 ed 16 00 14 82 02 da 56 65 d8 50 10 ff ff 87 0f 00 00
Time: 2025-01-12 22:42:42.4078 / ~~~~~~~~~.4078, Passage number: 2
IP header: Version: 4, IP header length: 20, Total length: 813, TTL: 64, IP protocol: TCP[6]
TCP header: TCP header length: 20, Sequence: 1344002, Acknowledgement: 3663095256, Window: 65535, Flags: ['PSH', 'ACK']
TCP options: -
Source: IP: 142.251.222.14 Port: 80
Destination: IP: 10.0.2.15 Port: 60694
Direction: RECEIVE [ <<< ]
Data length: 773 byte
IP-H data: 45 00 03 2d 00 4d 00 00 40 06 fe 65 8e fb de 0e 0a 00 02 0f
TCP-H data: 00 50 ed 16 00 14 82 02 da 56 65 d8 50 18 ff ff fc 38 00 00
HTTP/1.1 301 Moved Permanently
Location: http://www.google.com/
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-87RMr0fpufi3bqueM4np7A' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Sun, 12 Jan 2025 13:42:34 GMT
Expires: Tue, 11 Feb 2025 13:42:34 GMT
Cache-Control: public, max-age=2592000
Server: gws
Content-Length: 219
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>
Time: 2025-01-12 22:42:42.4083 / ~~~~~~~~~.4083, Passage number: 2
IP header: Version: 4, IP header length: 20, Total length: 40, TTL: 64, IP protocol: TCP[6]
TCP header: TCP header length: 20, Sequence: 3663095256, Acknowledgement: 1344775, Window: 30147, Flags: ['ACK']
TCP options: -
Source: IP: 10.0.2.15 Port: 60694
Destination: IP: 142.251.222.14 Port: 80
Direction: SEND [ >>> ]
Data length: 0 byte
IP-H data: 45 00 00 28 eb 77 40 00 40 06 d6 3f 0a 00 02 0f 8e fb de 0e
TCP-H data: ed 16 00 50 da 56 65 d8 00 14 85 07 50 10 75 c3 79 33 00 00
Output mode¶
NONE
# ipscap --port=80 --output=NONE
> Nothing is displayed.
HEADER
# ipscap --port=80 --output=HEADER
Time: 2025-01-12 22:54:09.7662 / ~~~~~~~~~~.7662, Passage number: 3
IP header: Version: 4, IP header length: 20, Total length: 114, TTL: 64, IP protocol: TCP[6]
TCP header: TCP header length: 20, Sequence: 133034702, Acknowledgement: 1600002, Window: 29200, Flags: ['PSH', 'ACK']
TCP options: -
Source: IP: 10.0.2.15 Port: 60698
Destination: IP: 142.251.222.14 Port: 80
Direction: SEND [ >>> ]
Data length: 74 byte
IP-H data: 45 00 00 72 fe 8b 40 00 40 06 c2 e1 0a 00 02 0f 8e fb de 0e
TCP-H data: ed 1a 00 50 07 ed f2 ce 00 18 6a 02 50 18 72 10 79 7d 00 00
Time: 2025-01-12 22:54:09.7679 / ~~~~~~~~~~.7679, Passage number: 2
IP header: Version: 4, IP header length: 20, Total length: 40, TTL: 64, IP protocol: TCP[6]
TCP header: TCP header length: 20, Sequence: 1600002, Acknowledgement: 133034776, Window: 65535, Flags: ['ACK']
TCP options: -
Source: IP: 142.251.222.14 Port: 80
Destination: IP: 10.0.2.15 Port: 60698
Direction: RECEIVE [ <<< ]
Data length: 6 byte
IP-H data: 45 00 00 28 00 5a 00 00 40 06 01 5e 8e fb de 0e 0a 00 02 0f
TCP-H data: 00 50 ed 1a 00 18 6a 02 07 ed f3 18 50 10 ff ff e4 30 00 00
BINARY
# ipscap --port=80 --output=BINARY
Time: 2025-01-12 22:55:07.3860 / ~~~~~~~~~~.3860, Passage number: 3
IP header: Version: 4, IP header length: 20, Total length: 114, TTL: 64, IP protocol: TCP[6]
TCP header: TCP header length: 20, Sequence: 231131098, Acknowledgement: 1728002, Window: 29200, Flags: ['PSH', 'ACK']
TCP options: -
Source: IP: 10.0.2.15 Port: 60700
Destination: IP: 142.251.222.14 Port: 80
Direction: SEND [ >>> ]
Data length: 74 byte
IP-H data: 45 00 00 72 2a 86 40 00 40 06 96 e7 0a 00 02 0f 8e fb de 0e
TCP-H data: ed 1c 00 50 0d c6 c7 da 00 1a 5e 02 50 18 72 10 79 7d 00 00
b'GET / HTTP/1.1\r\nUser-Agent: curl/7.29.0\r\nHost: google.com\r\nAccept: */*\r\n\r\n'
HEX
# ipscap --port=80 --output=HEX
Time: 2025-01-12 22:54:09.7662 / ~~~~~~~~~~.7662, Passage number: 3
IP header: Version: 4, IP header length: 20, Total length: 114, TTL: 64, IP protocol: TCP[6]
TCP header: TCP header length: 20, Sequence: 133034702, Acknowledgement: 1600002, Window: 29200, Flags: ['PSH', 'ACK']
TCP options: -
Source: IP: 10.0.2.15 Port: 60698
Destination: IP: 142.251.222.14 Port: 80
Direction: SEND [ >>> ]
Data length: 74 byte
IP-H data: 45 00 00 72 fe 8b 40 00 40 06 c2 e1 0a 00 02 0f 8e fb de 0e
TCP-H data: ed 1a 00 50 07 ed f2 ce 00 18 6a 02 50 18 72 10 79 7d 00 00
47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 63 75 72 6c 2f 37 2e 32 39 2e 30 0d 0a 48 6f 73 74 3a 20 67 6f 6f 67 6c 65 2e 63 6f 6d 0d 0a 41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 0d 0a
Time: 2025-01-12 22:54:09.7679 / ~~~~~~~~~~.7679, Passage number: 2
IP header: Version: 4, IP header length: 20, Total length: 40, TTL: 64, IP protocol: TCP[6]
TCP header: TCP header length: 20, Sequence: 160002, Acknowledgement: 133034776, Window: 65535, Flags: ['ACK']
TCP options: -
Source: IP: 142.251.222.14 Port: 80
Destination: IP: 10.0.2.15 Port: 60698
Direction: RECEIVE [ <<< ]
Data length: 6 byte
IP-H data: 45 00 00 28 00 5a 00 00 40 06 01 5e 8e fb de 0e 0a 00 02 0f
TCP-H data: 00 50 ed 1a 00 18 6a 02 07 ed f3 18 50 10 ff ff e4 30 00 00
00 00 00 00 00 00
BASE64
# ipscap --port=80 --output=BASE64
Time: 2025-01-22 22:55:07.3860 / ~~~~~~~~~~.2860, Passage number: 3
IP header: Version: 4, IP header length: 20, Total length: 114, TTL: 64, IP protocol: TCP[6]
TCP header: TCP header length: 20, Sequence: 1098, Acknowledgement: 28002, Window: 29200, Flags: ['PSH', 'ACK']
TCP options: -
Source: IP: 10.0.2.15 Port: 60700
Destination: IP: 142.251.222.14 Port: 80
Direction: SEND [ >>> ]
Data length: 74 byte
IP-H data: 45 00 00 72 2a 86 40 00 40 06 96 e7 0a 00 02 0f 8e fb de 0e
TCP-H data: ed 1c 00 50 0d c6 c7 da 00 1a 5e 02 50 18 72 10 79 7d 00 00
SFRUUC8xLjEgMzAxIE1vdmVkIFBlcm1hbmVudGx5DQpMb2NhdGlvbjogaHR0cDovL3d3dy5nb29nb ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Ij5oZXJlPC9BPi4NCjwvQk9EWT48L0hUTUw+DQo=
LINE
# ipscap --port=80 --output=LINE
2025-01-11 22:57:43.6990, 1, 4, 20, 64, 60, TCP, 40, 2193112253, 0, 29200, ['SYN'], 0, 10.0.2.15:60702, 142.251.222.14:80, SEND, mss:1460;sack;timestamp:601968655;nop;wscale:7
2025-01-11 22:57:43.7241, 1, 4, 20, 64, 44, TCP, 24, 1856001, 2193112254, 65535, ['SYN', 'ACK'], 2, 142.251.222.14:80, 10.0.2.15:60702, RECEIVE, mss:1460
2025-01-11 22:57:43.7244, 2, 4, 20, 64, 40, TCP, 20, 2193112254, 1856002, 29200, ['ACK'], 0, 10.0.2.15:60702, 142.251.222.14:80, SEND, -
2025-01-11 22:57:43.7251, 3, 4, 20, 64, 114, TCP, 20, 2193112254, 1856002, 29200, ['PSH', 'ACK'], 74, 10.0.2.15:60702, 142.251.222.14:80, SEND, -
2025-01-11 22:57:43.7253, 2, 4, 20, 64, 40, TCP, 20, 1856002, 2193112328, 65535, ['ACK'], 6, 142.251.222.14:80, 10.0.2.15:60702, RECEIVE, -
2025-01-11 22:57:43.8116, 3, 4, 20, 64, 813, TCP, 20, 1856002, 2193112328, 65535, ['PSH', 'ACK'], 773, 142.251.222.14:80, 10.0.2.15:60702, RECEIVE, -
2025-01-11 22:57:43.8122, 4, 4, 20, 64, 40, TCP, 20, 2193112328, 1856775, 30147, ['ACK'], 0, 10.0.2.15:60702, 142.251.222.14:80, SEND, -
2025-01-11 22:57:43.8126, 5, 4, 20, 64, 40, TCP, 20, 2193112328, 1856775, 30147, ['FIN', 'ACK'], 0, 10.0.2.15:60702, 142.251.222.14:80, SEND, -
2025-01-11 22:57:43.8139, 4, 4, 20, 64, 40, TCP, 20, 1856775, 2193112329, 65535, ['ACK'], 6, 142.251.222.14:80, 10.0.2.15:60702, RECEIVE, -
2025-01-11 22:57:43.8341, 5, 4, 20, 64, 40, TCP, 20, 1856775, 2193112329, 65535, ['FIN', 'ACK'], 6, 142.251.222.14:80, 10.0.2.15:60702, RECEIVE, -
2025-01-11 22:57:43.8344, 6, 4, 20, 64, 40, TCP, 20, 2193112329, 1856776, 30147, ['ACK'], 0, 10.0.2.15:60702, 142.251.222.14:80, SEND, -
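The `LINE` output above is compact enough to keep and re-filter later. The following added example (not ipscap's own code) parses such records and applies a filter written in the `--condition` syntax from the Condition section, so a saved capture can be re-examined offline with the same expressions. The column order, and the semantics of `port`, `flags=` and option names such as `sack` and `wscale`, are assumptions inferred from this page's examples, not documented ipscap behaviour.

```python
import re

# Constructed sample in the page's `--output=LINE` format (SYN, SYN/ACK, HTTP request from above).
LINES = """\
2025-01-11 22:57:43.6990, 1, 4, 20, 64, 60, TCP, 40, 2193112253, 0, 29200, ['SYN'], 0, 10.0.2.15:60702, 142.251.222.14:80, SEND, mss:1460;sack;timestamp:601968655;nop;wscale:7
2025-01-11 22:57:43.7241, 1, 4, 20, 64, 44, TCP, 24, 1856001, 2193112254, 65535, ['SYN', 'ACK'], 2, 142.251.222.14:80, 10.0.2.15:60702, RECEIVE, mss:1460
2025-01-11 22:57:43.7251, 3, 4, 20, 64, 114, TCP, 20, 2193112254, 1856002, 29200, ['PSH', 'ACK'], 74, 10.0.2.15:60702, 142.251.222.14:80, SEND, -
"""
# Column order is assumed from the verbose dump format shown earlier on the page.
COLUMNS = ("time", "passage", "version", "ihl", "ttl", "total_length", "protocol", "tcp_hlen",
           "seq", "ack", "window", "flags", "data_length", "src", "dst", "direction", "options")
OPS = {"!=": lambda a, b: a != b, ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       "=": lambda a, b: a == b, ">": lambda a, b: a > b, "<": lambda a, b: a < b}

def parse_line(line):
    """Split one LINE record; the flags list itself contains commas, so it is cut out first."""
    m = re.search(r"\[[^\]]*\]", line)
    parts = [p.strip() for p in (line[:m.start()] + "FLAGS" + line[m.end():]).split(",")]
    rec = dict(zip(COLUMNS, parts))
    rec["flags"] = [f.strip("' ") for f in m.group(0)[1:-1].split(",") if f.strip("' ")]
    for k in ("ttl", "total_length", "window", "data_length"):
        rec[k] = int(rec[k])
    rec["src_port"] = int(rec["src"].rsplit(":", 1)[1])
    rec["dest_port"] = int(rec["dst"].rsplit(":", 1)[1])
    rec["opts"] = {}  # TCP options: "wscale:7" -> 7, bare "sack" -> 1, "-" -> nothing
    for name, _, val in (o.partition(":") for o in rec["options"].split(";")):
        if name != "-":
            rec["opts"][name] = int(val) if val else 1
    return rec

def term_matches(rec, term):
    """One `field<op>value` term. Assumed: `port` tests both endpoints (neither may match for
    `!=`); `flags=A,B` matches any listed flag; sack/wscale/mss read TCP options (0 if absent)."""
    m = re.fullmatch(r"\s*(\w+)\s*(!=|>=|<=|=|>|<)\s*(\S+)\s*", term)
    if not m:
        raise ValueError(f"bad condition term: {term!r}")
    field, op, value = m.groups()
    if field == "flags":
        return bool(set(value.upper().split(",")) & set(rec["flags"]))
    value = int(value)
    if field == "port":
        hits = [OPS[op](p, value) for p in (rec["src_port"], rec["dest_port"])]
        return all(hits) if op == "!=" else any(hits)
    if isinstance(rec.get(field), int):  # ttl, window, src_port, dest_port, ...
        return OPS[op](rec[field], value)
    return OPS[op](rec["opts"].get(field, 0), value)

def select(text, condition):  # ';' separates terms that are ANDed, as in the page's examples
    terms = [t for t in condition.split(";") if t.strip()]
    return [r for r in map(parse_line, text.splitlines()) if all(term_matches(r, t) for t in terms)]
```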
Dumpfile¶
# ipscap --port=80 --dumpfile=1
~~~~~~~~~~
************************************************************************************************************************
Captured Dump Logs
************************************************************************************************************************
Path: /path/dump_logs/
Files: 4
# ls -la ./dump_logs/
total 20
drwxr-xr-x 2 root root 228 Jan 10 23:03 .
dr-xr-x---. 19 root root 4096 Jan 10 23:03 ..
-rw-r--r-- 1 root root 773 Jan 10 23:03 tcp_10.0.2.15_60704_142.251.222.14_80_receive.dat
-rw-r--r-- 1 root root 74 Jan 10 23:03 tcp_10.0.2.15_60704_142.251.222.14_80_send.dat
-rw-r--r-- 1 root root 773 Jan 10 23:03 tcp_10.0.2.15_60706_142.251.222.14_80_receive.dat
-rw-r--r-- 1 root root 74 Jan 10 23:03 tcp_10.0.2.15_60706_142.251.222.14_80_send.dat
Grouping in statistics¶
# ipscap --port=80 --stat_group=1
~~~~~~~~~~~~~
*The following is the statistics for captured transfers only. If you'd like see to the statistics for all transfers, set`--stat_mode=2` option.
[TCP] 10.0.2.15 <-> 142.251.42.206 Port: 80
SEND: num: 18, unique: 3, size: 222
RECEIVE: num: 15, unique: 3, size: 2379
GROUPS: 3
[TCP] 10.0.2.15 <-> 142.250.199.110 Port: 80
SEND: num: 6, unique: 1, size: 74
RECEIVE: num: 5, unique: 1, size: 793
GROUPS: 1
[TCP] 10.0.2.15 <-> 142.251.222.14 Port: 80
SEND: num: 6, unique: 1, size: 74
RECEIVE: num: 5, unique: 1, size: 793
GROUPS: 1
Timeout¶
# ipscap --port=80 --timeout=10
Start capture packets...
`--timeout` option is enabled. The capture will stop 10.0 seconds automatically.