Security Decoder
Paste anything suspicious — JWT, hash, URL, domain, IP, PowerShell, JavaScript, email header, HTTP request, HTTP headers, Base64, hex, URL-encoded strings, log lines, and more. Format is detected automatically. All analysis is local — nothing leaves your browser.
Frequently asked questions
- How do I decode a JWT token online?
- Paste your JWT into the input and click Analyze. The tool auto-detects it, decodes header and payload, checks the algorithm (including dangerous
alg:none), validates expiry, and flags security issues — all locally in your browser. - How do I identify what type of hash I have?
- Paste the hash string. Security Decoder identifies MD5, SHA-1/224/256/384/512, NTLM, bcrypt, and argon2 by length and format. Includes a direct VirusTotal lookup link for file hashes.
- How do I decode a PowerShell encoded command?
- Paste the full command (e.g.
powershell -enc ...). The tool Base64-decodes the payload, reconstructs the script, and flags download cradles, LOLBins, AMSI bypass attempts, and obfuscation. - How do I analyze a suspicious phishing URL?
- Paste the URL. The analyzer checks for homoglyph characters, brand impersonation, tracking parameters, open redirects, and injection patterns — no server involved.
- Is it safe to paste sensitive data?
- Yes. All analysis is client-side JavaScript — nothing is sent to any server or stored. Shareable links use hash fragments (
#q=), which are never sent in HTTP requests or Referer headers.
Supported formats
Drop your log file here
or
CSV · JSON · NDJSON – max 50 MB
Supported log sources
Detection capabilities
Your browser doesn't support WebGPU — AI analysis requires Chrome 113+ or Edge 113+.
Copied! Paste it in claude.aiWhat gets checked
No patterns match your search.
ps aux Lists all running processes with owner, PID, CPU%, memory%, and full command line.
Example & explanation
ps aux | grep -v grep | grep -i 'python\|nc\|bash\|sh' Filters for common reverse shell or C2 tools. Remove -v grep to include all matches.
ps auxf Process tree view — shows parent-child relationships with indentation. Critical for tracing how a process was spawned.
Example & explanation
ps auxf | grep -A5 apache Shows apache and its child processes. A web server spawning a shell (sh, bash) is a classic webshell indicator.
ps aux --sort=-%cpu | head -20 Top 20 processes by CPU usage, highest first.
Example & explanation
ps aux --sort=-%cpu | head -20 Crypto miners, brute force tools and active reverse shells typically consume high CPU. Check owner column too — root-owned unknown processes are suspicious.
ls -la /proc/<PID>/exe Shows the real binary path a process is running from. Works even if the attacker renamed the process.
Example & explanation
ls -la /proc/1337/exe If exe points to /tmp/, /dev/shm/ or a deleted file (e.g. /tmp/evil (deleted)), that's a strong IOC. Combine with: cat /proc/1337/cmdline | tr '\0' ' '
cat /proc/<PID>/cmdline | tr '\0' ' ' Prints the full command line of a process including all arguments. Null bytes are replaced with spaces for readability.
Example & explanation
cat /proc/1337/cmdline | tr '\0' ' ' Reveals full arguments that ps may truncate. Useful for seeing encoded payloads passed as arguments to python, perl, bash etc.
ss -tulpn Lists all listening TCP/UDP ports with the process name and PID that owns each socket. Faster and more reliable than netstat.
Example & explanation
ss -tulpn | grep -v '127.0.0.1\|::1' Filters out localhost-only listeners, leaving only externally accessible ports. Unexpected listening ports (e.g. 4444, 31337) = likely backdoor.
ss -tapn | grep ESTABLISHED Shows all currently active (ESTABLISHED) TCP connections with process names and PIDs.
Example & explanation
ss -tapn | grep ESTABLISHED | awk '{print $5, $6}' | sort -u Prints remote IP:port + process. Look for connections to unusual IPs on ports like 4444, 1234, 8888 or unexpected outbound 443/80.
lsof -i Lists all open network connections across all processes. Correlates process, user, PID, protocol and remote address in one view.
Example & explanation
lsof -i TCP | grep -v LISTEN | grep -v '127.0.0' Shows established outbound TCP connections. The COMMAND column shows the process name — look for shells, scripting languages or unusual binaries making network calls.
lsof -i :<port> Shows which process owns a specific port — both listening and connected.
Example & explanation
lsof -i :4444 Port 4444 is Metasploit's default. Also check 1234, 31337, 8888, 9001 (Tor). If a process owns an unexpected port, note the PID and trace it with /proc/<PID>/exe.
ip route show Displays the routing table. Reveals unexpected routes that may indicate pivoting or traffic redirection.
Example & explanation
ip route show && ip rule show Attackers may add routes for lateral movement. Check for unexpected host routes or policy routing rules (ip rule show) that redirect traffic.
ss -tapn | grep -v '127.\|::1' | awk 'NR>1 && $1=="ESTAB"' One-liner: all external ESTABLISHED connections, skipping loopback. Clean output for rapid triage.
Example & explanation
ss -tapn | grep ESTAB | grep -v '127\|::1' | column -t column -t makes output readable. Look at the 5th column (remote address) — any unexpected public IPs with unusual ports are worth investigating.
find / -mtime -1 -type f 2>/dev/null Finds all files modified in the last 24 hours across the entire filesystem. The 2>/dev/null suppresses permission errors.
Example & explanation
find /etc /var /tmp /home /root -mtime -1 -type f 2>/dev/null | head -50 Narrow to interesting directories first. New files in /tmp, /var/www, /dev/shm or config changes in /etc are high priority.
ls -la /tmp/ /var/tmp/ /dev/shm/ Lists world-writable directories commonly used by attackers to stage payloads. These survive across processes but not always reboots.
Example & explanation
ls -lat /tmp/ /var/tmp/ /dev/shm/ | head -30 -t sorts by modification time, newest first. Executables in these directories are almost always malicious.
find / -perm -4000 -type f 2>/dev/null Finds all SUID binaries. SUID means the binary runs as its owner (often root) regardless of who executes it — a common privilege escalation vector.
Example & explanation
find / -perm -4000 -type f 2>/dev/null | sort Compare output against a known-good baseline. New or unexpected SUID binaries (especially in /tmp or /home) = likely backdoor or privesc tool.
lsof +L1 Lists open file descriptors with a link count less than 1 — i.e. files that have been deleted from disk but are still being read/written by a running process.
Example & explanation
lsof +L1 | grep -v '/proc\|/dev' Malware often deletes itself after launch to hide from file system scans while remaining in memory. lsof +L1 reveals these ghost processes.
find / -name '*.php' -newer /etc/passwd 2>/dev/null Finds PHP files newer than /etc/passwd — a quick webshell hunt using a stable reference timestamp.
Example & explanation
find /var/www -name '*.php' -newer /etc/passwd 2>/dev/null Replace .php with .jsp, .aspx, .py depending on the web stack. Check content of matches with: grep -l 'eval\|system\|exec\|passthru' <files>
w Shows currently logged-in users, their source IP/terminal, login time, idle time and what command they are running right now.
Example & explanation
w The FROM column shows the originating IP. An unexpected IP or an unusual command in the WHAT column (e.g. bash, nc, python) warrants immediate investigation.
last -n 50 Shows the 50 most recent login and logout events from /var/log/wtmp, including source IP, login time and duration.
Example & explanation
last -n 50 | grep -v 'reboot\|wtmp' Look for logins at unusual hours, from unknown IPs, or very short sessions (may indicate scripted access). last -F shows full timestamps.
lastb Shows failed login attempts from /var/log/btmp. Requires root access.
Example & explanation
lastb | awk '{print $3}' | sort | uniq -c | sort -rn | head -20 Counts failed attempts per IP address. High counts from a single IP = brute force. Many different IPs = credential stuffing or distributed spray.
cat ~/.bash_history Reads the bash command history for the current user. Attackers often forget to clear this or it may be partially cleared.
Example & explanation
cat /root/.bash_history; for u in /home/*; do echo "=== $u ==="; cat $u/.bash_history 2>/dev/null; done Check all users' history. Look for: wget/curl to external IPs, base64-encoded commands, nc/ncat/socat, python -c, privilege escalation commands.
grep ':0:' /etc/passwd Finds all accounts with UID 0 (root-level privilege). There should only be one: root itself.
Example & explanation
awk -F: '$3==0 {print $1, $3, $6, $7}' /etc/passwd Any UID 0 account other than root is a backdoor. Also check for accounts with no password (empty field 2 in /etc/shadow) or shell set to /bin/bash for service accounts.
crontab -l Lists the current user's cron jobs. Run as root to see root's cron. Common persistence mechanism.
Example & explanation
for u in $(cut -d: -f1 /etc/passwd); do echo "=== $u ==="; crontab -l -u $u 2>/dev/null; done Iterates all users' crontabs. Malicious entries often contain curl/wget to a C2, base64-encoded commands, or run scripts from /tmp.
ls -la /etc/cron.d/ /etc/cron.daily/ /etc/cron.hourly/ /etc/cron.weekly/ Lists all system-wide cron jobs. Attackers with root access may drop files here for persistence.
Example & explanation
grep -r 'wget\|curl\|bash\|python\|nc\|/tmp' /etc/cron* 2>/dev/null Searches all cron config files for suspicious commands. Any entry pulling a script from the internet or running from /tmp is suspicious.
systemctl list-unit-files --type=service | grep enabled Lists all enabled systemd services — these start automatically on boot. A common persistence method is creating a malicious .service file.
Example & explanation
systemctl list-unit-files --type=service | grep enabled | grep -v '/lib/systemd\|/usr/lib' Look for services with unusual names or those in non-standard paths. Examine suspicious ones with: systemctl cat <service-name>
cat /etc/rc.local Legacy init script that runs at boot. Still present on many systems. Simple place to add persistent commands.
Example & explanation
cat /etc/rc.local; ls -la /etc/rc*.d/ 2>/dev/null Check for wget, curl, bash -i or similar. Also check /etc/init.d/ for custom init scripts.
grep 'Failed password' /var/log/auth.log | tail -50 Shows the 50 most recent failed SSH password authentication attempts.
Example & explanation
grep 'Failed password' /var/log/auth.log | grep -oP 'from \K[\d.]+' | sort | uniq -c | sort -rn | head -20 Extracts and counts source IPs. 10+ failures from one IP = brute force. Multiple IPs with few attempts each = credential spray or stuffing attack.
grep 'Accepted' /var/log/auth.log | tail -50 Shows successful SSH logins. After a brute force, check when the first Accepted login occurred from the attacking IP.
Example & explanation
grep 'Accepted' /var/log/auth.log | awk '{print $1,$2,$3,$9,$11}' | tail -30 Columns: month day time user source-IP. Cross-reference successful logins against known IPs and expected accounts.
journalctl -f Follows all systemd journal logs in real time — equivalent to tail -f but for the entire system.
Example & explanation
journalctl -f -p warning Adding -p warning filters to only show warnings and above (warning, error, critical, alert, emergency). Useful during live incident response to monitor what's happening now.
journalctl --since '1 hour ago' Shows all logs from the past hour. Use --since and --until for specific time windows.
Example & explanation
journalctl --since '2024-03-01 02:00:00' --until '2024-03-01 04:00:00' -p err Adjust the time window to match the suspected incident time. Adding -p err limits to errors. --output=json-pretty for machine-readable output.
grep 'sudo:' /var/log/auth.log | grep 'COMMAND' Shows all sudo command executions — who ran what as root and when.
Example & explanation
grep 'sudo:' /var/log/auth.log | grep 'COMMAND' | tail -30 Look for unusual commands, especially run by service accounts or web users. Privilege escalation often involves sudo -l then exploiting a permitted command.
uname -a Prints kernel version, hostname, OS and architecture. Use to identify the system and check for known kernel exploits.
Example & explanation
uname -a && cat /etc/os-release Cross-reference the kernel version against exploit databases. Old kernels (Linux 3.x, 4.x without patches) are commonly exploited for privilege escalation.
dmesg | grep -i 'error\|fail\|exploit\|attack' Searches kernel ring buffer for errors and anomalies. Can reveal hardware issues, driver problems or kernel-level exploits.
Example & explanation
dmesg | tail -100 Look for segfaults (possible exploit attempts), OOM killer events (may indicate resource exhaustion from malware), and unexpected USB device connections.
Get-Process | Select-Object Name, Id, Path, CPU | Sort-Object CPU -Descending Lists all processes with full binary path and CPU usage, sorted highest first. PowerShell equivalent of Task Manager.
Example & explanation
Get-Process | Select-Object Name, Id, Path, CPU | Sort-Object CPU -Descending | Where-Object {$_.Path -notlike '*System32*' -and $_.Path -ne $null} Filters out System32 processes to focus on non-Microsoft binaries. Processes with no Path are likely system kernel threads. Note processes running from unusual locations like C:\Users\, AppData or Temp.
Get-WmiObject Win32_Process | Select-Object Name, ProcessId, ExecutablePath, CommandLine Gets full command line for all processes including arguments. WMI provides more detail than Get-Process.
Example & explanation
Get-WmiObject Win32_Process | Where-Object {$_.CommandLine -match 'encoded|bypass|hidden|downloadstring|iex'} | Select-Object Name, ProcessId, CommandLine Searches for common PowerShell attack keywords in command lines. -enc/-encoded = base64 payload, bypass = AMSI/execution policy bypass, IEX/Invoke-Expression = code execution.
tasklist /v /fo csv Classic cmd.exe command listing all processes with verbose info in CSV format. Works without PowerShell.
Example & explanation
tasklist /svc /svc shows which Windows services are hosted in each svchost.exe instance. Multiple unusual services under one svchost is a red flag.
Get-NetTCPConnection -State Established | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess Lists all established TCP connections with PIDs. No process names — use OwningProcess to correlate with Get-Process.
Example & explanation
Get-NetTCPConnection -State Established | Where-Object {$_.RemoteAddress -notmatch '^(127\.|10\.|192\.168\.|172\.1[6-9]\.|172\.2[0-9]\.|172\.3[01]\.|::1)'} | Select-Object RemoteAddress, RemotePort, OwningProcess, @{n='Process';e={(Get-Process -Id $_.OwningProcess -EA SilentlyContinue).Name}} Filters out RFC1918 (private) addresses and adds process name. Remaining connections are to public IPs — review any on unusual ports.
netstat -b -n -o Classic netstat with: -b (executable name), -n (numeric IPs, no DNS), -o (PID). Works in cmd.exe without PowerShell.
Example & explanation
netstat -b -n -o | findstr ESTABLISHED findstr filters to established connections. PID in last column — cross-reference with tasklist. Requires elevated (admin) prompt for -b flag.
Get-DnsClientCache | Select-Object Entry, Data, Type Shows the local DNS cache — all domains the machine has resolved recently. Reveals communication attempts even if connections are already closed.
Example & explanation
Get-DnsClientCache | Where-Object {$_.Type -eq 1} | Select-Object Entry, Data | Sort-Object Entry Type 1 = A records (IPv4). Look for DGA-style domains (random characters), known C2 domains, or unexpected cloud services. Cache survives connection closure.
Get-NetTCPConnection -State Listen | Select-Object LocalPort, OwningProcess, @{n='Process';e={(Get-Process -Id $_.OwningProcess).Name}} Lists all listening ports with process names. Quickly identifies unexpected bind shells or backdoor listeners.
Example & explanation
Get-NetTCPConnection -State Listen | Select-Object LocalPort, OwningProcess, @{n='Process';e={(Get-Process -Id $_.OwningProcess -EA SilentlyContinue).Name}} | Sort-Object LocalPort Sort by port for easier review. Look for: high numbered ports (4444, 1234, 9001) owned by powershell.exe or cmd.exe, or standard ports (80, 443) owned by unexpected processes.
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet Lists all local user accounts with status and last logon time. Reveals newly created accounts or dormant accounts that were re-enabled.
Example & explanation
Get-LocalUser | Where-Object {$_.Enabled -eq $true} | Select-Object Name, LastLogon, PasswordLastSet | Sort-Object LastLogon -Descending Focus on enabled accounts. A new account with a recent PasswordLastSet and no LastLogon is suspicious. Compare against expected user list.
Get-LocalGroupMember -Group 'Administrators' Lists all members of the local Administrators group. Attackers commonly add their backdoor account here.
Example & explanation
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource, ObjectClass PrincipalSource shows Local vs. ActiveDirectory. Unexpected local accounts or domain accounts in this group are high-severity findings.
query user Shows currently logged-on users, their session ID, state (Active/Disc) and idle time. Works in cmd.exe.
Example & explanation
query user && query session Disc (disconnected) sessions can still be active. An attacker may have a disconnected RDP session. query session shows all sessions including services.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 50 Retrieves the 50 most recent successful logon events (Event ID 4624). The most important event for tracking authentication.
Example & explanation
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 100 | Select-Object TimeCreated, @{n='User';e={$_.Properties[5].Value}}, @{n='LogonType';e={$_.Properties[8].Value}}, @{n='Source IP';e={$_.Properties[18].Value}} | Where-Object {$_.'Source IP' -ne '-' -and $_.'Source IP' -ne '::1'} | Format-Table -AutoSize LogonType 3=Network (SMB/file share), 10=RemoteInteractive (RDP), 8=NetworkCleartext (plain-text password over network). Filter for type 10 to find RDP logins.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 100 Failed logon events (Event ID 4625). Essential for detecting brute force and credential spray attacks.
Example & explanation
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 1000 | Group-Object {$_.Properties[5].Value} | Sort-Object Count -Descending | Select-Object Count, Name | Head 20 Groups by target username and counts failures. Many failures against one account = brute force. Few failures across many accounts = password spray.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} -MaxEvents 50 Process creation events (Event ID 4688). Requires process auditing to be enabled. Shows what processes were launched, by whom, and from where.
Example & explanation
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} -MaxEvents 200 | Select-Object TimeCreated, @{n='Process';e={$_.Properties[5].Value}}, @{n='Parent';e={$_.Properties[13].Value}}, @{n='User';e={$_.Properties[1].Value}} | Where-Object {$_.Process -match 'powershell|cmd|wscript|cscript|mshta|rundll32|regsvr32'} | Format-Table Filters for LOLBins (Living Off the Land Binaries) — legitimate Windows tools commonly abused by attackers. Focus on unusual parent processes (e.g. Word spawning PowerShell).
Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045} -MaxEvents 20 New service installation events (Event ID 7045). Attackers install malicious services for persistence and lateral movement (e.g. PsExec, Cobalt Strike).
Example & explanation
Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045} -MaxEvents 20 | Select-Object TimeCreated, @{n='Service';e={$_.Properties[0].Value}}, @{n='Path';e={$_.Properties[1].Value}}, @{n='Account';e={$_.Properties[4].Value}} Suspicious paths: services in C:\Users\, C:\Windows\Temp, C:\ProgramData. PsExec installs PSEXESVC. Check the account — LocalSystem is standard but unexpected accounts are suspicious.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102} -MaxEvents 5 Security audit log cleared (Event ID 1102). This is a critical indicator of compromise — attackers clear logs to hide evidence.
Example & explanation
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102} -MaxEvents 5; Get-WinEvent -FilterHashtable @{LogName='System'; Id=104} -MaxEvents 5 ID 1102 = Security log cleared. ID 104 = System log cleared. The event captures WHO cleared the log (user account). Any log clearing during an incident is highly suspicious.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4698} -MaxEvents 10 Scheduled task creation (Event ID 4698). Scheduled tasks are a primary persistence mechanism on Windows.
Example & explanation
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4698} -MaxEvents 20 | Select-Object TimeCreated, @{n='TaskName';e={$_.Properties[0].Value}}, @{n='User';e={$_.Properties[4].Value}} Check task names for suspicious patterns. Correlate with Get-ScheduledTask to see current state. Attackers often use random or system-like names to blend in.
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Queries the HKLM Run key — programs listed here start for ALL users at logon. Classic persistence location.
Example & explanation
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Check both HKLM (all users) and HKCU (current user). Look for entries pointing to %TEMP%, AppData, unusual paths or with encoded commands.
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ImagePath Lists ImagePath values for all registered services. Reveals services pointing to unusual binaries.
Example & explanation
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\*' | Where-Object {$_.ImagePath -match 'temp|users|appdata'} | Select-Object PSChildName, ImagePath PowerShell version filters for services running from suspicious paths. Legitimate services run from System32, Program Files or well-known vendor paths.
Get-WmiObject Win32_Service | Where-Object {$_.State -eq 'Running'} | Select-Object Name, PathName, StartMode, StartName Lists all running services with their binary path and the account they run as. WMI provides full paths unlike Get-Service.
Example & explanation
Get-WmiObject Win32_Service | Where-Object {$_.State -eq 'Running' -and $_.PathName -notmatch 'System32|SysWOW64|Program Files'} | Select-Object Name, PathName, StartName Filters out standard Windows paths to reveal non-Microsoft services. Any service running from a user directory or temp folder is immediately suspicious.
schtasks /query /fo LIST /v Lists all scheduled tasks with full verbose detail including run history, next run time, and the account they run as.
Example & explanation
schtasks /query /fo csv | ConvertFrom-Csv | Where-Object {$_.'Run As User' -ne 'N/A'} | Select-Object TaskName, 'Task To Run', 'Run As User' CSV output is easier to parse. Focus on tasks running as SYSTEM or Administrator with unusual commands. Look for PowerShell with encoded commands or scripts in temp directories.
!(arp || icmp || ssdp || mdns || llmnr || nbns || dhcp || igmp) Removes common network background noise: ARP, ICMP, multicast discovery protocols, DHCP and IGMP. What remains is usually more interesting.
Example & explanation
!(arp || icmp || ssdp || mdns || llmnr || nbns || dhcp || igmp) && ip Adding && ip removes non-IP traffic too. Apply this first when opening any PCAP — it typically removes 30-60% of packets instantly and makes real threats visible.
ip.addr == X.X.X.X Shows all traffic to or from a specific IP address (both directions). Replace X.X.X.X with the IP of interest.
Example & explanation
ip.addr == 10.0.0.50 && !dns Adding !dns removes DNS traffic so you can focus on application connections. Use ip.src == X.X.X.X or ip.dst == X.X.X.X to restrict to one direction.
ip.addr == X.X.X.X && ip.addr == Y.Y.Y.Y Shows only traffic between two specific hosts. Useful for investigating suspected lateral movement between two machines.
Example & explanation
ip.addr == 192.168.1.10 && ip.addr == 192.168.1.20 Shows all traffic in both directions between the two hosts. Apply on top of the noise reduction filter for cleaner results.
tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.window_size <= 1024 Identifies SYN scan packets — the default Nmap scan type. Small window size and no ACK flag are the fingerprint.
Example & explanation
tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.window_size <= 1024 Look at Statistics > Conversations to see the volume. A single source sending SYN to hundreds of ports/hosts in seconds = active reconnaissance. The source IP is your attacker.
tcp.flags == 0x000 Identifies NULL scan packets — all TCP flags are zero. Used for firewall evasion as some firewalls don't inspect packets with no flags.
Example & explanation
tcp.flags == 0x000 NULL scans are stealthier than SYN scans but still visible in packet captures. Most modern IDS/IPS detect them. Response of RST = port closed; no response = filtered or open.
tcp.flags.fin == 1 && tcp.flags.push == 1 && tcp.flags.urg == 1 Identifies XMAS scan packets — FIN, PUSH and URG flags all set simultaneously. Named for the lit-up flag pattern.
Example & explanation
tcp.flags.fin == 1 && tcp.flags.push == 1 && tcp.flags.urg == 1 XMAS scans don't work against Windows systems (Windows responds to all probes). If you see these, the attacker is targeting Linux/Unix systems or using a tool that doesn't adapt.
tcp.flags == 0x002 && !(ip.dst == 192.168.0.0/16) && tcp.dstport != 80 && tcp.dstport != 443 Finds outbound connection attempts (SYN) to public IPs on non-standard ports. Classic reverse shell and C2 beacon fingerprint.
Example & explanation
tcp.flags == 0x002 && !(ip.dst == 192.168.0.0/16) && !(ip.dst == 10.0.0.0/8) && tcp.dstport != 80 && tcp.dstport != 443 Adjust the RFC1918 exclusions to match your network. Remaining SYN packets to public IPs on ports like 4444, 1234, 4000, 8080 are high-priority IOCs.
tcp.port == 443 && !ssl && !tls Finds traffic on port 443 that is NOT actually TLS/SSL. Attackers tunnel C2 over port 443 to blend in, but without proper TLS it shows up as cleartext.
Example & explanation
tcp.port == 443 && !tls Legitimate HTTPS is always TLS. Any TCP 443 traffic that doesn't start with a TLS ClientHello is suspicious — could be raw HTTP, a custom protocol or a misconfigured C2.
tcp.port == 6667 || tcp.port == 6697 || tcp.port == 6660 IRC ports — older but still-used C2 channel for botnets. IRC-based C2 was dominant in the 2000s-2010s and still appears in commodity malware.
Example & explanation
tcp.port == 6667 || tcp.port == 6697 Very few legitimate IRC users remain. Any traffic on these ports from a corporate or server environment is almost certainly botnet C2. Look at the payload for JOIN/PRIVMSG commands.
tcp.len > 1400 && !(ip.dst == 192.168.0.0/16) && tcp.flags.push == 1 Finds large outbound TCP data segments going to public IPs. PSH flag means the sender is pushing data immediately — not buffering.
Example & explanation
tcp.len > 1400 && !(ip.dst == 192.168.0.0/16) && !(ip.dst == 10.0.0.0/8) && tcp.flags.push == 1 1400 bytes is near maximum TCP segment size. Sustained large segments to an external IP indicate bulk data transfer. Check Statistics > Endpoints to see total bytes per destination.
dns.qry.name matches ".{50,}" Finds DNS queries with domain names longer than 50 characters. DNS tunneling encodes data in subdomains, creating unusually long query names.
Example & explanation
dns.flags.response == 0 && dns.qry.name matches ".{50,}" DNS tunneling tools like dnscat2 or iodine encode data in subdomain labels. A legitimate FQDN rarely exceeds 50 chars total. 80+ characters = almost certainly tunneling.
icmp && data.len > 64 Finds ICMP packets with unusually large data payloads. Standard ping uses 32-56 bytes of data. Larger payloads may indicate ICMP tunneling.
Example & explanation
icmp.type == 8 && data.len > 100 ICMP type 8 = Echo Request (ping). Tools like ptunnel or icmptunnel can tunnel TCP over ICMP. Look for sustained ICMP traffic with identical payload sizes or sequential data.
http.request.method == "POST" && (frame contains "password" || frame contains "passwd" || frame contains "pass=") Hunts for plaintext credentials in HTTP POST requests. Any login form using HTTP (not HTTPS) sends credentials in cleartext.
Example & explanation
http.request.method == "POST" && frame contains "pass" Follow the TCP stream of any matches (right-click > Follow > TCP Stream) to see the full request including username. These are definitive credential exposures.
ftp.request.command == "PASS" Captures FTP password commands. FTP sends everything in plaintext including credentials.
Example & explanation
ftp.request.command == "USER" || ftp.request.command == "PASS" Shows both username (USER) and password (PASS) commands. FTP should never be used — if you see it in a capture, credentials are compromised and protocol needs to be replaced with SFTP.
ntlmssp Shows all NTLM authentication handshakes (NTLMSSP). Common in Windows environments for SMB, HTTP and other protocols.
Example & explanation
ntlmssp && smb2 NTLM hashes in captures can be cracked offline or relayed. If you see NTLM auth to external IPs or unexpected hosts, it may be an NTLM relay attack or credential coercion (Responder/PetitPotam).
smb2 Shows all SMBv2 traffic. SMB is the Windows file sharing protocol and the primary channel for lateral movement tools (PsExec, WMIExec, CrackMapExec, etc.).
Example & explanation
smb2 && !(ip.src == 192.168.1.1) Filter out expected file servers. Unexpected SMB connections between workstations (east-west) are a major lateral movement indicator. Check Statistics > Conversations for volume.
smb2.filename contains "ADMIN$" || smb2.filename contains "C$" || smb2.filename contains "IPC$" Detects access to Windows administrative shares. Legitimate admin tools and attack tools like PsExec both access these shares.
Example & explanation
smb2.filename contains "ADMIN$" || smb2.filename contains "PSEXESVC" PSEXESVC in the filename confirms PsExec usage. ADMIN$ and C$ access from unexpected sources indicates lateral movement. IPC$ alone is normal (used for RPC).
tcp.dstport == 3389 Filters all RDP (Remote Desktop Protocol) traffic. Lateral movement via RDP is common — attackers move between hosts using stolen credentials.
Example & explanation
tcp.dstport == 3389 && !(ip.src == <known_admin_ip>) RDP should only originate from known admin jump hosts or IT subnets. Workstation-to-workstation RDP is almost always lateral movement.
http && (frame contains "cmd.exe" || frame contains "powershell" || frame contains "/bin/sh" || frame contains "wget") Hunts for webshell commands in HTTP traffic. cmd.exe, PowerShell or shell commands in HTTP requests/responses = active webshell exploitation.
Example & explanation
http.request.uri contains "cmd=" || http.request.uri contains "exec=" || http.request.uri contains "system(" Look at the URI and POST body. Common webshell parameters: cmd, exec, command, c, shell, run. Follow TCP stream to see full interaction and extract the webshell.
http.user_agent == "" || http.user_agent contains "python" || http.user_agent contains "curl" || http.user_agent contains "sqlmap" Detects suspicious or tool-generated User-Agent strings. Empty UA = unusual. Known tool UAs = automated attack.
Example & explanation
http.user_agent matches "(?i)(sqlmap|nikto|nmap|dirbuster|hydra|metasploit|python-requests|go-http)" Case-insensitive match against common scanning tool signatures. Custom tools may use fake legitimate UAs — correlate with request patterns (many 404s, sequential URIs) to confirm scanning.
http.response.code >= 500 Shows HTTP 5xx server error responses. A burst of 500 errors may indicate an active exploit attempt triggering crashes or unexpected behavior.
Example & explanation
http.response.code >= 500 || (http.response.code >= 400 && http.response.code != 404) 404s are normal scanning noise. Focus on 500 (server errors), 403 (forbidden — may indicate successful path traversal to protected resources), and 401 (unauthorized — brute force).
tcpdump -i eth0 -w /tmp/capture.pcap Captures all traffic on eth0 and saves to a PCAP file for later analysis in Wireshark or other tools.
Example & explanation
tcpdump -i eth0 -w /tmp/cap-$(date +%Y%m%d-%H%M%S).pcap Timestamp in filename prevents overwrites if you run multiple captures. Use -C 100 to rotate files at 100MB, -G 3600 to rotate hourly. Always save to a separate volume if possible.
tcpdump -i any -n -w /tmp/all.pcap Captures traffic on ALL network interfaces simultaneously. -n suppresses DNS lookups for speed and to avoid generating DNS queries that appear in the capture.
Example & explanation
tcpdump -i any -n -s0 -w /tmp/all.pcap -s0 captures full packet size (default may truncate). Useful on multi-homed hosts or when you don't know which interface the traffic is on.
tcpdump -i eth0 -n host 10.0.0.1 Captures only traffic to or from a specific host. Combine with other filters to narrow scope.
Example & explanation
tcpdump -i eth0 -n src host 10.0.0.1 and not dst port 22 src host = only traffic FROM the host. dst host = only traffic TO the host. Adding not dst port 22 excludes SSH (your own session) to avoid capture noise.
tcpdump -i eth0 -n port 443 Captures traffic on a specific port. Useful for monitoring a single service.
Example & explanation
tcpdump -i eth0 -n 'port 80 or port 443 or port 8080 or port 8443' Capturing HTTP/HTTPS traffic. If you see plaintext data on port 443 (should be encrypted TLS), that's immediately suspicious.
tcpdump -i eth0 -n not port 22 Captures everything EXCEPT SSH. Essential when you are connected via SSH — without this, your own session dominates the capture.
Example & explanation
tcpdump -i eth0 -n 'not port 22 and not port 53 and not arp' Also excludes DNS and ARP to reduce noise. This is a good default starting filter for most triage captures via SSH.
tcpdump -i eth0 -n 'tcp[tcpflags] & (tcp-syn) != 0 and tcp[tcpflags] & (tcp-ack) == 0' Captures only TCP SYN packets (without ACK) — connection initiation packets. Useful for detecting scans and enumerating who is connecting to what.
Example & explanation
tcpdump -i eth0 -n 'tcp[tcpflags] & (tcp-syn) != 0 and tcp[tcpflags] & (tcp-ack) == 0' -c 500 -c 500 captures 500 packets then stops. High rate of SYN packets from a single source = port scan. From many sources to same port = DDoS/scan campaign.
tcpdump -r /tmp/capture.pcap -n Reads and displays a previously saved PCAP file. Combine with filters to analyze specific traffic.
Example & explanation
tcpdump -r /tmp/capture.pcap -n 'host 10.0.0.1 and port 4444' Apply same BPF filter syntax as live capture. Useful for quick CLI analysis when Wireshark is not available.
tcpdump -i eth0 -A -n 'tcp dst port 80' Captures HTTP traffic and prints the payload as ASCII. Lets you read HTTP request/response content directly in terminal.
Example & explanation
tcpdump -i eth0 -A -n 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' The complex filter shows only packets with data payload (not empty ACKs). -A prints ASCII, -X prints hex+ASCII side-by-side. Useful for spotting plaintext credentials or commands.
tcpdump -i eth0 -n port 53 Captures all DNS traffic. Essential for detecting DNS tunneling, domain generation algorithms (DGA) and C2 over DNS.
Example & explanation
tcpdump -i eth0 -n port 53 -A | grep -E '[A-Za-z0-9.-]{50,}' The grep filters for domain names longer than 50 characters — a reliable DNS tunneling indicator. Alternatively, save as PCAP and analyze DNS query lengths in Wireshark.
tcpdump -i eth0 -n -vvv icmp Captures ICMP traffic with verbose output. Used to detect ping sweeps, ICMP tunneling and network mapping.
Example & explanation
tcpdump -i eth0 -n icmp and 'icmp[icmptype] == icmp-echo' icmp-echo = ping requests. Rapid pings to many hosts = network discovery/sweep. Large ICMP payloads (> 100 bytes) = possible ICMP tunneling.
No commands match your search.