Thanks Sven Glock‌ and I'm glad you like it!

Hey Sven Glock‌ - Thanks for the feedback! Those filters are already included in the tool. If you select "TCP Only" a sub-menu opens up where you can specify which flags you want to filter on. I've snipped the screenshots below for you (the second one just shows the output - it's not a real command). Let me know if you have any more feedback and I hope you find it useful!

Hi Sean, 

thanks for your fast reply!

I saw that filters, but I was not able to link "TCP only" with "tcpflags" - my mistake, sorry!

The implementation is good.

I will have a look for real improvments 

Cheers

Sven

Don't apologize - Even small things can be seen as improvements. If even one person has an issue, it could mean that other people have the issue as well. Would it be helpful if the "TCP Only" option were expanded to read "TCP Only (Including tcpflags)" or something like that?

Yes, this would be definitively helpful!

I have an other thing...

Once you are using multiple filters there is no possiblity to delete the first filter:

You can set it only to "none" but this will leave a relict in the command line:

Cheers

Sven

As I could not delete the first filter I tried to change it, but this caused serios problems and left the command unchanged:

Hey Sven Glock‌ - Man, you're a machine. The second item you pointed out seems to be a bug. It would seem that if you select an option and leave it blank then select "TCP Only" the previous error message persists and prevents you from using the "TCP Only" option. All other options work so I'll look into this as soon as I can. Once I fix it, I'll let everyone know.

With regards to the first item (not being able to delete the first filter) this is something I'm working on. It also ties into something that Phillip Runner‌ suggested about being able to add filters in above/below and in the middle of existing syntax. I'm basically looking at a total back-end rewrite to be able to support these features but it's something a lot of people have mentioned they want to see so I want to make it happen. Of course, this is going to take quite a while as it's a full re-write and I need to balance this with "real life".

Thanks again for the suggestions and feedback!

Hey Sven Glock‌ (and everyone else in the thread) - I've fixed the bug and modified "TCP Only" to "TCP Only (with tcpflags)" for the modules which support it (tcpdump and Fortinet). I've also given you credit for finding this in the .plan section of the tool and will be mentioning you on Twitter as well for this. Again, thanks to everyone for the feedback.

Check down on the bottom-most icon in the menu bar - The rubbish bin will reload the page for you and reset everything. Saves you from having to press Ctrl+F5. I know it has to perform a page reload but it's the easiest way instead of having to have a script which blanks all fields and resets everything. Also, there are some keyboard shortcuts so when you load the page and get the splash screen, press [ESC] and it will hide the splash page for you.

Ok, the root cause seems to be my 27" screen - the rubbish bin is too far away from the form it self 

Form my side: once you are working in a form you are only looking for features like this inside the form.

The sidebar suggests that the links on it do not belong to the form.

As the bin is the only one I did not exepect buttons in that menu belonging to the form.

So ,it would be nice the have the bin inside the form.

...but maybe I am a bit to oldschool 

Hahaha! Maybe I'll put a cookie in the page to track you and have the bin follow you around.

I think what I could do (when doing the re-work) is to have a "clear all filters" button pop up near the filters somewhere. Would that work for you in the future?

Yes, this would be helpful!

Hi Sean,

thanks for continuing to improve your tool.

I like the new facelift. 

Some thoughts:

• why have you removed file options like rotate, split etc?
• a lot of people do not know that they can use "any" as parameter for "-i" 
  Why not offering this as an radio button?
• I am not sure if this is a Check Point specific thing: I love the -P switch, which is showing interface names.
  This is very useful when using interface "any". So you can nicely see in and outgoining interface names.
• Output location: Save to file: on/off is easier to understand even for linux newbies than stdout.
• I am missing some plausibility tests 
  
  
• In the filters dropdown menu you can choose the menu seperators, which can be a bit confusing.
  
  
  Is it possible to present the menu seperators in a different look than the real filters (for example using bold font)?
• IPv4/6-Filters: It would be much easier only to select IPv4/6-Filter and have a radio button afterwards to select if it is for source/destionation or source and destination. More over it would be nice to have an automated detection of  net/hostname or IP (once there is a "/" it has to be a network and you have to add "net" - no "/" no "net" that is has to be hostname or single IP). This will additionally make the filters menu shorter and more clear.
  
• TCP-Flags: When you want to filter on packets that have SYN and ACK flags you have to define two seperate filters. Why not offering to select multiple flags by check box and building two seperate filters in the background?
  
  

Ok, I think that's enough for the beginning to fill you free time next weekend 

Regards

Sven

Hey Sven Glock‌ - Thanks so much for the helpful feedback!

For items 1 and 2 I just forgot about them, to be honest. I was rushing a little bit and, since I do this in my spare time, sometimes I forget where I left off or what I was working on. I'll put these back in since they're both pretty important to people.

Item 3 is covered in the "Information Only" option with the "-D" switch. This will show you all the interfaces you can run tcpdump on.

Item 4 I like the idea of "On/Off" and then maybe have a little item about printing to the screen versus saving to a file. I'll update this as well when I'm putting back the additional "Save to File" options.

For item 5, have you never seen a MAC address with 11:11:11:11:11:11:11:11:!1:$" before? Seriously though, those checks are currently in the works on my laptop - I just haven't pushed them to the public site yet. As for the "host" filter, as goofy as this sounds, it's possible that someone has "11111asdfasdf" as a hostname somewhere. I will be putting in some "guessing" checks for those but it's almost impossible to know what people can put in for those types of filter. For example, the following three items are all valid: 1.2.3.4, 2001:bad:c0de::1 and 1.2.3.4.com (IPv4, IPv6, host/domain name). I will be testing out some RegEx to see if I can get it to work properly but I may be left with just guessing. Stay tuned, though.

Item 6 is a bit more involved... You see, HTML select and option elements are not able to be styled by CSS as some other HTML DOM elements. The same thing goes for radio buttons and checkboxes. To be able to create a bold section title or have custom radio buttons (for example) would require a fair bit of coding since you have to hide the existing HTML <option> element, create new HTML/CSS for the custom look and then have a JavaScript caller to handle the events. But... And I'm not joking about this... While writing this out, you did give me an idea that may work. Instead of using an HTML select/option combination, I could create an HTML/CSS menu instead and use an onClick function on the spans to call the back-end JS. I'm going to try this out to see how easy it is to get working. Thanks for helping me think of a new (possible) solution, Sven.

I like the idea in item 7 about shortening the list by using radio buttons for src/dst. I will also try merging the host/net option by looking for the "/" character but I may keep host and net separate to make things a bit easier for new people. But I will give it a try and see how it goes.

For the last item, it's a good idea in theory but, personally, I think it may not work as well in practice. Here's what I'm thinking... We know that there are many useful combinations of TCP flags like SA or FA or even the old XMas tree scan with FPU set. But people who are new to PCaps, TCP or networking in general may not. By keeping the filters separate, the users will learn that the flags are unique per filter which, in turn, will help them learn that each TCP flag is unique and then they have that extra knowledge. The other thing is newer people may get confused if they have to create logic gates with this type of filter and they may be tempted to put checkmarks in boxes that already exist when, instead, they should be creating a new filter inside their logic gates. But maybe I'm overthinking this.

In terms of my weekend... I'm currently fighting a sinus cold (yay Canadian weather!) so between that, family obligations and getting drunk on cold medicine, I'll see how much time I've got for this. Maybe I'll work on it after taking some cough syrup and see if it makes my code better or not... If the next dev push has a bunch of cat pictures instead of usable code, you'll know why.

Hey Sven Glock‌ and everyone else. I've pushed the latest update to http://dev.tcpdump101.com with some new items/features that I'd love to hear your feedback on.

I've put the additional "Save to File" options back in since I forgot them earlier as well as an updated note in the (?) Help bubble for the tcpdump interface stating that you can use 'any' as an interface. (Thanks Sven Glock‌) I do have a little clean-up to do on the error checking for those, however, so don't be too alarmed that they're not at 100% yet.

I've also added error checking on the following filters:

• Layer-2 Addresses (strict)
• Layer-3 Protocols (loose)
• Layer-4 Ports (loose)
• VLAN IDs (strict)
• PPPoES IDs (strict)
• MPLS (strict)

I will be adding descriptions to the errors in the near future so that people will know what's wrong with what they've entered and how to correct it. I will also be adding error checking on the rest of the filters as well. A small icon at the top-right of each filter will let you know at-a-glance if the filters you've entered are valid, suspect or invalid.

When you negate a filter now (by using the "not" box), an icon appears in the top-right of the filter to let you know at-a-glance which filters are negated. They used to change the background of the filter to grey but I realized that the error checking background colours wouldn't be available.

I'm going to finish up the error checking on the Save to File modules and the rest of the filters and will then look at changing the filter menu from an HTML <select> field to a custom HTML/CSS hoverable menu and see how that looks and feels.

As usual, any and all feedback is appreciated.

Sean (Gr@ve_Rose)

Ladies and Gentlemen... It's been a while but wanted to let you know that https://tcpdump101.com now supports the "new" version of "fw monitor" found in R80.20 JHF73+ which uses the simple filter module. If you get a chance to check it out, let me know how you find it! Happy Packet Hunting.

tcpdump101.com 1.01 - New 'fw monitor' section

Keep being awesome!

Sean (Gr@ve_Rose)

Hi Sean,

after a long while I went back to your website.
Nice new updates! Thanks for your efforts.

Today I had the need to work with an older version of fw monitor.

So I decided to build the syntax on your website.

But I have to say I missed a feature - may be I only have not seen it...

TCPFLAGs 

I even had to consult CPs documentation! 😵

Just wanted to leave this here - may be it is a topic for your roadmap.

Cheers

Sven

Hey @Sven_Glock - Thanks for the feedback and I'm glad you like the new layout! I will see about adding the TCPFLAGS option to both of the 'fw monitor' modules as soon as I can. Things are pretty hectic right now on my side (a lot of PenTesting and Red Team engagements) but I'll let you know when they've been added, tested and verified although it may be a while. Once they're in, do you mind if I credit you with the feature request on Twitter when the time comes?

As per usual, if you (or anyone else) wants to share feedback (positive and constructive) I'm always open to hearing from the community. 🙂

Cheers,

Sean (Gr@ve_Rose)