Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

Data Capturing using TCP Flags


Data Capturing using TCP Flags

By ghostghost | 5303 Reads |
0     0

TCP Flags Overview:

For data capturing using Ethereal and TCPdump, just remember that you can capture packets that have their flags already setup, such: ACK, SYN, URG, FIN, RST, PSH, etc.

FLAG – SIGNIFICANCE – HEX

urg = Urgent Pointer field significant\' -> 32 ack = Acknowledgment field significant' -> 16 psh = Push Function\' -> 8 rst = Reset the connection' -> 4 syn = Synchronize sequence numbers\' -> 2 fin = No more data from sender' -> 1

For starters, it should be known that TCPdump has a readme (man page). Yup, really!! Access it, and learn from it:

Here are the TCPdump switch meanings:

* -n : Don\'t resolve hostnames.
* -nn : Don\'t resolve hostnames or port names.
* -X : Show the packet\'s contents in both hex and ASCII.
* -v, -vv, -vvv : Increase the amount of packet information you get back.
* -c : Only get x number of packets and then stop.
* -S : Print absolute sequence numbers.
* -e : Get the ethernet header as well.

So, using this reference, we can see that we can sniff for various TCP flags. For example:

Sniff all SYN flagged packets tcpdump 'tcp[13] & 2 != 0'

Sniff all PSH flagged packets tcpdump 'tcp[13] & 8 != 0'

Sniff all URG flagged packets tcpdump 'tcp[13] & 32 != 0'

Sniff all RST flagged packets tcpdump 'tcp[13] & 4 != 0'

Sniff all ACK flagged packets tcpdump 'tcp[13] & 16 != 0'

Sniff all FIN flagged packets tcpdump 'tcp[13] & 1 != 0'

Sniff all SYN-ACK flagged packets tcpdump 'tcp[13] = 18'

Well, you get the idea … find the rest on your own. I don't want to be your little donkey doing all your work.

*If you feel lucky, try: "tcpdump ip6"

The same applies for Ethereal (now Wireshark), you'd simply set the flags in the filter line to represent:

Sniff all SYN flagged packets tcp[13] & 0x02 = 2

You can even make it even more complex by using LOGIC operators (OR,AND,XOR). For example:

ip.addr == 192.168.2.102 and tcp.flags.ack

Well, you get the idea. Hope you liked my half assed article. Expect more.

I feel burnt out at the moment, hence why it's so short and does NOT go in detail. It's only meant to be a primer.

Comments
SySTeM's avatar
SySTeM 17 years ago

Arcube why did you vote poor without giving a reason?

ghost's avatar
ghost 17 years ago

lol, cuz I pwn3d him in the forums earlier this week. HAHAHAH

ghost's avatar
ghost 17 years ago

Lol, no. Because your article isn't complete and you even say it. You said you were burnt and that is why the article is short. You should wait until you are not 'burnt' and do a more complete article and go more in detail. I rated your other article well because they were detailed and complete.

ghost's avatar
ghost 17 years ago

If you see an article, that you find interesting, on any kind of document, like magazines, or news websites, and at the end, the person who wrote the article says "oh, because I feel burnt, I won't go in detail and it's just to give a little idea of the subject." makes you loose interest on the article. If you know you can do better, then you should take more time and do better.

ghost's avatar
ghost 17 years ago

yah, too bad this isn't a magazine, eh?

SySTeM's avatar
SySTeM 17 years ago

Shouldn't you wait til it's complete before judging then?

richohealey's avatar
richohealey 17 years ago

netfish is always right. </discussion>

ghost's avatar
ghost 17 years ago

i think the article was great, but arcube does have a point. in general, just dont self-denigrate your work, then people wont notcie its only half baked. @system meltdown: per your suggestion, i wont rate it yet >.<