Data Capturing using TCP Flags
TCP Flags Overview:
For data capturing with Ethereal and TCPdump, remember that you can filter for packets based on which TCP flags are set, such as ACK, SYN, URG, FIN, RST, PSH, etc.
FLAG – SIGNIFICANCE – BIT VALUE (decimal / hex)
* urg = Urgent Pointer field significant -> 32 (0x20)
* ack = Acknowledgment field significant -> 16 (0x10)
* psh = Push Function -> 8 (0x08)
* rst = Reset the connection -> 4 (0x04)
* syn = Synchronize sequence numbers -> 2 (0x02)
* fin = No more data from sender -> 1 (0x01)
For starters, it should be known that TCPdump has a readme (its man page). Yup, really!! Open it and learn from it.
Here are the TCPdump switch meanings:
* -n : Don't resolve hostnames.
* -nn : Don't resolve hostnames or port names.
* -X : Show the packet's contents in both hex and ASCII.
* -v, -vv, -vvv : Increase the amount of packet information you get back.
* -c N : Capture only N packets and then stop.
* -S : Print absolute sequence numbers.
* -e : Print the Ethernet header as well.
So, using this reference, we can see that we can sniff for various TCP flags. For example:
* Sniff all SYN flagged packets: tcpdump 'tcp[13] & 2 != 0'
* Sniff all PSH flagged packets: tcpdump 'tcp[13] & 8 != 0'
* Sniff all URG flagged packets: tcpdump 'tcp[13] & 32 != 0'
* Sniff all RST flagged packets: tcpdump 'tcp[13] & 4 != 0'
* Sniff all ACK flagged packets: tcpdump 'tcp[13] & 16 != 0'
* Sniff all FIN flagged packets: tcpdump 'tcp[13] & 1 != 0'
* Sniff all SYN-ACK flagged packets (SYN and ACK set, no other flags): tcpdump 'tcp[13] = 18'
Well, you get the idea … find the rest on your own. I don't want to be your little donkey doing all your work.
*If you feel lucky, try: "tcpdump ip6"
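As an added example (not part of the original article), here is a small Python script that builds constructed TCP headers and evaluates the page's tcp[13] filters against them. It goes one step beyond the table above: ECE (64) and CWR (128) live in the same byte 13, so an exact match like tcp[13] = 18 misses a SYN-ACK that also carries ECE, while the masked form tcp[13] & 18 = 18 still catches it.

```python
import struct

# Bit values of the flags in TCP header byte 13 (the table above); ECE and CWR
# sit in the two high bits of that same byte and are easy to forget.
TCP_FLAGS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8,
             "ACK": 16, "URG": 32, "ECE": 64, "CWR": 128}


def build_tcp_header(src_port, dst_port, flags):
    """Return a minimal 20-byte TCP header (no options) carrying `flags`.
    Constructed sample data for the demo, not bytes from a real capture."""
    seq = ack = checksum = urg_ptr = 0
    window = 65535
    data_offset = 5 << 4  # header length 5 x 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags, window, checksum, urg_ptr)


def flags_byte(tcp_header):
    """What tcpdump calls tcp[13]: the byte at offset 13 of the TCP header."""
    return tcp_header[13]


def flag_names(tcp_header):
    """Decode byte 13 into flag names, e.g. 18 -> ['SYN', 'ACK']."""
    value = flags_byte(tcp_header)
    return [name for name, bit in TCP_FLAGS.items() if value & bit]


def matches(tcp_header, mask, op, rhs):
    """Evaluate a filter shaped like the page's:  tcp[13] & mask <op> rhs."""
    lhs = flags_byte(tcp_header) & mask
    return lhs == rhs if op == "=" else lhs != rhs


# The three filter styles that appear on the page, as (mask, op, rhs):
FILTERS = {
    "tcp[13] & 2 != 0": (2, "!=", 0),      # SYN set, other bits ignored
    "tcp[13] = 18": (0xFF, "=", 18),       # exactly SYN+ACK and nothing else
    "tcp[13] & 18 = 18": (18, "=", 18),    # SYN and ACK set, other bits ignored
}


def compare_filters():
    """Run each filter over three constructed segments -> {segment: {filter: bool}}."""
    syn, ack, ece = TCP_FLAGS["SYN"], TCP_FLAGS["ACK"], TCP_FLAGS["ECE"]
    segments = {
        "SYN": build_tcp_header(40000, 80, syn),
        "SYN-ACK": build_tcp_header(80, 40000, syn | ack),
        "SYN-ACK+ECE": build_tcp_header(80, 40000, syn | ack | ece),
    }
    return {name: {expr: matches(hdr, *spec) for expr, spec in FILTERS.items()}
            for name, hdr in segments.items()}


if __name__ == "__main__":
    for name, results in compare_filters().items():
        print(name, results)
```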
The same applies to Ethereal (now Wireshark): you'd simply put the same kind of expression in the capture filter line, for example:
* Sniff all SYN flagged packets: tcp[13] & 0x02 = 2
You can make it even more complex by combining conditions with logic operators (or, and, xor) in the display filter. For example, to show only packets to or from 192.168.2.102 that have the ACK bit set:
ip.addr == 192.168.2.102 and tcp.flags.ack == 1
Well, you get the idea. Hope you liked my half assed article. Expect more.
I feel burnt out at the moment, which is why it's so short and does NOT go into detail. It's only meant to be a primer.
ghost 17 years ago
Lol, no. Because your article isn't complete and you even say it. You said you were burnt and that is why the article is short. You should wait until you are not 'burnt' and do a more complete article and go into more detail. I rated your other articles well because they were detailed and complete.
ghost 17 years ago
If you see an article that you find interesting in any kind of document, like magazines or news websites, and at the end the person who wrote the article says "oh, because I feel burnt, I won't go into detail and it's just to give a little idea of the subject," it makes you lose interest in the article. If you know you can do better, then you should take more time and do better.