When using a tool that displays network traffic in a more natural (raw) way, the burden of analysis is placed directly on the human rather than the application. This approach cultivates a continued and elevated understanding of the TCP/IP suite, and for this reason I strongly advocate using tcpdump instead of other tools whenever possible.
[ A mnemonic for the TCP flags, in bit order from high to low: Unskilled Attackers Pester Real Security Folk ]
Show me all URGENT (URG) packets...
# tcpdump 'tcp[13] & 32 != 0'
Show me all ACKNOWLEDGE (ACK) packets...
# tcpdump 'tcp[13] & 16 != 0'
Show me all PUSH (PSH) packets...
# tcpdump 'tcp[13] & 8 != 0'
Show me all RESET (RST) packets...
# tcpdump 'tcp[13] & 4 != 0'
Show me all SYNCHRONIZE (SYN) packets...
# tcpdump 'tcp[13] & 2 != 0'
Show me all FINISH (FIN) packets...
# tcpdump 'tcp[13] & 1 != 0'
Show me all SYNCHRONIZE/ACKNOWLEDGE (SYNACK) packets...
# tcpdump 'tcp[13] = 18'
[ Note: Only the PSH, RST, SYN, and FIN flags are displayed in tcpdump's flag field output. URGs and ACKs are displayed, but they are shown elsewhere in the output rather than in the flags field ]
Keep in mind the reasons these filters work. The filters above find these various packets because tcp[13] looks at byte offset 13 in the TCP header (the byte that holds the flags), the number after the & is a bit mask selecting the flag's position within that byte, and the != 0 means that the flag in question is set to 1, i.e. it's on. The SYNACK filter is different: tcp[13] = 18 compares the whole byte, so it matches only when SYN (2) and ACK (16) are set and nothing else is.
As with most powerful tools, however, there are multiple ways to do things. The example below shows another way to capture packets with specific TCP flags set.
Capture TCP Flags Using the
# tcpdump 'tcp[tcpflags] & tcp-syn != 0'
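To make the byte-13 arithmetic behind both filter styles concrete, here is an added example (my own, not code from the original post or from the tcpdump project). It builds a constructed 20-byte TCP header with chosen flags and evaluates the three comparisons the filters above rely on: "any masked bit set" (tcp[13] & MASK != 0), "whole byte equals" (tcp[13] = 18), and the "all masked bits set" form (tcp[13] & 18 = 18). The port and sequence numbers are arbitrary sample values.

```python
import struct

# Bit masks for the TCP flag byte (tcp[13]), in the order of the mnemonic:
# Unskilled Attackers Pester Real Security Folk.
FLAGS = {"URG": 32, "ACK": 16, "PSH": 8, "RST": 4, "SYN": 2, "FIN": 1}


def build_tcp_header(flags: int, src_port: int = 40000, dst_port: int = 80) -> bytes:
    """Return a constructed 20-byte TCP header with no options (sample data, not a capture)."""
    seq, ack = 0x11111111, 0x22222222          # arbitrary sample sequence/ack numbers
    data_offset = 5 << 4                       # 5 x 32-bit words; low nibble is reserved bits
    window, checksum, urg_ptr = 65535, 0, 0    # checksum left at zero: not needed for flag logic
    # ! = network byte order; H=16 bits, I=32 bits, B=8 bits. Total is 20 bytes.
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags, window, checksum, urg_ptr)


def flag_byte(tcp_header: bytes) -> int:
    """tcp[13]: the single byte that carries the flags (offset 13 from the start of TCP)."""
    return tcp_header[13]


def flag_set(tcp_header: bytes, mask: int) -> bool:
    """Equivalent of 'tcp[13] & MASK != 0': true if any bit selected by MASK is on."""
    return flag_byte(tcp_header) & mask != 0


def flags_exactly(tcp_header: bytes, value: int) -> bool:
    """Equivalent of 'tcp[13] = VALUE': the whole byte must match, so no other flag may be set."""
    return flag_byte(tcp_header) == value


def flags_include(tcp_header: bytes, mask: int) -> bool:
    """Equivalent of 'tcp[13] & MASK = MASK': all bits in MASK on, other bits ignored."""
    return flag_byte(tcp_header) & mask == mask


def set_flags(tcp_header: bytes) -> list:
    """Decode the flag byte into flag names, high bit to low bit."""
    byte = flag_byte(tcp_header)
    return [name for name, mask in FLAGS.items() if byte & mask]


if __name__ == "__main__":
    syn = build_tcp_header(FLAGS["SYN"])
    synack = build_tcp_header(FLAGS["SYN"] | FLAGS["ACK"])
    # A SYN/ACK whose ECE bit (64) is also set, as seen during ECN negotiation.
    synack_ece = build_tcp_header(FLAGS["SYN"] | FLAGS["ACK"] | 64)

    print(set_flags(synack))                          # ['ACK', 'SYN']
    print(flag_set(syn, FLAGS["SYN"]))                # True : 'tcp[13] & 2 != 0'
    print(flags_exactly(synack, 18))                  # True : 'tcp[13] = 18'
    print(flags_exactly(syn, 18))                     # False: a bare SYN is not 18
    print(flags_exactly(synack_ece, 18))              # False: ECE bit makes the byte 82
    print(flags_include(synack_ece, 18))              # True : 'tcp[13] & 18 = 18' still matches
```

The last two lines show the caveat worth remembering when you use the exact-match form: tcp[13] = 18 is precise, but it silently misses a SYN/ACK that also carries one of the two ECN bits in the top of the byte. If you want every SYN/ACK regardless of ECN, prefer the masked form tcp[13] & 18 = 18, or the equivalent tcp[tcpflags] & (tcp-syn|tcp-ack) = (tcp-syn|tcp-ack) using the named aliases.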