Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

Topic review - Tcpdump: How to capture first two packets of tcp conversation (SYN/SYN+ACK)
Post subject: Tcpdump: How to capture first two packets of tcp conversation (SYN/SYN+ACK)  |  Post Posted: Wed Jun 13, 2012 5:32 am
Capturing only the SYN (first packet) of a TCP conversation:
Code:
$ sudo tcpdump -nni eth0 port 80 and tcp[13] == 2

09:26:23.044132 IP 181.210.53.36.24495 > 10.0.0.2.80: Flags [S], seq 4179562228, win 65535, options [mss 1280,nop,wscale 3,nop,nop,TS val 290512683 ecr 0,sackOK,eol], length 0


How to capture only the SYN packet with tcpdump:


Code:
$ sudo tcpdump -nni eth0 port 80 and "tcp[13] == 2"

Capturing both SYN and SYN+ACK (first two packets) of a TCP conversation with tcpdump:


Code:
$ sudo tcpdump -nni eth0 port 80 and 'tcp[13] & 2 == 2'
09:24:47.052301 IP 181.210.53.36.4896 > 10.0.0.2.80: Flags [S], seq 1906016236, win 65535, options [mss 1280,nop,wscale 3,nop,nop,TS val 290511723 ecr 0,sackOK,eol], length 0
09:24:47.052347 IP 10.0.0.2.80 > 181.210.53.36.4896: Flags [S.], seq 1199622835, ack 1906016237, win 5792, options [mss 1460,sackOK,TS val 724817121 ecr 290511723,nop,wscale 6], length 0


By using this tcpdump command, you can see the TCP options such as MSS, selective ACK, window scale and timestamps.

Why tcp[13]? Because the TCP flags byte is the 13th byte in the TCP header:

Code:
        0                            15                              31
       -----------------------------------------------------------------
       |          source port          |       destination port        |
       -----------------------------------------------------------------
       |                        sequence number                        |
       -----------------------------------------------------------------
       |                     acknowledgment number                     |
       -----------------------------------------------------------------
       |  HL   | rsvd  |C|E|U|A|P|R|S|F|        window size            |
       -----------------------------------------------------------------
       |         TCP checksum          |       urgent pointer          |
       -----------------------------------------------------------------



Starting from right to left (little endian) the SYN flag is 2^1:
Code:
                       |               |
                       |---------------|
                       |C|E|U|A|P|R|S|F|
                       |---------------|
                       |7|6|5|4|3|2|1|0|
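As an added example that is not part of the original post: the two filters above, tcp[13] == 2 and tcp[13] & 2 == 2, re-implemented in Python over constructed 20-byte TCP headers, to show exactly which packets each one matches (SYN+ACK has tcp[13] == 0x12, so only the masked form catches it; a SYN carrying the ECN-setup bits CWR+ECE is 0xC2 and is likewise missed by the == 2 form). Packet values are constructed, not captured.

```python
# Added example, not code from the original post: evaluate the filters
# 'tcp[13] == 2' and 'tcp[13] & 2 == 2' against constructed TCP headers.
import struct

# Bit positions in the TCP flags byte (header byte offset 13); FIN is bit 0.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

def tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Build a minimal 20-byte TCP header without options (constructed data)."""
    data_offset = 5 << 4          # 5 x 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags, window, 0, 0)

def flags_byte(header):
    """tcp[13]: the flags byte of the TCP header."""
    return header[13]

def match_syn_only(header):
    """Same as the filter 'tcp[13] == 2': SYN set and no other flag."""
    return flags_byte(header) == SYN

def match_syn_set(header):
    """Same as the filter 'tcp[13] & 2 == 2': SYN set, other bits ignored.
    Unlike the tcpdump filter grammar, Python's == binds tighter than &,
    so the mask needs parentheses here."""
    return (flags_byte(header) & SYN) == SYN

# Constructed packets: the first three packets of a handshake, plus a SYN
# that also carries the ECN-setup bits (CWR+ECE).
SAMPLES = {
    "SYN":       tcp_header(4896, 80, 1906016236, 0, SYN),
    "SYN+ACK":   tcp_header(80, 4896, 1199622835, 1906016237, SYN | ACK),
    "ACK":       tcp_header(4896, 80, 1906016237, 1199622836, ACK),
    "SYN (ECN)": tcp_header(4896, 80, 1906016236, 0, SYN | CWR | ECE),
}

def evaluate(samples=SAMPLES):
    """Return {name: (tcp[13] value, matches '== 2', matches '& 2 == 2')}."""
    return {name: (flags_byte(h), match_syn_only(h), match_syn_set(h))
            for name, h in samples.items()}

if __name__ == "__main__":
    for name, (value, only, anyset) in evaluate().items():
        print(f"{name:10s} tcp[13]=0x{value:02x}  '== 2': {only!s:5}  "
              f"'& 2 == 2': {anyset}")
```

tcpdump also accepts the named form `tcp[tcpflags] & (tcp-syn) != 0` for the masked filter, which avoids remembering the bit value.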