Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
tcpdump - reading tcp flags
##TCP FLAGS##
Unskilled Attackers Pester Real Security Folks
==============================================
TCPDUMP FLAGS
Unskilled = URG = (Not Displayed in Flag Field, Displayed elsewhere)
Attackers = ACK = (Not Displayed in Flag Field, Displayed elsewhere)
Pester = PSH = [P] (Push Data)
Real = RST = [R] (Reset Connection)
Security = SYN = [S] (Start Connection)
Folks = FIN = [F] (Finish Connection)
SYN-ACK = [S.] (SynAcK Packet)
[.] (No Flag Set)
##USAGE##
Basic communication // see the basics without many options
# tcpdump -nS
Basic communication (very verbose) // see a good amount of traffic, with verbosity and no name help
# tcpdump -nnvvS
A deeper look at the traffic // adds -X for payload but doesn’t grab any more of the packet
# tcpdump -nnvvXS
Heavy packet viewing // the final “s” increases the snaplength, grabbing the whole packet
# tcpdump -nnvvXSs 1514
host // look for traffic based on IP address (also works with hostname if you’re not using -n)
# tcpdump host 1.2.3.4
src, dst // find traffic from only a source or destination (eliminates one side of a host conversation)
# tcpdump src 2.3.4.5
# tcpdump dst 3.4.5.6
net // capture an entire network using CIDR notation
# tcpdump net 1.2.3.0/24
proto // works for tcp, udp, and icmp. Note that you don’t have to type proto
# tcpdump icmp
port // see only traffic to or from a certain port
# tcpdump port 3389
src, dst port // filter based on the source or destination port
# tcpdump src port 1025 # tcpdump dst port 389
src/dst, port, protocol // combine all three
# tcpdump src port 1025 and tcp
# tcpdump udp and src port 53
You also have the option to filter by a range of ports instead of declaring them individually, and to only see packets that are above or below a certain size.
Port Ranges // see traffic to any port in a range
tcpdump portrange 21-23
Packet Size Filter // only see packets below or above a certain size (in bytes)
tcpdump less 32
tcpdump greater 128
[ You can use the symbols for less than, greater than, and less than or equal / greater than or equal signs as well. ]
// filtering for size using symbols
tcpdump > 32
tcpdump <= 128
[ Note: Only the PSH, RST, SYN, and FIN flags are displayed in tcpdump‘s flag field output. URGs and ACKs are displayed, but they are shown elsewhere in the output rather than in the flags field ]
Keep in mind the reasons these filters work. The filters above find these various packets because tcp[13] looks at offset 13 in the TCP header, the number represents the location within the byte, and the !=0 means that the flag in question is set to 1, i.e. it’s on.
Show all URG packets:
# tcpdump 'tcp[13] & 32 != 0'
Show all ACK packets:
# tcpdump 'tcp[13] & 16 != 0'
Show all PSH packets:
# tcpdump 'tcp[13] & 8 != 0'
Show all RST packets:
# tcpdump 'tcp[13] & 4 != 0'
Show all SYN packets:
# tcpdump 'tcp[13] & 2 != 0'
Show all FIN packets:
# tcpdump 'tcp[13] & 1 != 0'
Show all SYN-ACK packets:
# tcpdump 'tcp[13] = 18'
Show icmp echo request and reply
#tcpdump -n icmp and 'icmp[0] != 8 and icmp[0] != 0'
Show all IP packets with a non-zero TOS field (one byte TOS field is at offset 1 in IP header):
# tcpdump -v -n ip and ip[1]!=0
Show all IP packets with TTL less than some value (on byte TTL field is at offset 8 in IP header):
# tcpdump -v ip and 'ip[8]<2'
Show TCP SYN packets:
# tcpdump -n tcp and port 80 and 'tcp[tcpflags] & tcp-syn == tcp-syn'
# tcpdump tcp and port 80 and 'tcp[tcpflags] == tcp-syn'
# tcpdump -i <interface> "tcp[tcpflags] & (tcp-syn) != 0"
Show TCP ACK packets:
# tcpdump -i <interface> "tcp[tcpflags] & (tcp-ack) != 0"
Show TCP SYN/ACK packets (typically, responses from servers):
# tcpdump -n tcp and 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'
# tcpdump -n tcp and 'tcp[tcpflags] & tcp-syn == tcp-syn' and 'tcp[tcpflags] & tcp-ack == tcp-ack'
# tcpdump -i <interface> "tcp[tcpflags] & (tcp-syn|tcp-ack) != 0"
Show TCP FIN packets:
# tcpdump -i <interface> "tcp[tcpflags] & (tcp-fin) != 0"
Show ARP Packets with MAC address
# tcpdump -vv -e -nn ether proto 0x0806
Show packets of a specified length (IP packet length (16 bits) is located at offset 2 in IP header):
# tcpdump -l icmp and '(ip[2:2]>50)' -w - |tcpdump -r - -v ip and '(ip[2:2]<60)'
More Details:
http://danielmiessler.com/study/tcpdump/
@tcpdump-examples

This comment has been minimized.

Copy link

@tcpdump-examples tcpdump-examples commented Feb 24, 2021

Tcp flag is at offset 13 in the TCP header. So we can use tcp[13] to filter TCP flags.

In tcpdump‘s flag field output, we can see these flags. Please check this post for more details about how to filter tcp packets with tcp flags.

proto[x:y] : will start filtering from byte x for y bytes. ip[2:2] would filter bytes 3 and 4 (first byte begins by 0)

proto[x:y] & z = 0 : will match bits set to 0 when applying mask z to proto[x:y]

proto[x:y] & z !=0 : some bits are set when applying mask z to proto[x:y]

proto[x:y] & z = z : every bits are set to z when applying mask z to proto[x:y]

proto[x:y] = z : p[x:y] has exactly the bits set to z

What are TCP flags?

Each TCP flag corresponds to 1 bit in size. The list below describes each flag in greater detail. Additionally, check out the corresponding RFC section attributed to certain flags for a more comprehensive explanation.

  • SYN - The synchronisation flag is used as a first step in
    establishing a three way handshake between two hosts. Only the first
    packet from both the sender and receiver should have this flag set.
    The following diagram illustrates a three way handshake process.

  • ACK - The acknowledgment flag is used to acknowledge the successful receipt of a packet. As we can see from the diagram above, the receiver sends an ACK as well as a SYN in the second step of the three way handshake process to tell the sender that it received its initial packet.

  • FIN - The finished flag means there is no more data from the sender. Therefore, it is used in the last packet sent from the sender.

  • URG - The urgent flag is used to notify the receiver to process the urgent packets before processing all other packets. The receiver will be notified when all known urgent data has been received. See RFC 6093 for more details.

  • PSH - The push flag is somewhat similar to the URG flag and tells the receiver to process these packets as they are received instead of buffering them.

  • RST - The reset flag gets sent from the receiver to the sender when a packet is sent to a particular host that was not expecting it.

  • ECE - This flag is responsible for indicating if the TCP peer is ECN capable. See RFC 3168 for more details.

  • CWR - The congestion window reduced flag is used by the sending host to indicate it received a packet with the ECE flag set. See RFC 3168 for more details.

  • NS (experimental) - The nonce sum flag is still an experimental flag used to help protect against accidental malicious concealment of packets from the sender. See RFC 3540 for more details.

Reference:

TCP Flags

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment