Thursday, December 8, 2011

Data Capturing using TCP Flags

When capturing with Ethereal or tcpdump, remember that you can filter for packets by the TCP flags they carry: ACK, SYN, URG, FIN, RST, PSH and so on. Each flag is one bit in the flags byte of the TCP header, so a filter is just a mask on that byte.

FLAG -- SIGNIFICANCE -- VALUE (decimal / hex)

urg = `Urgent Pointer field significant' -> 32 / 0x20
ack = `Acknowledgment field significant' -> 16 / 0x10
psh = `Push Function' -> 8 / 0x08
rst = `Reset the connection' -> 4 / 0x04
syn = `Synchronize sequence numbers' -> 2 / 0x02
fin = `No more data from sender' -> 1 / 0x01

The same byte also holds the two ECN bits, ece (64 / 0x40) and cwr (128 / 0x80), which matters when you compare the whole byte rather than masking it (see the SYN-ACK example below).

For starters, it should be known that tcpdump has a man page. Yup, really!! Read it (man tcpdump, and man pcap-filter for the filter expression syntax) and learn from it.

Here are the tcpdump switches you will use most:

* -n : Don't resolve IP addresses to hostnames.
* -nn : Don't resolve hostnames or port/protocol names (show numbers only).
* -X : Show the packet's contents in both hex and ASCII.
* -v, -vv, -vvv : Increase the amount of packet information you get back.
* -c x : Capture only x packets and then stop.
* -S : Print absolute rather than relative TCP sequence numbers.
* -e : Print the link-level (Ethernet) header as well.

So, using this reference, we can sniff for the various TCP flags. tcp[13] means byte 13 (counting from 0) of the TCP header, which is the flags byte, so ANDing it with a flag's value and testing for non-zero selects packets with that flag set. (Newer tcpdump also accepts the symbolic forms tcp[tcpflags] and tcp-syn, tcp-ack, tcp-fin, tcp-rst, tcp-push, tcp-urg, so the mask need not be a number.) For example:

Sniff all SYN flagged packets
tcpdump 'tcp[13] & 2 != 0'

Sniff all PSH flagged packets
tcpdump 'tcp[13] & 8 != 0'

Sniff all URG flagged packets
tcpdump 'tcp[13] & 32 != 0'

Sniff all RST flagged packets
tcpdump 'tcp[13] & 4 != 0'

Sniff all ACK flagged packets
tcpdump 'tcp[13] & 16 != 0'

Sniff all FIN flagged packets
tcpdump 'tcp[13] & 1 != 0'

Sniff all SYN-ACK flagged packets (flag byte exactly SYN + ACK = 2 + 16)
tcpdump 'tcp[13] = 18'

Note that = 18 is an exact match on the whole byte: a SYN-ACK from an ECN-capable host also sets ece, giving 82, and is missed. To match any packet with both SYN and ACK set regardless of the other bits, mask first and then compare: tcp[13] & 18 = 18.

Well, you get the idea ... find the rest on your own. I don't want to be your little donkey doing all your work.

*If you feel lucky, try: "tcpdump ip6"
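To make the byte-and-mask mechanics concrete, here is an added example, written for this page rather than taken from the post or from tcpdump itself. It builds a handful of raw IPv4+TCP packets in pure Python (addresses, ports and payload are made up), locates the flags byte the way a BPF filter does (relative to the TCP header, so the IP header length must be honoured), and applies the same expressions used above, including the difference between tcp[13] = 18 and tcp[13] & 18 = 18. The helper names (build_packet, any_flag, all_flags, exact_flags, run_filters) are this example's own.

```python
# Added example (not from the original post): a pure-Python emulation of what
# tcpdump's `tcp[13] & mask` filters test, run over constructed packets.
import struct

# Bit values of the TCP flag byte, which is byte 13 (counting from 0) of the
# TCP header.  The last two, ECE and CWR, share that byte as well.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 1, 2, 4, 8, 16, 32, 64, 128
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH",
              ACK: "ACK", URG: "URG", ECE: "ECE", CWR: "CWR"}


def build_packet(flags, ip_options=b"", payload=b""):
    """Construct a minimal IPv4+TCP packet (no Ethernet header, checksums
    left at zero).  Addresses and ports are made up for the demo."""
    ip_hdr_len = 20 + len(ip_options)
    if ip_hdr_len % 4:
        raise ValueError("IP options must be padded to a multiple of 4 bytes")
    total_len = ip_hdr_len + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | (ip_hdr_len // 4),  # version 4, IHL in 32-bit words
                         0, total_len, 0, 0, 64, 6, 0,   # TOS, len, id, frag, TTL, proto=TCP, csum
                         bytes([192, 168, 2, 102]), bytes([10, 0, 0, 1])) + ip_options
    # TCP: sport, dport, seq, ack, data offset (5 words) << 4, flags, window, csum, urgptr
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def tcp_flags_byte(packet):
    """Return the byte tcpdump calls tcp[13].  The index is relative to the
    start of the TCP header, so the IPv4 header length (IHL) must be honoured."""
    if packet[0] >> 4 != 4:
        raise ValueError("only IPv4 is handled in this demo")
    if packet[9] != 6:
        raise ValueError("not a TCP packet")
    ihl_bytes = (packet[0] & 0x0F) * 4
    return packet[ihl_bytes + 13]


def any_flag(packet, mask):
    """tcp[13] & mask != 0  -- at least one of the bits in mask is set."""
    return tcp_flags_byte(packet) & mask != 0


def all_flags(packet, mask):
    """tcp[13] & mask = mask  -- every bit in mask is set, other bits ignored."""
    return tcp_flags_byte(packet) & mask == mask


def exact_flags(packet, value):
    """tcp[13] = value  -- the whole flag byte equals value, nothing else set."""
    return tcp_flags_byte(packet) == value


def flag_names(packet):
    """Human-readable flag list, e.g. ['SYN', 'ACK']."""
    b = tcp_flags_byte(packet)
    return [name for bit, name in FLAG_NAMES.items() if b & bit]


# Constructed sample traffic: a handshake, a data segment, a teardown, a reset,
# a SYN carrying four NOP IP options (IHL = 6) and an ECN-capable SYN-ACK.
SAMPLES = {
    "syn":          build_packet(SYN),
    "syn_ack":      build_packet(SYN | ACK),
    "ack":          build_packet(ACK),
    "psh_ack_data": build_packet(PSH | ACK, payload=b"GET / HTTP/1.0\r\n\r\n"),
    "fin_ack":      build_packet(FIN | ACK),
    "rst":          build_packet(RST),
    "syn_ipopts":   build_packet(SYN, ip_options=b"\x01\x01\x01\x01"),
    "syn_ack_ece":  build_packet(SYN | ACK | ECE),
}


def run_filters():
    """Apply the post's filters to every sample; returns {expression: [matches]}."""
    filters = {
        "tcp[13] & 2 != 0":  lambda p: any_flag(p, SYN),
        "tcp[13] & 16 != 0": lambda p: any_flag(p, ACK),
        "tcp[13] = 18":      lambda p: exact_flags(p, SYN | ACK),
        "tcp[13] & 18 = 18": lambda p: all_flags(p, SYN | ACK),
    }
    return {expr: [n for n, p in SAMPLES.items() if f(p)] for expr, f in filters.items()}


if __name__ == "__main__":
    for expr, hits in run_filters().items():
        print(f"{expr:20s} -> {hits}")
```

The syn_ipopts sample is there to show why the index is taken from the TCP header and not the IP packet: with a 24-byte IP header the flags byte sits at packet offset 37, and a filter that hard-coded offset 33 would read the TCP sequence number instead. The syn_ack_ece sample shows that only the masked comparison catches an ECN-negotiating SYN-ACK.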

The same applies to Ethereal (now Wireshark). Its capture filter takes the same libpcap syntax as tcpdump, so the same byte-and-mask expression works there:

Sniff all SYN flagged packets
tcp[13] & 0x02 = 2

Display filters use Wireshark's own field names instead (tcp.flags.syn, tcp.flags.ack and so on), and you can combine them with the logical operators and, or, xor and not. For example:

ip.addr == 192.168.2.102 and tcp.flags.ack

As written, though, a bare tcp.flags.ack only tests that the field is present, which is true of every TCP packet; to require that the bit is actually set, compare it: tcp.flags.ack == 1.
