This is supposed to be VERY short and a quick overview, so here it is.
TCP Flags Overview:
For data capturing with Ethereal and TCPdump, remember that you can filter for packets that have particular TCP flags set, such as ACK, SYN, URG, FIN, RST, PSH, etc. The flags live in byte 13 of the TCP header (counting from 0), one bit per flag:
FLAG -- SIGNIFICANCE -- VALUE (decimal, as used in the filters below)
urg = 'Urgent Pointer field significant' -> 32
ack = 'Acknowledgment field significant' -> 16
psh = 'Push Function' -> 8
rst = 'Reset the connection' -> 4
syn = 'Synchronize sequence numbers' -> 2
fin = 'No more data from sender' -> 1
For starters, it should be known that TCPdump has a readme (man page). Yup, really!! Access it, and learn from it:
Here are the TCPdump switch meanings:
* -n : Don't resolve hostnames.
* -nn : Don't resolve hostnames or port names.
* -X : Show the packet's contents in both hex and ASCII.
* -v, -vv, -vvv : Increase the amount of packet information you get back (each extra v adds more).
* -c N : Capture N packets and then stop.
* -S : Print absolute (rather than relative) TCP sequence numbers.
* -e : Print the link-level (Ethernet) header as well.
So, using this reference, we can see that we can sniff for various TCP flags. For example:
Sniff all SYN flagged packets
tcpdump 'tcp[13] & 2 != 0'
Sniff all PSH flagged packets
tcpdump 'tcp[13] & 8 != 0'
Sniff all URG flagged packets
tcpdump 'tcp[13] & 32 != 0'
Sniff all RST flagged packets
tcpdump 'tcp[13] & 4 != 0'
Sniff all ACK flagged packets
tcpdump 'tcp[13] & 16 != 0'
Sniff all FIN flagged packets
tcpdump 'tcp[13] & 1 != 0'
Sniff all SYN-ACK flagged packets (exactly SYN+ACK = 16+2 = 18 and nothing else set)
tcpdump 'tcp[13] = 18'
Well, you get the idea ... find the rest on your own. I don't want to be your little donkey doing all your work.
*If you feel lucky, try: "tcpdump ip6"
The same applies for Ethereal (now Wireshark); the capture filter line takes the same BPF syntax as TCPdump, so you'd simply set the flag bits to match:
Sniff all SYN flagged packets
tcp[13] & 0x02 = 2
You can make it more complex still with logical operators (and, or, xor, not). Note that the display filter (the bar above the packet list) uses Wireshark's own field names and == for comparison, not the BPF byte-offset syntax. For example:
ip.addr == 192.168.2.102 and tcp.flags.ack
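To make the "tcp[13]" arithmetic concrete, here is an added example (not from the original article) that builds a few TCP segments with constructed headers, pulls out the flags byte exactly the way the BPF filters above index it, and evaluates the page's filter expressions against them. The packet contents, addresses and ports are made up for the demo; the point it shows beyond the text is that 'tcp[13] = 18' only matches a SYN-ACK with no other bits set, so a server that answers with the ECN-Echo bit (64) set in its SYN-ACK slips past that filter, while 'tcp[13] & 18 = 18' still catches it.

```python
import struct

# TCP flag bits as they sit in byte 13 of the TCP header (the table above).
FLAGS = {"URG": 32, "ACK": 16, "PSH": 8, "RST": 4, "SYN": 2, "FIN": 1}
ECE = 64  # ECN-Echo, the bit just above URG; not in the table but set on the wire by ECN-capable hosts


def tcp_flags_byte(ip_packet: bytes) -> int:
    """Return tcp[13] for an IPv4 packet: skip the IP header (IHL * 4 bytes),
    then take the byte at offset 13 of the TCP header."""
    ihl = (ip_packet[0] & 0x0F) * 4
    return ip_packet[ihl + 13]


def flag_names(flags: int) -> list:
    """Name the flags from the table that are set in a tcp[13] value."""
    return [name for name, bit in FLAGS.items() if flags & bit]


def flag_value(names) -> int:
    """Build the decimal value used in a filter, e.g. ('SYN', 'ACK') -> 18."""
    value = 0
    for name in names:
        value |= FLAGS[name.upper()]
    return value


def build_packet(flags: int) -> bytes:
    """Constructed minimal IPv4 + TCP header (20 + 20 bytes). Checksums are left
    at zero and the addresses/ports are placeholders; only tcp[13] matters here."""
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 40, 0, 0, 64, 6, 0,
        bytes([192, 168, 2, 1]), bytes([192, 168, 2, 102]),
    )
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        40000, 80, 0, 0,
        5 << 4,   # data offset = 5 words, no options
        flags,    # this is tcp[13]
        65535, 0, 0,
    )
    return ip_hdr + tcp_hdr


# Constructed sample traffic: a handshake, some data, a teardown, a reset,
# plus a SYN-ACK from an ECN-capable server (ECE set alongside SYN+ACK).
SAMPLE_PACKETS = [
    build_packet(flag_value(["SYN"])),                  # 2
    build_packet(flag_value(["SYN", "ACK"])),           # 18
    build_packet(flag_value(["SYN", "ACK"]) | ECE),     # 82
    build_packet(flag_value(["ACK"])),                  # 16
    build_packet(flag_value(["PSH", "ACK"])),           # 24
    build_packet(flag_value(["FIN", "ACK"])),           # 17
    build_packet(flag_value(["RST"])),                  # 4
]

# The page's filter expressions, as Python predicates over tcp[13].
FILTERS = {
    "tcp[13] & 2 != 0": lambda f: (f & 2) != 0,    # any packet with SYN set
    "tcp[13] = 18": lambda f: f == 18,             # exactly SYN+ACK, nothing else
    "tcp[13] & 18 = 18": lambda f: (f & 18) == 18,  # SYN and ACK set, other bits ignored
}


def apply_filters(packets) -> dict:
    """Count how many packets each filter expression would let through."""
    return {
        expr: sum(1 for p in packets if pred(tcp_flags_byte(p)))
        for expr, pred in FILTERS.items()
    }


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        f = tcp_flags_byte(p)
        print(f"tcp[13] = {f:3d} (0x{f:02x})  flags: {' '.join(flag_names(f)) or '-'}")
    for expr, count in apply_filters(SAMPLE_PACKETS).items():
        print(f"{expr:20s} matches {count} of {len(SAMPLE_PACKETS)} packets")
```

The mask-and-compare form ('tcp[13] & 18 = 18') is the one to use when you want every SYN-ACK regardless of the ECN bits; the equality form is stricter than it looks.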
Well, you get the idea. Hope you liked my half assed article. Expect more.
I feel burnt out at the moment, hence why it's so short and does NOT go in detail. It's only meant to be a primer.