Few are those who can see with their own eyes and hear with their own hearts. - Albert Einstein
Sunday, September 23, 2018
Data Capturing using TCP Flags

This is supposed to be VERY short and a quick overview, so here it is.

TCP Flags Overview:

For data capturing using Ethereal and TCPdump, just remember that you can capture packets that have particular flags set, such as ACK, SYN, URG, FIN, RST, PSH, etc. Each flag is one bit in the flags byte of the TCP header, with these values:


urg = 'Urgent Pointer field significant' -> 32
ack = 'Acknowledgment field significant' -> 16
psh = 'Push Function' -> 8
rst = 'Reset the connection' -> 4
syn = 'Synchronize sequence numbers' -> 2
fin = 'No more data from sender' -> 1

For starters, it should be known that TCPdump has a readme (man page). Yup, really!! Access it, and learn from it:

Here are the TCPdump switch meanings:

* -n : Don't resolve hostnames.
* -nn : Don't resolve hostnames or port names.
* -X : Show the packet's contents in both hex and ASCII.
* -v, -vv, -vvv : Increase the amount of packet information you get back.
* -c N : Capture only N packets and then stop.
* -S : Print absolute sequence numbers.
* -e : Get the Ethernet header as well.

So, using this reference, we can sniff for various TCP flags. tcp[13] is the flags byte of the TCP header (offset 13), and the mask is the bit value from the table above. For example:

Sniff all SYN flagged packets
tcpdump 'tcp[13] & 2 != 0'

Sniff all PSH flagged packets
tcpdump 'tcp[13] & 8 != 0'

Sniff all URG flagged packets
tcpdump 'tcp[13] & 32 != 0'

Sniff all RST flagged packets
tcpdump 'tcp[13] & 4 != 0'

Sniff all ACK flagged packets
tcpdump 'tcp[13] & 16 != 0'

Sniff all FIN flagged packets
tcpdump 'tcp[13] & 1 != 0'

Sniff all SYN-ACK flagged packets (16 + 2 = 18, and nothing else set)
tcpdump 'tcp[13] = 18'

Well, you get the idea ... find the rest on your own. I don't want to be your little donkey doing all your work.

*If you feel lucky, try: "tcpdump ip6"
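To make the byte-13 arithmetic concrete, here is an added Python example (not from the original article) that builds a few constructed TCP headers and evaluates the same predicates tcpdump uses above. It shows that 'tcp[13] & 2 != 0' also catches SYN-ACK, while 'tcp[13] = 18' matches only a bare SYN-ACK; all packet contents are made up for the demo.

```python
import struct

# Flag bit values from the table above; the byte at TCP header offset 13
# is what tcpdump's 'tcp[13]' refers to.
TCP_FLAGS = {"urg": 32, "ack": 16, "psh": 8, "rst": 4, "syn": 2, "fin": 1}

def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=65535):
    """Build a constructed 20-byte TCP header (no options) for testing.
    `flags` is an iterable of lower-case flag names, e.g. ("syn", "ack")."""
    flag_byte = 0
    for name in flags:
        flag_byte |= TCP_FLAGS[name]
    data_offset = 5 << 4  # header length 5 x 32-bit words; reserved bits zero
    # !HHIIBBHHH: ports, seq, ack, offset/reserved, flags, window, csum, urg ptr
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flag_byte, window, 0, 0)

def tcp13(header):
    """Return the flags byte, i.e. what 'tcp[13]' evaluates to in tcpdump."""
    return header[13]

def decode_flags(header):
    """Names of the flags set in the header, sorted for stable output."""
    return sorted(n for n, bit in TCP_FLAGS.items() if tcp13(header) & bit)

def matches_flag(header, name):
    """Equivalent of the filter 'tcp[13] & <bit> != 0' for one flag."""
    return tcp13(header) & TCP_FLAGS[name] != 0

def is_syn_ack(header):
    """Equivalent of 'tcp[13] = 18': exactly SYN and ACK set, nothing else."""
    return tcp13(header) == TCP_FLAGS["syn"] + TCP_FLAGS["ack"]

# Constructed sample packets: a three-way handshake, one data segment, a reset.
SAMPLES = {
    "client_syn": build_tcp_header(50000, 80, ("syn",), seq=1000),
    "server_synack": build_tcp_header(80, 50000, ("syn", "ack"), seq=5000, ack=1001),
    "client_ack": build_tcp_header(50000, 80, ("ack",), seq=1001, ack=5001),
    "data_pshack": build_tcp_header(50000, 80, ("psh", "ack"), seq=1001, ack=5001),
    "reset": build_tcp_header(80, 50000, ("rst", "ack"), ack=1001),
}

def filter_samples(predicate):
    """Names of the sample packets that a predicate (the 'filter') captures."""
    return [name for name, hdr in SAMPLES.items() if predicate(hdr)]

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:14s} tcp[13]={tcp13(hdr):3d} flags={decode_flags(hdr)}")
    print("tcp[13] & 2 != 0 ->", filter_samples(lambda h: matches_flag(h, "syn")))
    print("tcp[13] = 18     ->", filter_samples(is_syn_ack))
```

Run it and compare the two SYN lines: the mask test returns both the client SYN and the server SYN-ACK, whereas the equality test returns only the SYN-ACK.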

The same applies for Ethereal (now Wireshark), you'd simply set the flags in the filter line to represent:

Sniff all SYN flagged packets
tcp[13] & 0x02 = 2

You can make it even more complex by using logical operators (OR, AND, XOR). For example:

ip.addr == and tcp.flags.ack

Well, you get the idea. Hope you liked my half assed article. Expect more.

I feel burnt out at the moment, hence why it's so short and does NOT go in detail. It's only meant to be a primer.


system_meltdown on September 23 2007 - 22:48:07
Arcube why did you vote poor without giving a reason?
netfish on September 23 2007 - 23:58:05
lol, cuz I pwn3d him in the forums earlier this week. HAHAHAH
Arcube on September 24 2007 - 02:39:52
Lol, no. Because your article isn't complete and you even say it. You said you were burnt and that is why the article is short. You should wait until you are not 'burnt' and do a more complete article and go more in detail. I rated your other article well because they were detailed and complete.
Arcube on September 24 2007 - 02:56:07
If you see an article, that you find interesting, on any kind of document, like magazines, or news websites, and at the end, the person who wrote the article says "oh, because I feel burnt, I won't go in detail and it's just to give a little idea of the subject." it makes you lose interest in the article. If you know you can do better, then you should take more time and do better.
netfish on September 24 2007 - 06:05:18
yah, too bad this isn't a magazine, eh?
system_meltdown on September 24 2007 - 23:53:33
Shouldn't you wait til it's complete before judging then?
richohealey on September 26 2007 - 03:04:21
netfish is always right.
Folk Theory on October 22 2007 - 02:11:34
i think the article was great, but arcube does have a point. in general, just don't self-denigrate your work, then people won't notice it's only half baked. @system meltdown: per your suggestion, i won't rate it yet >.<
