viernes, 5 de septiembre de 2014

tcpdump advanced filters

Using this tcp header map I was able to catch the 3 way handshake between a client and server.

Below is the tcp header map




So looking at the tcp header map we know that the tcp header map, the syn,ack flags are on byte #13

Remember that the header starts at byte #0, so if we want to catch the communication initialization between a client and a server we need to catch the flags syn, syn-ack, and ack

client ------- Sends Syn ---------Server
Server -----answers syn-ack---client
client ----ansers ack -------------server
------Communication has been established--------
to catch this sequence for any given service, let's say port 22 (where ssh lives) we create the filter

tcpdump -i eth0 -n --tq '(tcp[13] = 2 or tcp[13] = 16 or tcp [13]=18) and ((src host 1.2.3.4 and dst port 22) and (dst host 5.6.7.8 and src port 22))'

 This will catch syn, syn-ack and ack

So tcp[13] = 2 means: on byte 13 the following pattern is: syn
cwr=0
ece=0
urg=0 (urgent)
ack=0(acknowledge)
psh=0(push)
rst=0(reset)
syn=1(sync)
fin=0(finish)

The above pattern is binary so 00000010 = 2

so tcp[13] = 18 on byte 13 the following pattern is: syn-ack
cwr=0
ece=0
urg=0 (urgent)
ack=1(acknowledge)
psh=0(push)
rst=0(reset)
syn=1(sync)
fin=0(finish)
The above pattern is binary so 00010010 = 18


o tcp[13] = 16on byte 13 the following pattern is: ack
cwr=0
ece=0
urg=0 (urgent)
ack=1(acknowledge)
psh=0(push)
rst=0(reset)
syn=0(sync)
fin=0(finish)
The above pattern is binary so 00010000 = 16

2nd part of the filter means: 
((src host 1.2.3.4 and dst port 22) and (dst host 5.6.7.8 and src port 22))

that my client (src host) is 1.2.3.4 and the destination port must be 22
and that my server (dst host) is 5.6.7.8 and the source port is 22

So pretty much the tcpdump builds a logical table

 (tcp[13] = 2 or tcp[13] = 16 or tcp [13]=18) and ((src host 1.2.3.4 and dst port 22) and (dst host 5.6.7.8 and src port 22))'

if this condiftion is true (tcp[13] = 2 or tcp[13] = 16 or tcp [13]=18)
if this condition is true ((src host 1.2.3.4 and dst port 22) and (dst host 5.6.7.8 and src port 22))

the packet will be captured and printed onto the screen


Happy filtering!
  




Publicado por en
Etiquetas:

No hay comentarios:

Publicar un comentario

Suscribirse a: Enviar comentarios (Atom)