19.8. Capturing TCP Flags with tcpdump
Problem
The syntax for tcpdump filters is pretty easy to understand, until you come to the part about filtering on specific TCP flags, like SYN, ACK, RST, and so forth. Then, it goes all bizarre. How do you know what to use?
Solution
The tcpdump manpage tells how to calculate the correct values for TCP flags. You are welcome to study it and learn how to figure them out from scratch. Or, you can copy them from here.
Capture all SYN packets:
# tcpdump 'tcp[13] & 2 != 0'
Capture all ACK packets:
# tcpdump 'tcp[13] & 16 != 0'
Capture all SYN-ACK packets:
# tcpdump 'tcp[13] = 18'
Capture all FIN packets:
# tcpdump 'tcp[13] & 1 != 0'
Capture all URG packets:
# tcpdump 'tcp[13] & 32 != 0'
Capture all PSH packets:
# tcpdump 'tcp[13] & 8 != 0'
Capture all RST packets:
# tcpdump 'tcp[13] & 4 != 0'
Where these numbers come from: tcp[13] is byte 13 (counting from zero) of the TCP header, which holds the flag bits, and each flag has a fixed value: FIN = 1, SYN = 2, RST = 4, PSH = 8, ACK = 16, URG = 32 (the two high bits, ECE = 64 and CWR = 128, are used for ECN). A filter of the form tcp[13] & N != 0 matches any packet that has flag N set, whatever else is set. By contrast, tcp[13] = 18 matches only packets whose flag byte is exactly SYN plus ACK (2 + 16), so a SYN-ACK that also carries ECE is not captured. To catch SYN-ACKs regardless of the other bits, use:
# tcpdump 'tcp[13] & 18 = 18'
Recent tcpdump releases also accept symbolic names, so 'tcp[tcpflags] & (tcp-syn|tcp-ack) = (tcp-syn|tcp-ack)' is equivalent to that filter.
These may be combined with other filtering options such as ports, hosts, and networks, just like in the previous recipe.
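The shell functions below are an added example, not part of the book; they build the tcp[13] expressions from flag names so you do not have to remember the bit values, and cover the three match semantics the recipe uses (any of the flags, all of the flags, exactly these flags). The function names are this example's own, not tcpdump options, and the sample invocations at the bottom are constructed.

```sh
#!/bin/sh
# Added example (not from the book): derive tcp[13] filter expressions from
# flag names. The flags byte sits at offset 13 of the TCP header with fixed
# bit values: FIN=1 SYN=2 RST=4 PSH=8 ACK=16 URG=32 ECE=64 CWR=128.
# The function names below are this example's own, not tcpdump options.

# Print the bit value of one flag name (case-insensitive); fail on unknown names.
tcp_flag_value() {
    case "$(printf '%s' "$1" | tr 'a-z' 'A-Z')" in
        FIN) echo 1 ;;
        SYN) echo 2 ;;
        RST) echo 4 ;;
        PSH) echo 8 ;;
        ACK) echo 16 ;;
        URG) echo 32 ;;
        ECE) echo 64 ;;
        CWR) echo 128 ;;
        *) echo "unknown TCP flag: $1" >&2; return 1 ;;
    esac
}

# OR together the bits of every flag name given; no names gives 0.
tcp_flag_mask() {
    mask=0
    for flag in "$@"; do
        bit=$(tcp_flag_value "$flag") || return 1
        mask=$((mask | bit))
    done
    echo "$mask"
}

# Three match semantics, mirroring the expressions in the recipe:
#   any:  at least one of the listed flags is set        (tcp[13] & M != 0)
#   all:  every listed flag is set, other bits don't care (tcp[13] & M = M)
#   only: exactly the listed flags and nothing else      (tcp[13] = M)
tcp_filter_any()  { mask=$(tcp_flag_mask "$@") || return 1; echo "tcp[13] & $mask != 0"; }
tcp_filter_all()  { mask=$(tcp_flag_mask "$@") || return 1; echo "tcp[13] & $mask = $mask"; }
tcp_filter_only() { mask=$(tcp_flag_mask "$@") || return 1; echo "tcp[13] = $mask"; }

# Constructed usage: each call prints a filter string you can hand to tcpdump,
# combined with other primitives as usual, e.g.
#   tcpdump -nn "$(tcp_filter_all SYN ACK) and port 443"
tcp_filter_any SYN            # tcp[13] & 2 != 0   (the recipe's SYN filter)
tcp_filter_only SYN ACK       # tcp[13] = 18       (the recipe's SYN-ACK filter)
tcp_filter_all SYN ACK        # tcp[13] & 18 = 18  (SYN-ACK even if ECE/CWR are set)
tcp_filter_only               # tcp[13] = 0        (no flags at all, a "null scan")
tcp_filter_all FIN PSH URG    # tcp[13] & 41 = 41  (FIN+PSH+URG, an "Xmas scan")
```

The "all" form is the one to reach for when matching handshake packets, since it is not thrown off by the ECN bits; the "only" form is useful for catching flag combinations that a normal stack never sends.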
Discussion
There are several scenarios where you'll want to look for certain TCP flags, such as when you're investigating suspicious activity (port scans, for example, show up as bursts of SYNs, RSTs, or unusual flag combinations), or having problems with misconfigured services sending the wrong responses. Another way to do this sort of filtering is to capture a lot of data with minimal filtering and dump it to a file with the -w switch, then examine the file in Wireshark, or re-read it with tcpdump -r and a different filter expression. Then you'll be able to filter the same set of data several different ways without having to get a new capture each time.
Using Wireshark to analyze and filter a tcpdump ...