IPv4 Subnet Calculating

Calculating the Netmask Length (also called a prefix):

https://networkengineering.stackexchange.com/questions/7106/how-do-you-calculate-the-prefix-network-subnet-and-host-numbers

Convert the dotted-decimal representation of the netmask to binary. Then, count the number of contiguous 1 bits, starting at the most significant bit in the first octet (i.e. the left-hand-side of the binary number).

255.255.248.0   in binary: 11111111 11111111 11111000 00000000
                           -----------------------------------
                           I counted twenty-one 1s             -------> /21

The prefix of 128.42.5.4 with a 255.255.248.0 netmask is /21.

Calculating the Network Address:

The network address is the logical AND of the respective bits in the binary representation of the IP address and network mask. Align the bits in both addresses, and perform a logical AND on each pair of the respective bits. Then convert the individual octets of the result back to decimal.

Logical AND truth table:

128.42.5.4      in binary: 10000000 00101010 00000101 00000100
255.255.248. 0   in binary: 11111111 11111111 11111000 00000000
                           ----------------------------------- [Logical AND]
                           10000000 00101010 00000000 00000000 ------> 128.42.0.0

As you can see, the network address of 128.42.5.4/21 is 128.42.0.0

Calculating the Broadcast Address:

The broadcast address converts all host bits to 1s…

Remember that our IP address in decimal is:

128.42.5.4      in binary: 10000000 00101010 00000101 00000100

The network mask is:

255.255.248.0   in binary: 11111111 11111111 11111000 00000000

This means our host bits are the last 11 bits of the IP address, because we find the host mask by inverting the network mask:

Host bit mask            : 00000000 00000000 00000hhh hhhhhhhh

To calculate the broadcast address, we force all host bits to be 1s:

128.42.5.4      in binary: 10000000 00101010 00000101 00000100
Host bit mask            : 00000000 00000000 00000hhh hhhhhhhh
                           ----------------------------------- [Force host bits]
                           10000000 00101010 00000111 11111111 ----> 128.42.7.255

Calculating subnets:

You haven’t given enough information to calculate subnets for this network; as a general rule you build subnets by reallocating some of the host bits as network bits for each subnet. Many times there isn’t one right way to subnet a block… depending on your constraints, there could be several valid ways to subnet a block of addresses.

Let’s assume we will break 128.42.0.0/21 into 4 subnets that must hold at least 100 hosts each…

In this example, we know that you need at least a /25 prefix to contain 100 hosts; I chose a /24 because it falls on an octet boundary. Notice that the network address for each subnet borrows host bits from the parent network block.

Finding the required subnet masklength or netmask:

How did I know that I need at least a /25 masklength for 100 hosts? Calculate the prefix by backing into the number of host bits required to contain 100 hosts. One needs 7 host bits to contain 100 hosts. Officially this is calculated with:

Host bits = Log₂(Number-of-hosts) = Log₂(100) = 6.643

Since IPv4 addresses are 32 bits wide, and we are using the host bits (i.e. least significant bits), simply subtract 7 from 32 to calculate the minimum subnet prefix for each subnet… 32 – 7 = 25.

The lazy way to break 128.42.0.0/21 into four equal subnets:

Since we only want four subnets from the whole 128.42.0.0/21 block, we could use /23 subnets. I chose /23 because we need 4 subnets… i.e. an extra two bits added to the netmask.

This is an equally-valid answer to the constraint, using /23 subnets of 128.42.0.0/21…

Calculating the host number:

This is what we’ve already done above… just reuse the host mask from the work we did when we calculated the broadcast address of 128.42.5.4/21… This time I’ll use 1s instead of h, because we need to perform a logical AND on the network address again.

128.42.5.4      in binary: 10000000 00101010 00000101 00000100
Host bit mask            : 00000000 00000000 00000111 11111111
                           ----------------------------------- [Logical AND]
                           00000000 00000000 00000101 00000100 -----> 0.0.5.4

Calculating the maximum possible number of hosts in a subnet:

To find the maximum number of hosts, look at the number of binary bits in the host number above. The easiest way to do this is to subtract the netmask length from 32 (number of bits in an IPv4 address). This gives you the number of host bits in the address. At that point…

Maximum Number of hosts = 2**(32 – netmask_length) – 2

The reason we subtract 2 above is because the all-ones and all-zeros host numbers are reserved. The all-zeros host number is the network number; the all-ones host number is the broadcast address.

Using the example subnet of 128.42.0.0/21 above, the number of hosts is…

Maximum Number of hosts = 2**(32 – 21) – 2 = 2048 – 2 = 2046

Finding the maximum netmask (minimum hostmask) which contains two IP addresses:

Suppose someone gives us two IP addresses and expects us to find the longest netmask which contains both of them; for example, what if we had:

128.42.5.17
128.42.5.67

The easiest thing to do is to convert both to binary and look for the longest string of network-bits from the left-hand side of the address.

128.42.5.17     in binary: 10000000 00101010 00000101 00010001
128.42.5.67     in binary: 10000000 00101010 00000101 01000011
                           ^                           ^     ^
                           |                           |     |
                           +--------- Network ---------+Host-+
                             (All bits are the same)    Bits

In this case the maximum netmask (minimum hostmask) would be /25

NOTE: If you try starting from the right-hand side, don’t get tricked just because you find one matching column of bits; there could be unmatched bits beyond those matching bits. Honestly, the safest thing to do is to start from the left-hand side.

3rd May 2017

Open Sense (PFSense Fork) Notes

NAT Configuration on OpenSense

interface > other types > vlan > Add

interfaces > assignments > Add new interface > assign name, ip address, mru etc

Firewall > nat > outbound > clone existing rule and edit network address &

22nd July 2016

Silk, iSilk Wonderland

Notes on installing and using Silk network monitoring on a pre-configured log server named Wonderland

Download iSilk client from https://tools.netsa.cert.org/isilk/download.html#
Run the setup wizard and enter the FQDN of the wonderland server along with a valid username and passwordNOTE: I was unable to use the autoconfiguration tool in iSilk to connect to our server, it was failing to generate the SSH-DSA keys as intended so I used PuttyGen to create my own 2048-bit SSH-DSA keys and then copied the public key string to [ ~/.ssh/authorized_keys ] on the target server, ensuring I added to and not over-wrote the file.I could then skip the wizard and complete the Host, port, user(name), and public key file location on my local machine from the initial connection page and save that as the default.
On the [General] tab I entered:Output Directory = [ /data/silk/dave ] , having created that dir on the server and applying the user:root permissions to it.
Library Path = [ /data/silk/library ] , as defined in the silk.conf file (i think) on the target server.
Limit Maximum Records = [UNTICK]
Exclude IPv6 = [TICKED] (as our server doesn’t use it).
Using Putty’s [ Pageant ] and loading in my private key file I was then able to launch iSilk and it connected cleanly to the target server!

Following the setup I then created my first set and within that my first query through the GUI which resulted in these options for the command line:

rwfilter --type=out,outweb,in,inweb --sensors=S1 --start-date=2016/07/18:18 --end-date=2016/07/19:01 --proto=0-255 --max-pass-records=0 --ip-version=4 --pass=FirstQuery.rwf --print-filenames

11th May 2016

Eduroam Profile Rebuild

There is a known issue with certain wireless access points and some clients. The solution is to:

1. Forget the Eduroam network from your device

2. Using your mobile data connection or via OWL (if you use OWL you will need to connect to it, close the browser pop up, connect to it again and close the browser pop up a second time – now you will have the option to “Use without Internet”) visit :
http://cat.eduroam.org

3. Download the configuration tool for your device and launch it, entering your username in the format kebl1234@ox.ac.uk along with your Eduroam / Remote Access password

4. Now connect to the Eduroam network and all should be well.

28th July 2015

tcpdump Mac OSX Wireless Monitoring Mode

The preamble

Steve Kersley provided me with a quick tute in using the native Mac OSX tools to monitor the local wifi clients and access points.

The prep

First prep the symlink on the machines

sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/sbin/airport

The Commands

Next run the dissassociate command on the wireless adpater:

sudo airport -z

finally run the tcpdump command to begin monitoring the wireless activity in realtime

sudo tcpdump -i en1 -I -n type mgt and not subtype beacon

The explanation

The previous command is broken down into:

-i en1 : specify the interface to listen on
-I : Print the interface on each dump line.
-n : do not convert address (don’t use DNS resolution)
type mgt and not subtype beacon : filter the packets by type mgt (exclude ctl and data) and also just examine the beacon data for dis/associate events

The above is fairly self-explanatory except for the last options for filtering by type.

An excellent resource I used for reference to understand this can be found at http://www.wildpackets.com/resources/compendium/wireless_lan/wlan_packet_types

and is included below for reference:

802.11 WLAN Packet Types

The table below lists the various packet types and subtypes specified in the 802.11 WLAN standard, and describes their usage briefly.

Table E.1 WLAN packet types
Packet Types				Usage
type		subtype
00	mgmt	0000	Association Request	This packet is sent to an access point (in a BSS or ESS) or to any other peer (in an IBSS or ad hoc network). The sender must already be authenticated in order to gain a successful association.
00	mgmt	0001	Association Response	This packet is sent from an access point (in a BSS or ESS) or from any other peer (in an IBSS or ad hoc network) in response to an association request packet. If the request is successful, the response will include the Association ID of the requester.
00	mgmt	0010	Reassociation Request	Like an association request, but it includes information about the current association at the same time as it requests a new association (either with the original Station after some lapse of time, or with a new station upon moving from one BSS to another). This packet is sent to an access point (in a BSS or ESS) or to any other peer (in an IBSS or ad hoc network). The sender must already be authenticated in order to gain a successful association.
00	mgmt	0011	Reassociation Response	Like an association response, but in response to a reassociation request. This packet is sent from an access point (in a BSS or ESS) or from any other peer (in an IBSS or ad hoc network) in response to a reassociation request packet. If the request is successful, the response will include the Association ID of the requester.
00	mgmt	0100	Probe Request	Probe request is used to actively seek any, or a particular, access point or BSS.
00	mgmt	0101	Probe Response	Probe response replies with station parameters and supported data rates.
00	mgmt	1000	Beacon	Beacon packets are sent by the access point in a BSS (or its equivalent in an IBSS) to announce the beginning of a Contention Free period (CF), during which the right to transmit is conferred by the access point by polling. Beacon management packets carry BSS timestamps to help synchronize member stations with the BSS, and other information to help them locate and choose the BSS with the best signal and availability.
00	mgmt	1001	ATIM	Announcement Traffic Indication Message. This packet serves much the same function in an IBSS that the Beacon packet does in an infrastructure (BSS or ESS) topology. The packet sets the synchronization of the group and announces that messages are waiting to be delivered. Stations in Power Save mode wake up periodically to listen for ATIM packets in ad hoc (IBSS) networks, just as they do for Beacon packets in infrastructure (BSS or ESS) networks.
00	mgmt	1010	Disassociation	This packet is an announcement breaking an existing association. It is a one-way communication (meaning it does not require or accept a reply), and must be accepted. It can be sent by any associated station or BSS and it takes effect immediately.
00	mgmt	1011	Authentication	Authentication packets are sent back and forth between the station requesting authentication and the station to which it is attempting to assert its authentic identity. The number of packets exchanged depends on the authentication method employed. Information relating to the particular scheme is carried in the body of the Authentication packet.
00	mgmt	1100	Deauthentication	This packet is an announcement stating that the receiver is no longer authenticated. It is a one-way communication from the authenticating station (a BSS or functional equivalent), and must be accepted. It takes effect immediately.
01	ctrl	1010	PS-Poll	Power Save polling packet. Stations in power save mode awaken periodically to listen to selected Beacons. If they hear that data is waiting for them, they will awake more fully and send a PS-Poll packet to the access point (BSS) to request the transmission of this waiting data. In Control packets of the Power Save-Poll type, the Duration/ID field contains the association ID (AID) for the station sending the packet.
01	ctrl	1011	RTS	Request To Send. Coordinates access to airwaves.
01	ctrl	1100	CTS	Clear To Send. Response to a RTS, coordinates access to airwaves.
01	ctrl	1101	ACK	Acknowledges receipt of transmitted data.
01	ctrl	1110	CF End	Signals the end of Contention Free period.
01	ctrl	1111	CF End + CF ACK	Signals the end of the Contention Free period and Acknowledges the receipt of some packet in a single message.
10	data	any	any	Multiple subtypes exist for Data type packets, but all have the same basic format, as described above. (see Appendix C, “802.11 WLAN Packets and Protocols”.) The different Data subtypes essentially just piggyback CF-Poll, CF-ACK, and CF-End messages onto the data message in a single transmission. This allows the BSS to gain higher throughputs possible using PCF (point coordinating function).

23rd April 2015

monitor for dhcp offers on network

sudo ifconfig ethX promisc
tshark -i ethX -n port 68 -R 'bootp.type == 2'

Thanks to http://blog.siufatfat.net/2013/08/25/locating-rogue-dhcp-on-linux/

23rd February 2015

tcpdump notes

sudo tcpdump -i eth0 port 67 or port 68 -nev and “ether host <<MAC ADDRESS>>”

ether host <mac address>

verbose:

-vv

packet size for full details:

-s 1500

prevent name resolution:

-n

13th February 2015

HOW TO ADD ADDITIONAL IP TO A NETWORK INTERFACE ON MAC OS X

Source: https://gerrydevstory.com/2012/08/20/how-to-create-virtual-network-interface-on-mac-os-x/

To add an additional IP to a network interface on OSX using the GUI simply “replicate service” on any interface via the cog in [Network Settings] and then assign the IP to the replicated interface manually.

source: http://hints.macworld.com/article.php?story=20041223112819235

From the terminal:

sudo ifconfig en1 inet xxx.xxx.xxx.xxx netmask 255.255.255.0 alias

Where sudo = execute as root, en1 = the interface you want to add an alias to, xxx.xxx.xxx.xxx = ip you wan to add, 255.255.255.0 = desired netmask.

11th January 2015

Technicolor TG582n Configuration

dhcp server lease list (lists the current DHCP clients)
dhcp server lease delete clientid=xx:xx:xx:xx:xx:xx ( xx etc. is the MAC address of appropriate client from above list – deletes the current lease)
dhcp server lease add clientid=xx:xx:xx:xx:xx:xx pool=LAN_private addr=192.168.1.x leasetime=0 (adds required IP for appropriate client with infinite lease time)
saveall

17th April 2014

tcpdump2

verbatim from http://www.danielmiessler.com/study/tcpdump/

A `tcpdump` Tutorial and Primer

tcp_header
Image from securitywizardry.com

[ Check out my latest post on the HP Security Blog: “Thoughts on the Heartbleed Bug” ]

tcpdump is the premier network analysis tool for information security professionals. Having a solid grasp of this über-powerful application is mandatory for anyone desiring a thorough understanding of TCP/IP. Many prefer to use higher level analysis tools such as Ethereal Wireshark, but I believe this to usually be a mistake.

In a discipline so dependent on a true understanding of concepts vs.rote learning, it’s important to stay fluent in the underlying mechanics of the TCP/IP suite. A thorough grasp of these protocols allows one to troubleshoot at a level far beyond the average analyst, but mastery of the protocols is only possible through continued exposure to them.

When using a tool that displays network traffic a more natural (raw) way the burden of analysis is placed directly on the human rather than the application. This approach cultivates continued and elevated understanding of the TCP/IP suite, and for this reason Istrongly advocate using tcpdump instead of other tools whenever possible.

15:31:34.079416 IP (tos 0x0, ttl  64, id 20244, offset 0, flags [DF], 
proto: TCP (6), length: 60) source.35970 > dest.80: S, cksum 0x0ac1 
(correct), 2647022145:2647022145(0) win 5840 0x0000:  4500 003c 4f14 4000 
4006 7417 0afb 0257  E..  0x0010:  4815 222a 8c82 0050 9dc6 5a41 0000 
0000  H."*...P..ZA....  0x0020:  a002 16d0 0ac1 0000 0204 05b4 
0402 080a  ................  0x0030:  14b4 1555 0000 0000 0103 0302

Options

Below are a few options (with examples) that will help you greatly when working with the tool. They’re easy to forget and/or confuse with other types of filters, i.e. ethereal, so hopefully this page can serve as a reference for you, as it does me.

First off, I like to add a few options to the tcpdump command itself, depending on what I’m looking at. The first of these is -n, which requests that names are not resolved, resulting in the IPs themselves always being displayed. The second is -X, which displays both hex and ascii content within the packet. The final one is -S, which changes the display of sequence numbers to absolute rather than relative. The idea there is that you can’t see weirdness in the sequence numbers if they’re being hidden from you. Remember, the advantage of using tcpdump vs. another tool is getting manual interaction with the packets.

It’s also important to note that tcpdump only takes the first 68 96 bytes of data from a packet by default. If you would like to look at more, add the -s number option to the mix, where number is the number of bytes you want to capture. I recommend using 0 (zero) for a snaplength, which gets everything. Here’s a short list of the options I use most:

-i any : Listen on all interfaces just to see if you’re seeing any traffic.
-n : Don’t resolve hostnames.
-nn : Don’t resolve hostnames or port names.
-X : Show the packet’s contents in both hex and ASCII.
-XX : Same as -X, but also shows the ethernet header.
-v, -vv, -vvv : Increase the amount of packet information you get back.
-c : Only get x number of packets and then stop.
-s : Define the snaplength (size) of the capture in bytes. Use-s0 to get everything, unless you are intentionally capturing less.
-S : Print absolute sequence numbers.
-e : Get the ethernet header as well.
-q : Show less protocol information.
-E : Decrypt IPSEC traffic by providing an encryption key.

[ The default snaplength as of tcpdump 4.0 has changed from 68 bytes to 96 bytes. While this will give you more of a packet to see, it still won’t get everything. Use -s 1514 to get full coverage ]

Basic Usage

So, based on the kind of traffic I’m looking for, I use a different combination of options to tcpdump, as can be seen below:

Basic communication // see the basics without many options
# tcpdump -nS
Basic communication (very verbose) // see a good amount of traffic, with verbosity and no name help
# tcpdump -nnvvS
A deeper look at the traffic // adds -X for payload but doesn’t grab any more of the packet
# tcpdump -nnvvXS
Heavy packet viewing // the final “s” increases the snaplength, grabbing the whole packet
# tcpdump -nnvvXSs 1514

Here’s a capture of exactly two (-c2) ICMP packets (a ping andpong) using some of the options described above. Notice how much we see about each packet.

hermes root # tcpdump -nnvXSs 0 -c2 icmp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), 23:11:10.370321 IP 
(tos 0x20, ttl  48, id 34859, offset 0, flags [none], length: 84) 
69.254.213.43 > 72.21.34.42: icmp 64: echo request seq 0

        0x0000:  4520 0054 882b 0000 3001 7cf5 45fe d52b  E..T.+..0.|.E..+
        0x0010:  4815 222a 0800 3530 272a 0000 25ff d744  H."*..50'*..%..D
        0x0020:  ae5e 0500 0809 0a0b 0c0d 0e0f 1011 1213  .^..............
        0x0030:  1415 1617 1819 1a1b 1c1d 1e1f 2021 2223  .............!"#
        0x0040:  2425 2627 2829 2a2b 2c2d 2e2f 3031 3233  $%&'()*+,-./0123
        0x0050:  3435 3637                                4567
23:11:10.370344 IP (tos 0x20, ttl  64, id 35612, offset 0, flags [none], 
length: 84) 72.21.34.42 > 69.254.213.43: icmp 64: echo reply seq 0
        0x0000:  4520 0054 8b1c 0000 4001 6a04 4815 222a  E..T....@.j.H."*
        0x0010:  45fe d52b 0000 3d30 272a 0000 25ff d744  E..+..=0'*..%..D
        0x0020:  ae5e 0500 0809 0a0b 0c0d 0e0f 1011 1213  .^..............
        0x0030:  1415 1617 1819 1a1b 1c1d 1e1f 2021 2223  .............!"#
        0x0040:  2425 2627 2829 2a2b 2c2d 2e2f 3031 3233  $%&'()*+,-./0123
        0x0050:  3435 3637                                4567
2 packets captured
2 packets received by filter
0 packets dropped by kernel
hermes root #

Common Syntax

Expressions allow you to trim out various types of traffic and find exactly what you’re looking for. Mastering the expressions and learning to combine them creatively is what makes one truly powerful with tcpdump. There are three main types of expression:type, dir, and proto.

Type options are host, net, and port. Direction is indicated by dir, and there you can have src, dst, src or dst, and src and dst. Here are a few that you should definitely be comfortable with:

host // look for traffic based on IP address (also works with hostname if you’re not using -n)
# tcpdump host 1.2.3.4

src, dst // find traffic from only a source or destination (eliminates one side of a host conversation)
# tcpdump src 2.3.4.5
# tcpdump dst 3.4.5.6

net // capture an entire network using CIDR notation
# tcpdump net 1.2.3.0/24

proto // works for tcp, udp, and icmp. Note that you don’t have to typeproto
# tcpdump icmp

port // see only traffic to or from a certain port
# tcpdump port 3389

src, dst port // filter based on the source or destination port
# tcpdump src port 1025
# tcpdump dst port 389

src/dst, port, protocol // combine all three
# tcpdump src port 1025 and tcp
# tcpdump udp and src port 53

You also have the option to filter by a range of ports instead of declaring them individually, and to only see packets that are above or below a certain size.

Port Ranges // see traffic to any port in a range
tcpdump portrange 21-23

Packet Size Filter // only see packets below or above a certain size (in bytes)
tcpdump less 32
tcpdump greater 128

[ You can use the symbols for less than, greater than, and less than or equal / greater than or equal signs as well. ]

// filtering for size using symbols

tcpdump > 32

tcpdump <= 128

Writing to a File

tcpdump allows you to send what you’re capturing to a file for later use using the -w option, and then to read it back using the -roption. This is an excellent way to capture raw traffic and then run it through various tools later.

The traffic captured in this way is stored in tcpdump format, which is pretty much universal in the network analysis space. This means it can be read in by all sorts of tools, including Wireshark, Snort, etc.

Capture all Port 80 Traffic to a File

# tcpdump -s 1514 port 80 -w capture_file

Then, at some point in the future, you can then read the traffic back in like so:

Read Captured Traffic back into `tcpdump`

# tcpdump -r capture_file

Getting Creative

Expressions are nice, but the real magic of tcpdump comes from the ability to combine them in creative ways in order to isolate exactly what you’re looking for. There are three ways to do combinations, and if you’ve studied computers at all they’ll be pretty familar to you:

AND
and or &&
OR
or or ||
EXCEPT
not or !

More Examples

# TCP traffic from 10.5.2.3 destined for port 3389

tcpdump -nnvvS and src 10.5.2.3 and dst port 3389

# Traffic originating from the 192.168 network headed for the 10 or 172.16 networks

tcpdump -nvX src net 192.168.0.0/16 and dst net 10.0.0.0/8 or172.16.0.0/16

# Non-ICMP traffic destined for 192.168.0.2 from the 172.16 network

tcpdump -nvvXSs 1514 dst 192.168.0.2 and src net and not icmp

# Traffic originating from Mars or Pluto that isn’t to the SSH port

tcpdump -vv src mars and not dst port 22

As you can see, you can build queries to find just about anything you need. The key is to first figure out precisely what you’re looking for and then to build the syntax to isolate that specific type of traffic.

Grouping

Also keep in mind that when you’re building complex queries you might have to group your options using single quotes. Single quotes are used in order to tell tcpdump to ignore certain special characters — in this case the “( )” brackets. This same technique can be used to group using other expressions such as host, port, net, etc. Take a look at the command below:

# Traffic that’s from 10.0.2.4 AND destined for ports 3389 or 22(incorrect)

tcpdump src 10.0.2.4 and (dst port 3389 or 22)

If you tried to run this otherwise very useful command, you’d get an error because of the parenthesis. You can either fix this by escaping the parenthesis (putting a before each one), or by putting the entire command within single quotes:

# Traffic that’s from 10.0.2.4 AND destined for ports 3389 or 22(correct)

tcpdump ‘src 10.0.2.4 and (dst port 3389 or 22)’

Advanced

You can also filter based on specific portions of a packet, as well as combine multiple conditions into groups. The former is useful when looking for only SYNs or RSTs, for example, and the latter for even more advanced traffic isolation.

[ Hint: An anagram for the TCP flags: Unskilled Attackers Pester RealSecurity Folk ]

Show me all URGENT (URG) packets…

# tcpdump ‘tcp[13] & 32!=0‘

Show me all ACKNOWLEDGE (ACK) packets…

# tcpdump ‘tcp[13] & 16!=0‘

Show me all PUSH (PSH) packets…

# tcpdump ‘tcp[13] & 8!=0‘

Show me all RESET (RST) packets…

# tcpdump ‘tcp[13] & 4!=0‘

Show me all SYNCHRONIZE (SYN) packets…

# tcpdump ‘tcp[13] & 2!=0‘

Show me all FINISH (FIN) packets…

# tcpdump ‘tcp[13] & 1!=0‘

Show me all SYNCHRONIZE/ACKNOWLEDGE(SYNACK) packets…

# tcpdump ‘tcp[13]=18‘

[ Note: Only the PSH, RST, SYN, and FIN flags are displayed in tcpdump‘s flag field output. URGs and ACKs are displayed, but they are shown elsewhere in the output rather than in the flags field ]

Keep in mind the reasons these filters work. The filters above find these various packets because tcp[13] looks at offset 13 in the TCP header, the number represents the location within the byte, and the !=0 means that the flag in question is set to 1, i.e. it’s on.

As with most powerful tools, however, there are multiple ways to do things. The example below shows another way to capture packets with specific TCP flags set.

Capture TCP Flags Using the tcpflags Option…

# tcpdump ‘tcp[tcpflags] & & tcp-syn != 0‘

Specialized Traffic

Finally, there are a few quick recipes you’ll want to remember for catching specific and specialized traffic, such as IPv6 and malformed/likely-malicious packets.

IPv6 traffic

# tcpdump ip6

Packets with both the RST and SYN flags set (why?)

# tcpdump ‘tcp[13] = 6’

Traffic with the ‘Evil Bit’ Set

# tcpdump ‘ip[6] & 128 != 0‘

Conclusion

Well, this primer should get you going strong, but the man pageshould always be handy for the most advanced and one-off usage scenarios. I truly hope this has been useful to you, and feel free tocontact me if you have any questions. ::