Tcpdump captures TCP identifiers

Tcpdump captures TCP identifiers

According to each 8-bit group, the TCP flag is located in the 13th 8-bit group, as shown in the following figure. The first row contains 32 digits ranging from 0 to 3 8-bit groups, the second row is a 4-7 eight-bit group, and the third row is a 8-11 eight-bit group. The first four of Data Offset + reserved are 12th eight-bit groups, in the reserved, the last 2 + 6 flag bits are 13th octal groups.

The following TCP Header

Therefore, the structure of the 13th-bit group is

--++

The first two are reserved, all are 0, and the next six have different values according to different situations. For example, the SYN packet is

00 0 0 0 1 0

This is a binary conversion to 2 in decimal format.

Therefore, tcpdump-Ni eth0 TCP [13] = 2 indicates the SYN packet.

Similarly, the SYN + ACK packet is

00 0 1 0 0 1 0

Therefore, tcpdump-Ni eth0 TCP [13] = 18 indicates the SYN + ACK packet.

If you want to capture both SYN and SYN + ACK packets, perform the following operations on the TCP [13] bit value and mask:

TCP [13] & 2 = 2

In addition, you can use the format TCP [tcpflags] = TCP-Syn to write data. The following values can be TCP-fin, TCP-Syn, TCP-rst, and tcppush, TCP-ack or TCP-URG.

Example

1. Print the start and end packets in the TCP session, and the source or destination of the packets is not the host on the local network.

Tcpdump 'tcp [tcpflags] & (TCP-SYN | TCP-fin )! = 0 and not SRC and DST net localnet'

Localnet, the name of the local network must be replaced in actual use

2. Print all source or destination ports that are 80, the network layer protocol is IPv4, and contain data, rather than SYN, FIN, ack-only, and other non-data packets.

Tcpdump 'tcp port 80 and (IP [2]-(IP [0] & 0xf) <2)-(TCP [12] & 0xf0)> 2 ))! = 0 )'

IP Address [2] indicates the length of the entire IP packet; (IP Address [0] & 0xf) <2) the length of the IP packet header (IP [0] & 0xf indicates the IHL field in the package, and the unit of this field is 32 bit. to convert it to the number of nodes, multiply it by 4, that is, shift left 2 ); (TCP [12] & 0xf0)> 4 indicates the length of the TCP Header. The unit of this field is also 32bit, which is converted to the number of BITs (TCP [12] & 0xf0)> 4) <2, that is, (TCP [12] & 0xf0)> 2)

Original

[1] http://hi.baidu.com/nanjidegou/item/7d144cc0f3499252ac00efe7

[2] http://www.cnblogs.com/ggjucheng/archive/2012/01/14/2322659.html

[3] http://blog.chinaunix.net/uid-7934175-id-3379372.html