TCPDUMP and magic
I recently rediscovered tcpdump. Many people I know use it to troubleshoot problems and their methods work something like this:
Oh look. Something in this building does not look right. We seem to be losing information. Well, let's watch EVERYBODY going out and coming in and check them for everything they're carrying. Their pockets, their bags, heck, let's have them walk through an X-Ray machine.
That, in a nutshell, is how tcpdump is used. Turn it on to capture everything on a given interface and then wait and watch all traffic.
Since privacy is not enforced on packet traffic as much as it would be were we strip searching everyone entering and leaving a building, we can do deep packet inspection on all packets (to try and figure out the cause of our current problem, or opportunity, or challenge, or call it what you will). The problem, well, imagine strip searching 10 people a second with a semi-truck's worth of stuff on them...oh, and just one person searching them all. Now the task begins to take on some semblance of the reality of the work of a security "expert". Wouldn't it be awesome if we could pinpoint the 5 people we wanted to check...and not just that, what if we could also find the physical location on that person (with a semi-truck's worth of stuff - number, not value) to look for our items of interest?
tcpdump allows us to do just that!
Imagine you want to see what packets are involved in creating a new session...well, TCP packets carry the SYN flag in the 14th byte of the TCP header, set to 1 when a session is being opened. So the command tcpdump 'tcp[13] & 2 != 0' gets you all packets where the SYN flag is 1.
The command? Here's the breakdown:
The TCP header has 2 bytes each for the SRC Port and the DST Port, 8 bytes each for the SEQ# and the ACK#, and half a byte each (4 bits) for the Header Length and for a Reserved field. That makes a total of 13 bytes.
Now, the 14th byte is broken up into 8 bits. Skipping the bits worth 128 and 64, we have the 6 Flags, in sequence: URG at the 32 position, ACK at 16, PSH at 8, RST at 4, SYN at 2 and FIN at 1. So that's where the 2 != 0 comes in. If you wanted to see packets with SYN and ACK, it would have been (ACK at 16 + 2 for SYN, which gives us) 18 != 0.
Simple as that.
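As an added example (not code from the original post), the following Python builds a few constructed 20-byte TCP headers and evaluates the byte-13 flag test on them exactly as the BPF filter would. It shows the offsets that land the flags in byte index 13 (the 14th byte counting from one: 4-byte ports, 4-byte sequence number, 4-byte acknowledgement number, then the data-offset byte) and the practitioner's caveat that 'tcp[13] & 18 != 0' is true whenever SYN or ACK is set, while 'tcp[13] & 18 == 18' requires both, as in a SYN-ACK.

```python
import struct

# TCP flag bit values in header byte 13 (the "14th byte" in 1-based terms).
# Bits 128 (CWR) and 64 (ECE) are the two the post skips.
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32


def tcp_header(flags, sport=40000, dport=80, seq=1, ack=0):
    """Build a minimal 20-byte TCP header (constructed sample, no options).
    Layout: src port (2), dst port (2), seq (4), ack (4),
    data-offset/reserved (1), flags (1), window (2), checksum (2), urgent (2).
    The flags byte therefore sits at index 2+2+4+4+1 = 13."""
    data_offset = 5 << 4          # 5 x 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flags, 65535, 0, 0)


def flag_filter(mask, require_all=False):
    """Return a predicate equivalent to the BPF expression
    'tcp[13] & mask != 0' (any masked bit set) or, with require_all,
    'tcp[13] & mask == mask' (every masked bit set)."""
    def matches(header):
        flags = header[13]        # same byte the tcpdump filter indexes
        if require_all:
            return (flags & mask) == mask
        return (flags & mask) != 0
    return matches


# Constructed sample capture: a three-way handshake plus one data segment.
SAMPLE = {
    "syn":     tcp_header(SYN),
    "syn-ack": tcp_header(SYN | ACK, sport=80, dport=40000, ack=2),
    "ack":     tcp_header(ACK, seq=2, ack=2),
    "psh-ack": tcp_header(PSH | ACK, seq=2, ack=2),
}


def apply(mask, require_all=False):
    """Names of the sample packets selected by the given flag filter."""
    pred = flag_filter(mask, require_all)
    return [name for name, hdr in SAMPLE.items() if pred(hdr)]


if __name__ == "__main__":
    print("tcp[13] & 2 != 0   ->", apply(SYN))
    print("tcp[13] & 18 != 0  ->", apply(SYN | ACK))
    print("tcp[13] & 18 == 18 ->", apply(SYN | ACK, require_all=True))
```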
Alternatively, just use Wireshark and let nerds/geeks (difference?) like me have all the fun ;)