This is related to see the traffic in nic
18 years 11 months ago #12483
by iamprabhu100
Hi,
Friends, can anyone tell me the use of the tcpdump command
and explain this syntax?
tcpdump -nn -i eth0 -tq 'tcp[13] == 2'
-nn to tell the address
-i interface
-t to ignore the time stamp
q ???
'tcp[13] == 2' ????
I don't know the logic of this q and 'tcp[13] == 2'.
Can anyone give me more details on this topic, pls?
regards,
Prabhakaran.D
18 years 11 months ago #12500
by Chris
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
After checking the tcpdump man pages, I can tell you that the 'q' stands for 'quick output' - it forces tcpdump to print less protocol information so the output lines are smaller.
The 'tcp[13] == 2' parameter is one I've never used before, but judging from the man pages, it looks like an expression designed to capture specific traffic.
The man pages have an example where it states that
"tcp[0] always means the first byte of the TCP header..."
Using this information we can come to a logical conclusion that the 'tcp[13]' parameter refers to the 13th byte of the TCP header in a packet. As for the '==2' value, I suspect it's got something to do with the TCP flags, but I'm not 100% sure what it means.
Anyone else that can shed some light on this problem?
18 years 11 months ago #12502
by FallenZer0
-There Is A Foolish Corner In The Brain Of The Wisest Man- Aristotle
Check the below link and it will answer your questions.
www.tcpdump.org/tcpdump_man.html
It's related to the TCP flags and what type of datagram is sent [SYN, SYN/ACK, ACK, PSH, URG etc]. See how clearly it's explained what you were looking for.
Do at least minimal searches kiddo. Read RFC-793
Recall the structure of a TCP header without options:

 0                            15                              31
-----------------------------------------------------------------
|          source port          |       destination port        |
-----------------------------------------------------------------
|                        sequence number                        |
-----------------------------------------------------------------
|                     acknowledgment number                     |
-----------------------------------------------------------------
|  HL   | rsvd  |C|E|U|A|P|R|S|F|        window size            |
-----------------------------------------------------------------
|         TCP checksum          |       urgent pointer          |
-----------------------------------------------------------------

A TCP header usually holds 20 octets of data, unless options are present. The first line of the graph contains octets 0 - 3, the second line shows octets 4 - 7 etc.

Starting to count with 0, the relevant TCP control bits are contained in octet 13:

 0             7|             15|             23|             31
----------------|---------------|---------------|----------------
|  HL   | rsvd  |C|E|U|A|P|R|S|F|        window size            |
----------------|---------------|---------------|----------------
|               |  13th octet   |               |               |

Let's have a closer look at octet no. 13:

                |               |
                |---------------|
                |C|E|U|A|P|R|S|F|
                |---------------|
                |7   5   3     0|

These are the TCP control bits we are interested in. We have numbered the bits in this octet from 0 to 7, right to left, so the PSH bit is bit number 3, while the URG bit is number 5.

Recall that we want to capture packets with only SYN set. Let's see what happens to octet 13 if a TCP datagram arrives with the SYN bit set in its header:

                |C|E|U|A|P|R|S|F|
                |---------------|
                |0 0 0 0 0 0 1 0|
                |---------------|
                |7 6 5 4 3 2 1 0|

Looking at the control bits section we see that only bit number 1 (SYN) is set.

Assuming that octet number 13 is an 8-bit unsigned integer in network byte order, the binary value of this octet is

    00000010

and its decimal representation is

    0*2^7 + 0*2^6 + 0*2^5 + 0*2^4 + 0*2^3 + 0*2^2 + 1*2^1 + 0*2^0 = 2

We're almost done, because now we know that if only SYN is set, the value of the 13th octet in the TCP header, when interpreted as an 8-bit unsigned integer in network byte order, must be exactly 2.

This relationship can be expressed as

    tcp[13] == 2
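To make the man page derivation quoted above concrete, here is an added Python example (written for this thread, not code from any poster or from the tcpdump project). It builds constructed TCP headers for one handshake, reads octet 13 the way tcpdump's tcp[13] does, and evaluates the thread's 'tcp[13] == 2' beside the masked form 'tcp[13] & 2 != 0', which is an addition of my own and not an expression the posts use. Function and variable names such as build_tcp_header, SAMPLE_SEGMENTS and classify are this example's own inventions; the flag names ECE and CWR are the standard expansions of the C and E bits shown in the diagram.

```python
import struct

# Control-bit positions in octet 13 of the TCP header, numbered 0..7 from the
# right exactly as in the man page excerpt quoted above (F = bit 0 ... C = bit 7).
TCP_FLAGS = {
    "FIN": 1 << 0,
    "SYN": 1 << 1,
    "RST": 1 << 2,
    "PSH": 1 << 3,
    "ACK": 1 << 4,
    "URG": 1 << 5,
    "ECE": 1 << 6,
    "CWR": 1 << 7,
}
FLAG_ORDER = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")  # C E U A P R S F


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Return a 20-octet TCP header with no options (constructed sample data).

    Layout follows the header diagram in the post: ports, sequence number,
    acknowledgment number, octet 12 (HL + reserved), octet 13 (flags),
    window, checksum (left zero here) and urgent pointer.
    """
    data_offset_words = 5               # 5 x 32-bit words = 20 octets
    octet12 = data_offset_words << 4    # HL in the high nibble, rsvd bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       octet12, flags & 0xFF, window, 0, 0)


def tcp_octet(header, index):
    """tcp[index] in tcpdump terms: octet `index` of the TCP header as an unsigned int."""
    return header[index]


def decimal_from_bits(bitstring):
    """Reproduce the man page's sum b7*2^7 + ... + b0*2^0 for an 8-character bit string."""
    if len(bitstring) != 8 or set(bitstring) - {"0", "1"}:
        raise ValueError("expected an 8-character string of 0/1")
    return sum(int(bit) << (7 - i) for i, bit in enumerate(bitstring))


def flag_names(header):
    """Names of the control bits set in octet 13, in the diagram's C E U A P R S F order."""
    value = tcp_octet(header, 13)
    return [name for name in FLAG_ORDER if value & TCP_FLAGS[name]]


def matches_syn_only(header):
    """The thread's filter, 'tcp[13] == 2': SYN set and no other control bit set."""
    return tcp_octet(header, 13) == 2


def matches_syn_any(header):
    """'tcp[13] & 2 != 0': SYN set regardless of other bits (also matches SYN/ACK)."""
    return tcp_octet(header, 13) & TCP_FLAGS["SYN"] != 0


# Constructed segments of one TCP handshake plus a data segment (not captured traffic).
SAMPLE_SEGMENTS = {
    "client SYN":     build_tcp_header(40000, 80, 1000, 0, TCP_FLAGS["SYN"]),
    "server SYN/ACK": build_tcp_header(80, 40000, 5000, 1001, TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"]),
    "client ACK":     build_tcp_header(40000, 80, 1001, 5001, TCP_FLAGS["ACK"]),
    "client PSH/ACK": build_tcp_header(40000, 80, 1001, 5001, TCP_FLAGS["PSH"] | TCP_FLAGS["ACK"]),
}


def classify(segments=SAMPLE_SEGMENTS):
    """Per segment: (tcp[13] value, flag names, matches 'tcp[13] == 2', matches 'tcp[13] & 2 != 0')."""
    return {name: (tcp_octet(h, 13), flag_names(h), matches_syn_only(h), matches_syn_any(h))
            for name, h in segments.items()}


if __name__ == "__main__":
    for name, (value, names, syn_only, syn_any) in classify().items():
        print(f"{name:15s} tcp[13]={value:3d} ({value:08b}) flags={'/'.join(names):8s} "
              f"'tcp[13] == 2' -> {syn_only}  'tcp[13] & 2 != 0' -> {syn_any}")
```

Running it shows the point the man page derivation makes: the pure SYN gives 2, while the SYN/ACK of the same handshake gives 18 (bits 4 and 1), so 'tcp[13] == 2' only ever shows the first segment of each connection attempt arriving on the interface, which is why it is a handy filter for watching for scans or connection floods without the rest of the handshake cluttering the output. To see every segment that carries SYN, use the masked comparison instead. Current tcpdump releases also accept the symbolic spelling 'tcp[tcpflags] == tcp-syn' for the same test.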
18 years 11 months ago #12555
by n_arvind2000
18 years 11 months ago #12598
by FallenZer0
--Make sure you read the posts above, before you double post the same thing.
-There Is A Foolish Corner In The Brain Of The Wisest Man- Aristotle
www.tcpdump.org/
This will answer all your queries!