http://www.dslreports.com/forum/r14246114 en Fri, 04 Dec 2009 10:37:55 EDT Fri, 04 Dec 2009 10:37:55 EDT http://www.dslreports.com/forum/remark,14663951 Da Geek Kid : LOL ROF... Feel like an AR$$$ ...

"I shoulda thunk a DAT"

Thanks PetePuma ]]> http://www.dslreports.com/forum/remark,14663951 Wed, 26 Oct 2005 16:19:47 EDT http://www.dslreports.com/forum/remark,14663900 PetePuma : »www.rdrs.net/document/tcpdump.filters]]> http://www.dslreports.com/forum/remark,14663900 Wed, 26 Oct 2005 16:13:50 EDT http://www.dslreports.com/forum/remark,14663825 Da Geek Kid : Just a quick update... the link to the filters is dead.. :)
any updates on that...

TIA...]]> http://www.dslreports.com/forum/remark,14663825 Wed, 26 Oct 2005 16:02:47 EDT http://www.dslreports.com/forum/remark,14247541 Daniel : Here's a nice collection of filters:
»www.rdrs.net/document/src/tcpdump.filters
--
dmiessler.com - grep understanding knowledge]]> http://www.dslreports.com/forum/remark,14247541 Mon, 29 Aug 2005 15:24:47 EDT http://www.dslreports.com/forum/remark,14246114 Daniel : Many people are familiar with the concept of a mnemonic [nəˈmɑnɪk] -- a memory device that uses a phrase based on the first letter of words in a list. Perhaps the most popular of these in the field of networking is the one for the OSI Model. The mnemonic is:

All People Seem To Need Data Processing.

Well, for those that deal with TCP a lot, I thought it might be helpful to have a mnemonic for the TCP flags as well. What I've come up with is:

Unskilled Attackers Pester Real Security Folks

Unskilled = URG
Attackers = ACK
Pester = PSH
Real = RST
Security = SYN
Folks = FIN

The way this helps me the most is when isolating traffic to capture using Tcpdump. It's possible, for example, to capture only SYNs (new connection requests), only RSTs (immediate session teardowns), or any combination of the six flags really. As noted in my own little Tcpdump tutorial, you can capture these various flags like so:

Find all SYN packets
tcpdump 'tcp[13] & 2 != 0'

Find all RST packets
tcpdump 'tcp[13] & 4 != 0'

Find all ACK packets
tcpdump 'tcp[13] & 16 != 0'

Notice the SYN example has the number 2 in it, the RST the number 4, and the ACK the number 16. These numbers correspond to where the TCP flags fall on the binary scale. So when you write out:

U A P R S F

...that corresponds to:

32 16 8 4 2 1

So as you read the SYN capture (tcpdump 'tcp[13] & 2 != 0'), you're saying find the 13th byte in the TCP header, and only grab packets where the flag in the 2nd bit is not zero. Well if you go from right to left in the UAPRSF string, you see that the spot where 2 falls is where the S is, and that's how why you're capturing only SYN packets when you apply that filter.

Remembering these flags and how to isolate them can go a long way in helping low-level network troubleshooting/security work by isolating what it is you want to see and/or capture. And of course the more you can isolate what you want to see, the faster you can solve the problem. I encourage anyone not making use of this powerful feature already to go ahead and add it to their repertoire.
--
dmiessler.com - grep understanding knowledge]]> http://www.dslreports.com/forum/remark,14246114 Mon, 29 Aug 2005 11:56:16 EDT