Forums » Up and Running » Security » Security » How To Remember Your TCP Flags
Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
 How To Remember Your TCP Flags

Many people are familiar with the concept of a mnemonic [nəˈmɑnɪk] -- a memory device that uses a phrase based on the first letter of words in a list. Perhaps the most popular of these in the field of networking is the one for the OSI Model. The mnemonic is:

All People Seem To Need Data Processing.

Well, for those that deal with TCP a lot, I thought it might be helpful to have a mnemonic for the TCP flags as well. What I've come up with is:

Unskilled Attackers Pester Real Security Folks

Unskilled = URG
Attackers = ACK
Pester = PSH
Real = RST
Security = SYN
Folks = FIN

The way this helps me the most is when isolating traffic to capture using Tcpdump. It's possible, for example, to capture only SYNs (new connection requests), only RSTs (immediate session teardowns), or any combination of the six flags really. As noted in my own little Tcpdump tutorial, you can capture these various flags like so:

Find all SYN packets
tcpdump 'tcp[13] & 2 != 0'

Find all RST packets
tcpdump 'tcp[13] & 4 != 0'

Find all ACK packets
tcpdump 'tcp[13] & 16 != 0'

Notice the SYN example has the number 2 in it, the RST the number 4, and the ACK the number 16. These numbers correspond to where the TCP flags fall on the binary scale. So when you write out:

U A P R S F

...that corresponds to:

32 16 8 4 2 1

So as you read the SYN capture (tcpdump 'tcp[13] & 2 != 0'), you're saying find the 13th byte in the TCP header, and only grab packets where the flag in the 2nd bit is not zero. Well, if you go from right to left in the UAPRSF string, you see that the spot where 2 falls is where the S is, and that's why you're capturing only SYN packets when you apply that filter.

Remembering these flags and how to isolate them can go a long way in helping low-level network troubleshooting/security work by isolating what it is you want to see and/or capture. And of course the more you can isolate what you want to see, the faster you can solve the problem. I encourage anyone not making use of this powerful feature already to go ahead and add it to their repertoire.
--
dmiessler.com - grep understanding knowledge
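The bit arithmetic behind those three tcpdump filters, worked through in code. This is an added example and not part of the post above or of tcpdump itself: it builds a few constructed 20-byte TCP headers, reads byte 13 the way `tcp[13]` does, and applies the same mask tests in Python so you can see exactly which packets each expression would select. It goes one step past the post by also showing the `tcp[13] & 18 == 2` form (SYN set, ACK clear), which is how you isolate the first packet of a handshake rather than every packet that happens to carry SYN. The helper names, ports and sample packets are all made up for the example.

```python
import struct

# Bit value of each of the six classic flags in TCP header byte 13,
# listed in the post's "UAPRSF" order: 32 16 8 4 2 1.
# (Byte 13 also carries CWR=128 and ECE=64, which this table leaves out.)
FLAG_BITS = {"URG": 32, "ACK": 16, "PSH": 8, "RST": 4, "SYN": 2, "FIN": 1}


def build_tcp_header(src_port, dst_port, flags):
    """Return a constructed, minimal 20-byte TCP header with no options.

    Layout: sport(2) dport(2) seq(4) ack(4) data-offset(1) flags(1)
            window(2) checksum(2) urgent-pointer(2)
    Byte 12 holds the data offset (5 words = 20 bytes) in its upper nibble;
    byte 13 holds the flag bits that 'tcp[13]' in a BPF filter refers to.
    """
    bits = 0
    for name in flags:
        bits |= FLAG_BITS[name]
    data_offset = 5 << 4
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       data_offset, bits, 65535, 0, 0)


def flags_byte(header):
    """The value tcpdump sees as tcp[13] for this header."""
    return header[13]


def decode_flags(header):
    """Names of the flags set in byte 13, in UAPRSF order."""
    b = flags_byte(header)
    return [name for name, bit in FLAG_BITS.items() if b & bit]


def matches(header, mask, value=None):
    """Python equivalent of the BPF tests from the post.

    value None  -> 'tcp[13] & mask != 0'  (any of the masked bits set)
    value given -> 'tcp[13] & mask == value' (exact pattern, e.g. 18 == 2
                   means SYN set and ACK clear: a fresh connection request)
    """
    b = flags_byte(header)
    if value is None:
        return (b & mask) != 0
    return (b & mask) == value


# Constructed sample traffic: one packet per common flag combination.
SAMPLES = {
    "syn":     build_tcp_header(40000, 80, ["SYN"]),          # client hello
    "syn_ack": build_tcp_header(80, 40000, ["SYN", "ACK"]),   # server reply
    "ack":     build_tcp_header(40000, 80, ["ACK"]),          # handshake done
    "psh_ack": build_tcp_header(40000, 80, ["PSH", "ACK"]),   # data segment
    "fin_ack": build_tcp_header(80, 40000, ["FIN", "ACK"]),   # graceful close
    "rst":     build_tcp_header(80, 40000, ["RST"]),          # abrupt teardown
}


def apply_filter(packets, mask, value=None):
    """Sorted names of the sample packets a given mask/value test selects."""
    return sorted(name for name, hdr in packets.items()
                  if matches(hdr, mask, value))


if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:8s} tcp[13]={flags_byte(hdr):3d} "
              f"{flags_byte(hdr):06b}  {decode_flags(hdr)}")
    print("tcp[13] & 2 != 0   ->", apply_filter(SAMPLES, 2))      # all SYNs
    print("tcp[13] & 4 != 0   ->", apply_filter(SAMPLES, 4))      # all RSTs
    print("tcp[13] & 16 != 0  ->", apply_filter(SAMPLES, 16))     # all ACKs
    print("tcp[13] & 18 == 2  ->", apply_filter(SAMPLES, 18, 2))  # SYN only
```

Printing the flag byte in six-bit binary next to the UAPRSF string is the quickest way to convince yourself that the mnemonic order and the bit weights line up; the `& 18 == 2` variant is worth remembering because a plain `& 2 != 0` also pulls in every SYN-ACK the server sends back.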


Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA

Here's a nice collection of filters:
»www.rdrs.net/document/src/tcpdump.filters
--
dmiessler.com - grep understanding knowledge


Da Geek Kid

join:2003-10-11
Mclean, VA
reply to Daniel
Just a quick update... the link to the filters is dead..
any updates on that...

TIA...


PetePuma
How many lumps do you want
Premium,MVM
join:2002-06-13
Arlington, VA
»www.rdrs.net/document/tcpdump.filters


Da Geek Kid

join:2003-10-11
Mclean, VA
reply to Daniel
LOL ROF... Feel like an AR$$$ ...

"I shoulda thunk a DAT"

Thanks PetePuma
Tuesday, 10-Nov 11:06:17 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 10 years online! © 1999-2009 dslreports.com.