Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs: 
2 edits |  How To Remember Your TCP Flags
All People Seem To Need Data Processing.
Well, for those that deal with TCP a lot, I thought it might be helpful to have a mnemonic for the TCP flags as well. What I've come up with is:
Unskilled Attackers Pester Real Security Folks
Unskilled = URG
Attackers = ACK
Pester = PSH
Real = RST
Security = SYN
Folks = FIN
The way this helps me the most is when isolating traffic to capture using Tcpdump. It's possible, for example, to capture only SYNs (new connection requests), only RSTs (immediate session teardowns), or any combination of the six flags really. As noted in my own little Tcpdump tutorial, you can capture these various flags like so:
Find all SYN packets
tcpdump 'tcp[13] & 2 != 0'
Find all RST packets
tcpdump 'tcp[13] & 4 != 0'
Find all ACK packets
tcpdump 'tcp[13] & 16 != 0'
Notice the SYN example has the number 2 in it, the RST the number 4, and the ACK the number 16. These numbers correspond to where the TCP flags fall on the binary scale. So when you write out:
U A P R S F
...that corresponds to:
32 16 8 4 2 1
So as you read the SYN capture (tcpdump 'tcp[13] & 2 != 0'), you're saying find the 13th byte in the TCP header, and only grab packets where the flag in the 2nd bit is not zero. Well if you go from right to left in the UAPRSF string, you see that the spot where 2 falls is where the S is, and that's how why you're capturing only SYN packets when you apply that filter.
Remembering these flags and how to isolate them can go a long way in helping low-level network troubleshooting/security work by isolating what it is you want to see and/or capture. And of course the more you can isolate what you want to see, the faster you can solve the problem. I encourage anyone not making use of this powerful feature already to go ahead and add it to their repertoire.
--
dmiessler.com - grep understanding knowledge |
