当前位置:网站首页>How tcpdump filters specific TCP flag bits

How tcpdump filters specific TCP flag bits

2022-06-29 22:44:00 Yaohua

according to tcp The structure of the guarantee is known ,TCP The flag header is located at the... Of the header 14 In bytes , Because the number is from 0 Byte start , therefore TCP The logo header is on the 13 byte .

byte 13 Up to 8 Single bit logo ; however ,TCP Only use 6 A sign . The other two bits are reserved , Should be set to zero .

For those with only one logo TCP head , Each bit has a byte , byte 13 Contains the following decimal binary values .

  • Final (FIN) = 1
  • Sync (SYN) = 2
  • Reset (RST) = 4
  • Push (PSH) = 8
  • Acknowledgement (ACK) = 16
  • Urgent (URG) = 32
  • Reserved = 64 and 128

If TCP The header has multiple flags , byte 13 The value of is the sum of the binary values of all the bits set . for example

  • FIN, ACK = 17 (1 + 16)
  • SYN, ACK = 18 (2 + 16)
  • PSH, ACK = 24 (8 + 16)
  • FIN, PSH = 9 (1 + 8)
  • FIN, PSH, ACK = 25 (1 + 8 + 16)

Filter with SYN give an example 

[[email protected] ~]
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
23:28:45.929246 IP 113.65.30.42.jomamqmonitor > 10.13.132.171.ssh: Flags [S], seq 356758948, win 64240, options [mss 1412,nop,wscale 8,nop,nop,sackOK], length 0
23:28:55.109148 IP 113.65.30.42.netscript > 10.13.132.171.ssh: Flags [S], seq 1672259268, win 64240, options [mss 1412,nop,wscale 8,nop,nop,sackOK], length 0
23:29:06.584163 IP 128.199.4.167.45848 > 10.13.132.171.ssh: Flags [S], seq 572498397, win 42340, options [mss 1412,sackOK,TS val 2388703754 ecr 0,nop,wscale 8], length 0

If filtering is required SYN+ACK My bag , It is SYN, ACK = 18 (2 + 16). like this 

[[email protected] ~]
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
23:30:41.332866 IP 10.13.132.171.ssh > 113.65.30.42.macbak: Flags [S.], seq 1578017406, ack 2299936850, win 64952, options [mss 1412,nop,nop,sackOK,nop,wscale 8], length 0
23:30:43.381328 IP 10.13.132.171.ssh > 188.166.240.30.34898: Flags [S.], seq 3237261487, ack 715567311, win 64400, options [mss 1412,sackOK,TS val 498768258 ecr 1839524773,nop,wscale 8], length 0
23:30:45.616443 IP 10.13.132.171.ssh > 113.65.30.42.wcpp: Flags [S.], seq 3406886282, ack 1487533276, win 64952, options [mss 1412,nop,nop,sackOK,nop,wscale 8], length 0
原网站

版权声明
本文为[Yaohua]所创,转载请带上原文链接,感谢
https://yzsam.com/2022/180/202206291304577381.html

边栏推荐

猜你喜欢

随机推荐