Folks,
I'm actually using Windump.exe but it's just a port of tcpdump for win32...
The following statement (from the manpage) should capture all SYN and FIN
traffic
- tcpdump 'tcp[13] & 3 != 0 and not src and dst net localnet'
What I don't understand is how to translate tcp[13] and 3 (or tcp[3]). I do
understand about TCP handshakes and I can see where the !=0 comes into play,
but I can't find the [13] info in the packet. The man page says it's the
byte offset from the protocol in question, and that does match up: the TCP
section is at offset 34 (0x22), and 13 bytes after that is 47 (0x2F), which puts
me at the TCP flags summary.
The following is a simple port scan of port TCP/139 on host2 from host1.
After looking at this scan using M$ Network Monitor I can see that the first
2 handshake packets are logged: the 1st packet has SYN, the 2nd has SYN-ACK, and the
last 2/3 packets have FIN-ACK and FIN-ACK set (normal). Knowing about the
SYN, ACK and FIN packets, I can gather that's where the expr '!=0' comes
into play, because they are all '1'. Can someone explain the tcp[13] and the
tcp[3] to me?
windump: listening on \Device\Packet_{CC3ED418-E76E-4062-B5C5-4BCDC13A4AFA}
17:55:24.969794 host1.1429 > host2.139: S 4267803795:4267803795(0) win 16384
(DF)
4500 0030 1d65 4000 7c06 d87b ab4e 0345
8021 da32 0595 008b fe61 8493 0000 0000
7002 4000 b122 0000 0204 05b4 0101 0402
17:55:24.970018 host2.139 > host1.1429: S 3666998063:3666998063(0) ack
4267803796 win 17520 (DF)
4500 0030 4385 4000 8006 ae5b 8021 da32
ab4e 0345 008b 0595 da91 f32f fe61 8494
7012 4470 dedf 0000 0204 05b4 0101 0402
17:55:25.008545 host2.genuity.com.1429 > host1.139: F 1:1(0) ack 1 win 17520
(DF)
4500 0028 1d67 4000 7c06 d881 ab4e 0345
8021 da32 0595 008b fe61 8494 da91 f330
5011 4470 0ba3 0000 e712 8418 4130
17:55:25.008673 host1.139 > host2.1429: F 1:1(0) ack 2 win 17520 (DF)
4500 0028 4387 4000 8006 ae61 8021 da32
ab4e 0345 008b 0595 da91 f330 fe61 8495
5011 4470 0ba2 0000
--
To unsubscribe: mail majordomo@ale.org with "unsubscribe ale" in message body.
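The byte-offset arithmetic walked through in the message above, as an added worked example that is not part of the original post or of tcpdump/windump itself: a short Python script that takes the four hex dumps exactly as posted, locates the TCP header from the IPv4 IHL field (tcp[N] is counted from the start of the TCP header, not from the start of the frame), reads tcp[13] (the flags byte), names the bits set in it, and applies the same test as the filter 'tcp[13] & 3 != 0', where 3 is the bitmask SYN (0x02) | FIN (0x01). The function names are mine, and the 14-byte Ethernet II header used to reproduce the frame offsets 34 and 47 is an assumption (the dumps start at the IP header, so no link header is visible).

```python
# Added example (not from the original post): decode tcp[13] from the hex
# dumps in the message above and apply the filter tcp[13] & 3 != 0 by hand.

import struct

# The four packets as posted (windump -x output, IP header first; the
# Ethernet header is not shown). Packet 3 carries 6 bytes beyond the IP
# Total Length: Ethernet padding up to the 60-byte minimum frame size.
HEXDUMPS = [
    """4500 0030 1d65 4000 7c06 d87b ab4e 0345
       8021 da32 0595 008b fe61 8493 0000 0000
       7002 4000 b122 0000 0204 05b4 0101 0402""",
    """4500 0030 4385 4000 8006 ae5b 8021 da32
       ab4e 0345 008b 0595 da91 f32f fe61 8494
       7012 4470 dedf 0000 0204 05b4 0101 0402""",
    """4500 0028 1d67 4000 7c06 d881 ab4e 0345
       8021 da32 0595 008b fe61 8494 da91 f330
       5011 4470 0ba3 0000 e712 8418 4130""",
    """4500 0028 4387 4000 8006 ae61 8021 da32
       ab4e 0345 008b 0595 da91 f330 fe61 8495
       5011 4470 0ba2 0000""",
]

# TCP flags byte, bit by bit (RFC 793 flags plus CWR/ECE from RFC 3168).
TCP_FLAG_BITS = {
    0x80: "CWR", 0x40: "ECE", 0x20: "URG", 0x10: "ACK",
    0x08: "PSH", 0x04: "RST", 0x02: "SYN", 0x01: "FIN",
}
SYN_OR_FIN_MASK = 0x02 | 0x01  # the "3" in 'tcp[13] & 3'

# Assumption: the frames were Ethernet II, which is what makes the TCP
# header land at frame offset 34 (14 + 20) and the flags byte at 47.
ETHERNET_HEADER_LEN = 14


def parse_hexdump(text):
    """Turn a windump-style hex dump (any whitespace) into raw bytes."""
    return bytes.fromhex("".join(text.split()))


PACKETS = [parse_hexdump(h) for h in HEXDUMPS]


def ip_total_length(pkt):
    """IPv4 Total Length field; anything after it is link-layer padding."""
    return struct.unpack("!H", pkt[2:4])[0]


def tcp_header_offset(pkt):
    """Offset of the TCP header inside the IP packet, from the IHL field.
    tcpdump's tcp[N] is indexed from here, not from the frame start."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    if pkt[9] != 6:
        raise ValueError("IP protocol field is not TCP (6)")
    return (pkt[0] & 0x0F) * 4


def tcp_flags(pkt):
    """tcp[13]: byte 13 of the TCP header, the flags byte."""
    return pkt[tcp_header_offset(pkt) + 13]


def flag_names(flags):
    """Names of the bits set in a flags byte, highest bit first."""
    return [name for bit, name in sorted(TCP_FLAG_BITS.items(), reverse=True)
            if flags & bit]


def matches_syn_or_fin(pkt):
    """Same test as the filter 'tcp[13] & 3 != 0'."""
    return tcp_flags(pkt) & SYN_OR_FIN_MASK != 0


def frame_offset_of_flags(pkt, link_header_len=ETHERNET_HEADER_LEN):
    """Where the flags byte sits in the whole frame, i.e. what a sniffer's
    hex view shows: link header + IP header + 13."""
    return link_header_len + tcp_header_offset(pkt) + 13


def summarize(pkt):
    """One line per packet: tcp[13] in hex, flag names, frame offset, verdict."""
    flags = tcp_flags(pkt)
    return "tcp[13]=0x%02x %-8s frame offset %d  'tcp[13] & 3 != 0': %s" % (
        flags, "|".join(flag_names(flags)), frame_offset_of_flags(pkt),
        "match" if matches_syn_or_fin(pkt) else "no match")


if __name__ == "__main__":
    for i, pkt in enumerate(PACKETS, 1):
        print("packet %d: %s" % (i, summarize(pkt)))
```

Run as-is it prints one line per posted packet: SYN (0x02), SYN|ACK (0x12), FIN|ACK (0x11) and FIN|ACK (0x11), all four matching the SYN-or-FIN filter, with the flags byte at frame offset 47 in every case. Note that the mask test is on the raw byte, so the filter also matches a SYN|ACK, and a pure ACK (0x10) would not match because neither of the low two bits is set.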