Posted: Thu Nov 04, 2004 4:24 pm Post subject: Complete list of byte offsets for filtering with TCPDump
After wandering the net for TCPDump papers, I've found some quite good info for those dealing with large traffic log files: TCPDump bit masking.
Filtering with TCPDump using bit masking ends up being a good practice tool (and also very helpful) for those seeking solid knowledge of tcpdump's applicability.
If you do a search about bit masking you will find more information on this subject.
Expressions
Code:
[x:y] start at offset x from the beginning of packet and read y bytes
[x] abbreviation for [x:1]
proto[x:y] start at offset x into the proto header and read y bytes
p[x:y] & z = 0 p[x:y] has none of the bits selected by z
p[x:y] & z != 0 p[x:y] has any of the bits selected by z
p[x:y] & z = z p[x:y] has all of the bits selected by z
p[x:y] = z p[x:y] has only the bits selected by z
IP byte offsets
Code:
ip[0] & 0xf0 - protocol version (high nibble; 0x40 for IPv4)
ip[0] & 0x0f - internet header length (low nibble, in 32-bit words; 5 = 20 bytes)
ip[1] - TOS
ip[2:2] - Total length
ip[4:2] - IP identification
ip[6] & 0xe0 - IP flags (0x80 reserved, 0x40 DF, 0x20 MF)
ip[6:2] & 0x1fff - fragment offset area
ip[8] - TTL
ip[9] - protocol field
ip[10:2] - header checksum
ip[12:4] - src IP address
ip[16:4] - dst IP address
ip[20:4] - options (first 4 bytes; present only when the header length nibble is > 5)
ip[24] - padding
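To make the expression semantics concrete, here is an added example (not from the original post) that reproduces in Python what tcpdump's BPF filter evaluates: a `field()` helper that reads `proto[x:y]` as a big-endian integer, the four mask tests from the expression list, and the IP offsets above applied to a constructed IPv4/TCP packet (addresses, ports and the packet itself are made up for the example). Two details the list leaves implicit are built in: `ip[]` offsets count from the start of the IP header, while `tcp[]`, `udp[]` and `icmp[]` count from the transport header, which tcpdump finds through the header length nibble `ip[0] & 0x0f`; and the width `y` may only be 1, 2 or 4.

```python
import struct

# Constructed sample packet for this example: a 20-byte IPv4 header (no options,
# DF set, protocol TCP) followed by a 20-byte TCP header carrying a bare SYN.
# Addresses and ports are made up; checksums are left at zero.
IP_HEADER = struct.pack(
    "!BBHHHBBH4s4s",
    0x45,                    # version 4 (high nibble), IHL 5 (low nibble) = 20 bytes
    0x00,                    # TOS
    40,                      # total length: 20 IP + 20 TCP
    0x1234,                  # identification
    0x4000,                  # flags 010 (DF) in the top 3 bits, fragment offset 0
    64,                      # TTL
    6,                       # protocol: TCP
    0,                       # header checksum (not computed here)
    bytes([10, 0, 0, 1]),    # src 10.0.0.1
    bytes([192, 0, 2, 10]),  # dst 192.0.2.10
)
TCP_HEADER = struct.pack(
    "!HHIIBBHHH",
    40000, 443,              # src port, dst port
    1000, 0,                 # seq, ack
    0x50,                    # data offset 5 (high nibble) = 20 bytes, reserved 0
    0x02,                    # flags: SYN only
    65535, 0, 0,             # window, checksum, urgent pointer
)
PACKET = IP_HEADER + TCP_HEADER


def header_start(packet, proto):
    """Offset at which proto[x:y] starts counting. ip[] counts from the start of
    the IP header; tcp[], udp[] and icmp[] count from the start of the transport
    header, which tcpdump locates through the IP header length (ip[0] & 0x0f)."""
    if proto == "ip":
        return 0
    return (packet[0] & 0x0F) * 4


def field(packet, proto, x, y=1):
    """proto[x:y]: read y bytes at offset x into the proto header as one
    big-endian integer. tcpdump only accepts y of 1, 2 or 4."""
    if y not in (1, 2, 4):
        raise ValueError("tcpdump allows a width of 1, 2 or 4 bytes only")
    base = header_start(packet, proto)
    return int.from_bytes(packet[base + x:base + x + y], "big")


# The four mask tests from the expression list, as functions of the field value.
def none_of(value, mask):
    """p[x:y] & z = 0"""
    return value & mask == 0

def any_of(value, mask):
    """p[x:y] & z != 0"""
    return value & mask != 0

def all_of(value, mask):
    """p[x:y] & z = z"""
    return value & mask == mask

def only(value, mask):
    """p[x:y] = z"""
    return value == mask


def evaluate(packet=PACKET):
    """Apply the IP offsets from the list above to the sample packet. Each key
    names the equivalent tcpdump expression."""
    return {
        "ip[0] & 0xf0 = 0x40":   only(field(packet, "ip", 0) & 0xF0, 0x40),    # IPv4
        "(ip[0] & 0x0f) * 4":    (field(packet, "ip", 0) & 0x0F) * 4,         # header bytes
        "ip[6] & 0x40 != 0":     any_of(field(packet, "ip", 6), 0x40),        # DF set
        "ip[6:2] & 0x1fff = 0":  none_of(field(packet, "ip", 6, 2), 0x1FFF),  # not a fragment
        "ip[9] = 6":             only(field(packet, "ip", 9), 6),             # TCP
        "ip[12:4]":              ".".join(str(b) for b in packet[12:16]),     # src address
        "tcp[2:2]":              field(packet, "tcp", 2, 2),                  # dst port, via IHL
        "tcp[13] & 0x12 = 2":    (field(packet, "tcp", 13) & 0x12) == 0x02,   # SYN without ACK
    }


if __name__ == "__main__":
    for expr, result in evaluate().items():
        print(f"{expr:24} -> {result}")
```

The dictionary keys are valid tcpdump filter fragments, so once a test behaves as expected on the constructed packet it can be pasted into `tcpdump -nn '<expression>'` unchanged; the only difference on a live capture is that tcpdump also has to skip the link-layer header, which this buffer does not contain.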
TCP byte offsets
Code:
tcp[0:2] - src port
tcp[2:2] - dst port
tcp[4:4] - seq number
tcp[8:4] - ack number
tcp[12] & 0xf0 - data offset (high nibble, header length in 32-bit words)
tcp[12] & 0x0f - reserved
tcp[13] - tcp flags
tcp[13] & 0x3f = 0 - no flags set (null packet)
tcp[13] & 0x11 = 1 - FIN set and ACK not set
tcp[13] & 0x03 = 3 - SYN set and FIN set
tcp[13] & 0x05 = 5 - RST set and FIN set
tcp[13] & 0x06 = 6 - SYN set and RST set
tcp[13] & 0x18 = 8 - PSH set and ACK not set
tcp[13] & 0x30 = 0x20 - URG set and ACK not set
tcp[13] & 0xc0 != 0 - at least one of the reserved bits of tcp[13] is set
tcp[14:2] - window
tcp[16:2] - checksum
tcp[18:2] - urgent pointer
tcp[20:4] - options (first 4 bytes; present only when (tcp[12] & 0xf0) > 0x50)
tcp[23] - padding
tcp[24] - data
Detail on Flags:
Flags Numerically Meaning
===== =========== =======
---- --S- 0000 0010 = 0x02 normal syn
---A --S- 0001 0010 = 0x12 normal syn-ack
---A ---- 0001 0000 = 0x10 normal ack
--UA P--- 0011 1000 = 0x38 psh-urg-ack. interactive stuff like ssh
---A -R-- 0001 0100 = 0x14 rst-ack. it happens.
---- --SF 0000 0011 = 0x03 syn-fin scan
--U- P--F 0010 1001 = 0x29 urg-psh-fin. nmap fingerprint packet
-Y-- ---- 0100 0000 = 0x40 anything >= 0x40 has a reserved bit set
XY-- ---- 1100 0000 = 0xC0 both reserved bits set
XYUA PRSF 1111 1111 = 0xFF FULL_XMAS scan
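The flag tests in the TCP list and the rows of the table above are the filters a defender actually runs over a capture when hunting for scans. As an added example (not part of the original post), the Python below encodes each test as a `(expression, mask, operator, value)` rule, evaluates them against a flag byte exactly as BPF does, renders the byte in the table's `XYUA PRSF` notation, and joins the rules into one tcpdump expression. The rules are evaluated independently, so a single byte can match several of them (a 0x03 syn-fin also satisfies "FIN set and ACK not set"); the sample flag bytes at the bottom are the table's own values.

```python
# Flag bits in tcp[13]. The two high bits are the "reserved" X/Y bits of the
# table (later assigned to CWR and ECE by RFC 3168).
FLAG_BITS = [("X", 0x80), ("Y", 0x40), ("U", 0x20), ("A", 0x10),
             ("P", 0x08), ("R", 0x04), ("S", 0x02), ("F", 0x01)]


def flag_string(flags):
    """Render a tcp[13] value in the 'XYUA PRSF' notation of the table."""
    s = "".join(letter if flags & bit else "-" for letter, bit in FLAG_BITS)
    return s[:4] + " " + s[4:]


# Each rule is (tcpdump expression, mask, operator, right-hand side, label), taken
# from the TCP offset list and the flag table. Rules are independent, so one
# flag byte may match several of them.
RULES = [
    ("tcp[13] & 0x3f = 0",    0x3F, "=",  0x00, "null packet"),
    ("tcp[13] & 0x11 = 1",    0x11, "=",  0x01, "FIN set and ACK not set"),
    ("tcp[13] & 0x03 = 3",    0x03, "=",  0x03, "SYN set and FIN set (syn-fin scan)"),
    ("tcp[13] & 0x05 = 5",    0x05, "=",  0x05, "RST set and FIN set"),
    ("tcp[13] & 0x06 = 6",    0x06, "=",  0x06, "SYN set and RST set"),
    ("tcp[13] & 0x18 = 8",    0x18, "=",  0x08, "PSH set and ACK not set"),
    ("tcp[13] & 0x30 = 0x20", 0x30, "=",  0x20, "URG set and ACK not set"),
    ("tcp[13] & 0xc0 != 0",   0xC0, "!=", 0x00, "reserved bit set"),
    ("tcp[13] & 0x3f = 0x29", 0x3F, "=",  0x29, "urg-psh-fin (nmap fingerprint packet)"),
    ("tcp[13] = 0xff",        0xFF, "=",  0xFF, "FULL_XMAS scan"),
]


def matches(flags, mask, op, rhs):
    """Evaluate one 'tcp[13] & mask op rhs' test the way the BPF filter would."""
    masked = flags & mask
    return masked == rhs if op == "=" else masked != rhs


def classify(flags):
    """Labels of every rule the flag byte satisfies; an empty list means the
    combination is one of the normal ones (syn, syn-ack, ack, psh-urg-ack, ...)."""
    return [label for _, mask, op, rhs, label in RULES if matches(flags, mask, op, rhs)]


def suspicious_filter():
    """All rules joined into a single tcpdump filter expression."""
    return " or ".join("(" + expr + ")" for expr, *_ in RULES)


if __name__ == "__main__":
    # Sample flag bytes: the table's normal handshake values followed by its scan patterns.
    for flags in (0x02, 0x12, 0x10, 0x38, 0x14, 0x00, 0x03, 0x29, 0xC0, 0xFF):
        print(f"{flag_string(flags)}  0x{flags:02x}  {classify(flags) or ['normal']}")
    print("tcpdump -nn '" + suspicious_filter() + "'")
```

The `suspicious_filter()` output is a single expression that can be handed to tcpdump to pull only the odd combinations out of a large capture file, leaving the normal handshake and data flags (the empty-list cases) behind.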
UDP byte offsets
Code:
udp[0:2] - src port
udp[2:2] - dst port
udp[4:2] - length
udp[6:2] - checksum
udp[8:4] - first 4 octets of data
ICMP byte offsets
Code:
icmp[0] - type
icmp[1] - code
icmp[2:2] - checksum
Destination Unreachable:
icmp[0] = 0x3 (3)
icmp[4:4] - unused (per RFC)
icmp[8:4] - internet header + 64 bits original data
icmp[1] - 0 = net unreachable;
- 1 = host unreachable;
- 2 = protocol unreachable;
- 3 = port unreachable;
- 4 = fragmentation needed and DF set;
- 5 = source route failed.
Time Exceeded:
icmp[0] = 0xB (11)
icmp[4:4] - unused (per RFC)
icmp[8:4] - internet header + 64 bits original data
icmp[1] - 0 = TTL exceeded in transit
- 1 = fragment reassembly time exceeded
Parameter Problem:
icmp[0] = 0xC (12)
icmp[1] - 0 = pointer indicates error
icmp[4] - pointer
icmp[5:1], icmp[6:2] - unused, per RFC ([x:y] only allows y of 1, 2 or 4)
icmp[8:4] - internet header + 64 bits original data
Source Quench:
icmp[0] = 0x4 (4)
icmp[1] - 0 = may be received by gateway or host
icmp[4:4] - unused, per RFC
icmp[8:4] - internet header + 64 bits original data
Redirect Message:
icmp[0] = 0x5 (5)
icmp[1] - 0 = redirect for network
- 1 = redirect for host
- 2 = redirect for TOS & network
- 3 = redirect for TOS & host
icmp[4:4] - gateway internet address
icmp[8:4] - internet header + 64 bits original data
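A filter such as `icmp[0] = 3 and icmp[1] = 3` finds the port-unreachable messages, but the part a defender wants next is the quoted original datagram that starts at offset 8: it says which of your own flows was rejected. Since `[x:y]` reads at most 4 bytes, a tcpdump filter can only test the start of that quote; the added Python example below (not from the original post) decodes the whole error message with the offsets from the ICMP lists, including the type-specific word (gateway address for redirects, pointer for parameter problems) and the quoted header's addresses, protocol and ports. The sample message is constructed for the example: a port-unreachable reply to a UDP datagram that 10.0.0.1 sent to 192.0.2.10 port 161.

```python
import struct

ICMP_TYPES = {
    3: "destination unreachable", 4: "source quench", 5: "redirect message",
    11: "time exceeded", 12: "parameter problem",
}
ICMP_CODES = {
    3: {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
        3: "port unreachable", 4: "fragmentation needed and DF set",
        5: "source route failed"},
    4: {0: "may be received by gateway or host"},
    5: {0: "redirect for network", 1: "redirect for host",
        2: "redirect for TOS & network", 3: "redirect for TOS & host"},
    11: {0: "TTL exceeded in transit", 1: "fragment reassembly time exceeded"},
    12: {0: "pointer indicates error"},
}


def dotted(raw):
    """Four raw bytes as a dotted-quad address string."""
    return ".".join(str(b) for b in raw)


def parse_icmp_error(icmp):
    """Decode an ICMP error message using the byte offsets from the list above.
    icmp[0]/icmp[1] give type and code, icmp[2:2] the checksum, bytes 4..7 the
    type-specific word, and everything from offset 8 is the quoted original
    internet header plus 64 bits of its data."""
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type not in ICMP_TYPES:
        raise ValueError(f"type {icmp_type} is not one of the error types handled here")
    result = {
        "type": ICMP_TYPES[icmp_type],
        "code": ICMP_CODES[icmp_type].get(code, f"unknown code {code}"),
        "checksum": int.from_bytes(icmp[2:4], "big"),
    }
    if icmp_type == 5:
        result["gateway"] = dotted(icmp[4:8])      # icmp[4:4] gateway internet address
    elif icmp_type == 12:
        result["pointer"] = icmp[4]                # icmp[4] byte index of the error
    quoted = icmp[8:]
    if len(quoted) < 28:
        raise ValueError("quoted datagram must hold a 20-byte IP header plus 64 bits")
    ihl = (quoted[0] & 0x0F) * 4                   # inner ip[0] & 0x0f, in bytes
    result["original"] = {
        "src": dotted(quoted[12:16]),              # inner ip[12:4]
        "dst": dotted(quoted[16:20]),              # inner ip[16:4]
        "protocol": quoted[9],                     # inner ip[9]
    }
    if quoted[9] in (6, 17) and len(quoted) >= ihl + 4:
        # For TCP and UDP the 64 quoted bits start with the source and destination ports.
        sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
        result["original"]["sport"], result["original"]["dport"] = sport, dport
    return result


# Constructed sample: a port-unreachable reply for a UDP datagram that 10.0.0.1
# sent from port 40000 to 192.0.2.10 port 161. Checksums are left at zero.
ORIGINAL_IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 36, 1, 0, 64, 17, 0,
                          bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10]))
ORIGINAL_UDP = struct.pack("!HHHH", 40000, 161, 16, 0)
PORT_UNREACHABLE = bytes([3, 3, 0, 0, 0, 0, 0, 0]) + ORIGINAL_IP + ORIGINAL_UDP


if __name__ == "__main__":
    print(parse_icmp_error(PORT_UNREACHABLE))
```

A burst of such messages whose quoted `dst`/`dport` walk across many ports of one host is the footprint of a UDP sweep seen from the scanned side; the same parser applied to redirect messages exposes the `gateway` field, which is worth checking against the routers you actually expect.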