Code:
# SYN bit (value 2) set in the TCP flags byte, tcp[13]
tcpdump -nXvs 0 'tcp and host 10.10.10.100 and (tcp[13] & 2 != 0)'
Code:
# Bit values of the flags in tcp[13]
URG - ACK - PSH - RST - SYN - FIN
 32    16    8     4     2     1
Code:
# ACK (16) and PSH (8) both set
tcpdump -nXvs 0 'tcp and host 192.168.2.100 and ((tcp[13] & 16 != 0) and (tcp[13] & 8 != 0))'
Code:
# Same, restricted to traffic between the two hosts
tcpdump -nXvs 0 'tcp and host 10.10.10.100 and host 192.168.2.100 and ((tcp[13] & 16 != 0) and (tcp[13] & 8 != 0))'
Code:
# Same, additionally restricted to destination port 80
tcpdump -nXvs 0 'tcp and host 10.10.10.100 and host 192.168.2.100 and dst port 80 and ((tcp[13] & 16 != 0) and (tcp[13] & 8 != 0))'
Code:
# Read from a capture file and match exactly SYN+ACK (2 + 16 = 18)
tcpdump -r file_name -nXvs 1514 'tcp[13] = 18'
alt.don wrote:
Bit Masking Simplified
Please note that the value of 20 equates to the decimal value of the flags you want to find. In this case 20 equals both Syn and Ack flags being set in the 13th byte in the TCP header.
Code:
tcpdump -F filter_name -r file_name -nXvs 1514
where filter_name contains (accessed via vi):
tcp[13] & 2 != 0 and tcp[13] & 16 != 0
or you can use:
tcp[13] == 18 (instead of 20)
Quote:
Lastly, it all comes down to also knowing your core protocols as well.
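As an added example (not code from this thread), the following Python builds constructed 20-byte TCP headers and applies the same byte-13 masks the tcpdump filters above use, so you can check what a given decimal value in tcp[13] actually decodes to before putting it in a filter. It assumes the standard TCP header layout with no options; ports and flag combinations are made-up sample values.

```python
import struct

# TCP flag bits in byte 13 of the TCP header (tcp[13] in tcpdump syntax),
# as listed in the thread: URG=32, ACK=16, PSH=8, RST=4, SYN=2, FIN=1.
TCP_FLAGS = {"URG": 32, "ACK": 16, "PSH": 8, "RST": 4, "SYN": 2, "FIN": 1}


def build_tcp_header(src_port, dst_port, flags):
    """Build a constructed 20-byte TCP header (no options) with the given
    flag names set, e.g. ("SYN", "ACK"). Seq/ack/checksum are zeroed."""
    flag_byte = 0
    for name in flags:
        flag_byte |= TCP_FLAGS[name]
    data_offset = 5 << 4  # 5 x 32-bit words, upper nibble of byte 12
    # src port, dst port, seq, ack, offset, flags, window, checksum, urg ptr
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       data_offset, flag_byte, 65535, 0, 0)


def decode_flag_value(value):
    """Return the flag names encoded by a decimal tcp[13] value (e.g. 18)."""
    return {name for name, bit in TCP_FLAGS.items() if value & bit}


def flags_set(tcp_header):
    """Decode byte 13 of a raw TCP header into its set of flag names."""
    return decode_flag_value(tcp_header[13])


def match_flag_filter(tcp_header, all_of=(), exact=None):
    """Apply the thread's two filter styles to one header:
    all_of=("ACK", "PSH") mirrors (tcp[13] & 16 != 0) and (tcp[13] & 8 != 0);
    exact=18 mirrors tcp[13] == 18 (every flag must match, no extras)."""
    b13 = tcp_header[13]
    if exact is not None and b13 != exact:
        return False
    return all(b13 & TCP_FLAGS[name] for name in all_of)


if __name__ == "__main__":
    syn_ack = build_tcp_header(80, 40000, ("SYN", "ACK"))
    print(syn_ack[13], sorted(flags_set(syn_ack)))  # 18 ['ACK', 'SYN']
    print(sorted(decode_flag_value(20)))             # ['ACK', 'RST']
```

Decoding 20 shows it is ACK+RST, not SYN+ACK, which is why the thread settles on 18 for the exact-match filter.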