TOPIC: This is related to see the traffic in nic

This is related to see the traffic in nic 10 years 11 months ago #12483

Hi,

Friends, can anyone tell me the use of the tcpdump command

and explain this syntax:
tcpdump -nn -i eth0 -tq 'tcp[13] == 2'

-nn to tell the address
-i interface
-t to ignore the time stamp


q ???
'tcp[13] == 2' ????

I don't know the logic of this q and 'tcp[13] == 2'.
Can anyone give me more details on this topic, please?


regards,
Prabhakaran.D

Re: This is related to see the traffic in nic 10 years 11 months ago #12500

  • Chris
  • Administrator
After checking the tcpdump man pages, I can tell you that the 'q' stands for 'quick output': it forces tcpdump to print less protocol information so the output lines are shorter.

The 'tcp[13] == 2' parameter is one I've never used before, but judging from the man pages, it looks like an expression designed to capture specific traffic.

The man pages have an example where it states that
"tcp[0] always means the first byte of the TCP header..."

Using this information we can come to a logical conclusion that the 'tcp[13]' parameter refers to the 13th byte of the TCP header in a packet. As for the '==2' value, I'm suspecting it's got something to do with the TCP flags, but not 100% sure what it means.

Anyone else that can shed some light on this problem?
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx

Re: This is related to see the traffic in nic 10 years 11 months ago #12502

  • FallenZer0
  • Senior Member
Check the below link and it will answer your questions.

www.tcpdump.org/tcpdump_man.html

It's related to the TCP flags and what type of datagram is sent [SYN, SYN/ACK, ACK, PSH, URG etc.]. See how clearly it explains what you were looking for.

Do at least minimal searches, kiddo. Read RFC 793.


Recall the structure of a TCP header without options:

 0                            15                              31
-----------------------------------------------------------------
|          source port          |       destination port        |
-----------------------------------------------------------------
|                        sequence number                        |
-----------------------------------------------------------------
|                     acknowledgment number                     |
-----------------------------------------------------------------
|  HL   | rsvd  |C|E|U|A|P|R|S|F|        window size            |
-----------------------------------------------------------------
|         TCP checksum          |       urgent pointer          |
-----------------------------------------------------------------

A TCP header usually holds 20 octets of data, unless
options are present. The first line of the graph contains
octets 0 - 3, the second line shows octets 4 - 7 etc.

Starting to count with 0, the relevant TCP control bits
are contained in octet 13:

 0             7|             15|             23|             31
----------------|---------------|---------------|----------------
|  HL   | rsvd  |C|E|U|A|P|R|S|F|        window size            |
----------------|---------------|---------------|----------------
|               |  13th octet   |               |               |

Let's have a closer look at octet no. 13:

                |               |
                |---------------|
                |C|E|U|A|P|R|S|F|
                |---------------|
                |7   5   3     0|

These are the TCP control bits we are interested in. We
have numbered the bits in this octet from 0 to 7, right to
left, so the PSH bit is bit number 3, while the URG bit is
number 5.

Recall that we want to capture packets with only SYN set.
Let's see what happens to octet 13 if a TCP datagram
arrives with the SYN bit set in its header:

                |C|E|U|A|P|R|S|F|
                |---------------|
                |0 0 0 0 0 0 1 0|
                |---------------|
                |7 6 5 4 3 2 1 0|

Looking at the control bits section we see that only bit
number 1 (SYN) is set.

Assuming that octet number 13 is an 8-bit unsigned integer
in network byte order, the binary value of this octet is

00000010

and its decimal representation is

0*2^7 + 0*2^6 + 0*2^5 + 0*2^4 + 0*2^3 + 0*2^2 + 1*2^1 + 0*2^0 = 2

We're almost done, because now we know that if only SYN is
set, the value of the 13th octet in the TCP header, when
interpreted as a 8-bit unsigned integer in network byte
order, must be exactly 2.

This relationship can be expressed as
tcp[13] == 2
-There Is A Foolish Corner In The Brain Of The Wisest Man- Aristotle
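The octet-13 arithmetic in the man-page excerpt above, as an added worked example (written for this page, not code from the thread, from tcpdump or from libpcap). It builds 20-octet TCP headers in memory, evaluates single-clause byte-offset filters the way the man page describes (tcp[N] is the Nth octet counted from 0, read as an unsigned 8-bit integer; '&' is applied before the comparison) and shows the caveat a practitioner wants: 'tcp[13] == 2' requires the octet to be exactly 2, so it silently misses a SYN that also carries the ECN bits ECE and CWR (an RFC 3168 ECN-setup SYN has octet 13 = 0xC2), whereas the masked form 'tcp[13] & 0x12 == 2', or 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' in tcpdump's symbolic notation, catches both while still excluding SYN/ACK. The sample headers are constructed, not captured traffic; the parser handles only one comparison clause; and the symbolic names tcp-ece and tcp-cwr are an assumption used here only to build the samples.

```python
"""Evaluate tcpdump-style byte-offset filters such as 'tcp[13] == 2' against
TCP headers built in memory, so the man-page arithmetic can be checked
without capturing live traffic.  Added example, not part of the thread."""
import re
import struct

# Bit values of octet 13 of the TCP header, numbered 0..7 from the right as in
# the man-page excerpt: FIN = bit 0 ... CWR = bit 7.  The six RFC 793 names are
# the ones tcpdump's filter language defines (tcp-fin ... tcp-urg); tcp-ece and
# tcp-cwr (the RFC 3168 ECN bits) are an assumption used here to build samples.
TCP_FLAGS = {
    "tcp-fin": 0x01, "tcp-syn": 0x02, "tcp-rst": 0x04, "tcp-push": 0x08,
    "tcp-ack": 0x10, "tcp-urg": 0x20, "tcp-ece": 0x40, "tcp-cwr": 0x80,
}
TCPFLAGS_OFFSET = 13  # tcpdump accepts tcp[tcpflags] as a synonym for tcp[13]


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=65535):
    """Construct a 20-octet TCP header without options, in network byte order.
    Octet 12 holds the data offset (5 words) in its high nibble; octet 13 is
    the control-bit octet the filter examines."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       5 << 4, flags, window, 0, 0)


# One relational clause: tcp[OFF] [& MASK] (==|!=) VALUE
_CLAUSE = re.compile(
    r"^\s*tcp\[(?P<off>\d+|tcpflags)\]"
    r"(?:\s*&\s*(?P<mask>[^=!]+?))?"
    r"\s*(?P<op>==|!=)\s*(?P<val>.+?)\s*$"
)


def _operand(text):
    """Numeric operand: '2', '0x12' or a symbolic OR such as '(tcp-syn|tcp-ack)'."""
    value = 0
    for token in text.strip("() ").split("|"):
        token = token.strip()
        value |= TCP_FLAGS[token] if token in TCP_FLAGS else int(token, 0)
    return value


def match(filter_expr, tcp_header):
    """True if the single-clause filter selects this header.  tcp[N] is the
    Nth octet counted from 0, read as an unsigned 8-bit integer, exactly as
    the man page describes; '&' is applied before the comparison."""
    m = _CLAUSE.match(filter_expr)
    if m is None:
        raise ValueError(f"unsupported filter: {filter_expr!r}")
    offset = TCPFLAGS_OFFSET if m["off"] == "tcpflags" else int(m["off"])
    octet = tcp_header[offset]
    if m["mask"] is not None:
        octet &= _operand(m["mask"])
    wanted = _operand(m["val"])
    return octet == wanted if m["op"] == "==" else octet != wanted


# Constructed sample headers (not captured traffic).
SAMPLES = {
    "plain SYN": build_tcp_header(40000, 80, TCP_FLAGS["tcp-syn"]),
    # RFC 3168 ECN-setup SYN: SYN with ECE and CWR also set -> octet 13 = 0xC2
    "ECN-setup SYN": build_tcp_header(
        40001, 80, TCP_FLAGS["tcp-syn"] | TCP_FLAGS["tcp-ece"] | TCP_FLAGS["tcp-cwr"]),
    "SYN/ACK": build_tcp_header(80, 40000, TCP_FLAGS["tcp-syn"] | TCP_FLAGS["tcp-ack"],
                                seq=1000, ack=1),
    "ACK": build_tcp_header(40000, 80, TCP_FLAGS["tcp-ack"], seq=1, ack=1001),
}


def matching_samples(filter_expr):
    """Names of the sample headers the filter selects, in SAMPLES order."""
    return [name for name, hdr in SAMPLES.items() if match(filter_expr, hdr)]


if __name__ == "__main__":
    for expr in ("tcp[13] == 2",
                 "tcp[13] & 0x12 == 2",
                 "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn"):
        print(f"{expr:46} -> {matching_samples(expr)}")
```

Running the script shows 'tcp[13] == 2' selecting only the plain SYN, while both masked forms select the plain SYN and the ECN-setup SYN and neither selects the SYN/ACK or the bare ACK. The three filter strings are valid as written and can be passed to tcpdump unchanged, e.g. tcpdump -nn -i eth0 -tq 'tcp[13] & 0x12 == 2'.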

Re: This is related to see the traffic in nic 10 years 11 months ago #12555

www.tcpdump.org/

This will answer all your queries!

Re: This is related to see the traffic in nic 10 years 11 months ago #12598

  • FallenZer0
  • Senior Member
www.tcpdump.org/

This will answer all your queries!

--Make sure you read the posts above, before you double post the same thing.
-There Is A Foolish Corner In The Brain Of The Wisest Man- Aristotle