Friday, April 30, 2010

TCPDump Flags

I was capturing some traffic the other day with TCPDump and wanted a quick reference for matching on TCP flags. This is really for my own needs, but I like to share when I can.
Here are a few filters to use when you only want packets with a particular TCP flag set. They all test the TCP flags byte, which sits at offset 13 of the TCP header (tcp[13]). Each flag is one bit of that byte: FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32 (the two high bits, ECE=64 and CWR=128, are the ECN flags). So 'tcp[13] & value != 0' matches any packet that has that flag set, whatever the other bits are.
There are more and you can read the pcap-filter man page if needed. Two caveats: the tcp[offset] form only applies to IPv4 packets (the BPF index syntax does not walk IPv6 extension headers), and recent tcpdump versions also accept tcp[tcpflags] with the names tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack and tcp-urg in place of the numbers, which is easier to read.

Sniff all SYN flagged packets:

root@bt:~# tcpdump 'tcp[13] & 2 != 0'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

The ^C is where I stopped the capture with Ctrl+C; the three counters are printed on exit. 0 packets captured here only means no new TCP connection was started on eth0 while the filter was running. The default capture size of 96 bytes is enough for flag matching, since the flags are in the TCP header, but use -s 0 if you also want the payload.

Sniff all PSH flagged packets:
root@bt:~# tcpdump 'tcp[13] & 8 != 0'

Sniff all URG flagged packets:
root@bt:~# tcpdump 'tcp[13] & 32 != 0'

Sniff all RST flagged packets:
root@bt:~# tcpdump 'tcp[13] & 4 != 0'

Sniff all ACK flagged packets:
root@bt:~# tcpdump 'tcp[13] & 16 != 0'

Sniff all FIN flagged packets:
root@bt:~# tcpdump 'tcp[13] & 1 != 0'

Sniff all SYN-ACK flagged packets (18 = SYN 2 + ACK 16):
root@bt:~# tcpdump 'tcp[13] = 18'

Note that the equality form matches only packets whose flags byte is exactly 18, so a SYN-ACK that also carries an ECN bit (ECE or CWR) is missed. 'tcp[13] & 18 = 18' matches every packet that has both SYN and ACK set regardless of the other bits.
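As an added example (my own helper script, not from the original post), here is a small POSIX shell helper set that does the bit arithmetic behind all of the filters above: it decodes a flags-byte value into flag names and builds the three shapes of expression you need, "any of these flags", "all of these flags" and "exactly these flags and nothing else". The flag names and bit values are the standard ones (RFC 793, plus ECE=64 and CWR=128 from RFC 3168); the function names are my own choice.

```shell
#!/bin/sh
# Added example, not part of the original post: helpers for the TCP flags
# byte (offset 13 of the TCP header, tcp[13]) that the tcpdump filters test.
# Bit values: CWR=128 ECE=64 URG=32 ACK=16 PSH=8 RST=4 SYN=2 FIN=1

# decode_tcp_flags N -> prints the names of the flags set in byte value N,
# high bit first, or NONE if no flag is set
decode_tcp_flags() {
    v=$1
    out=""
    for pair in CWR:128 ECE:64 URG:32 ACK:16 PSH:8 RST:4 SYN:2 FIN:1; do
        name=${pair%%:*}
        bit=${pair##*:}
        if [ $(( v & bit )) -ne 0 ]; then
            out="${out}${out:+,}${name}"
        fi
    done
    printf '%s\n' "${out:-NONE}"
}

# flags_mask NAME... -> bitwise OR of the values of the named flags;
# fails (exit 1) on an unknown flag name
flags_mask() {
    mask=0
    for name in "$@"; do
        case $name in
            CWR) bit=128 ;; ECE) bit=64 ;; URG) bit=32 ;; ACK) bit=16 ;;
            PSH) bit=8 ;;   RST) bit=4 ;;  SYN) bit=2 ;;  FIN) bit=1 ;;
            *) echo "unknown flag: $name" >&2; return 1 ;;
        esac
        mask=$(( mask | bit ))
    done
    printf '%s\n' "$mask"
}

# filter_any NAME...  -> expression matching packets with ANY of the flags set
# (the form used for the single-flag filters in the post)
filter_any() {
    m=$(flags_mask "$@") || return 1
    printf 'tcp[13] & %s != 0\n' "$m"
}

# filter_all NAME...  -> expression matching packets with ALL of the named
# flags set, whatever the other bits are (robust SYN-ACK form)
filter_all() {
    m=$(flags_mask "$@") || return 1
    printf 'tcp[13] & %s = %s\n' "$m" "$m"
}

# filter_only NAME... -> expression matching packets with EXACTLY these flags
# and no others (the post's 'tcp[13] = 18')
filter_only() {
    m=$(flags_mask "$@") || return 1
    printf 'tcp[13] = %s\n' "$m"
}

# Examples (printed when the script is run):
decode_tcp_flags 18          # ACK,SYN
decode_tcp_flags 210         # CWR,ECE,ACK,SYN  (a SYN-ACK with ECN bits)
filter_any SYN               # tcp[13] & 2 != 0
filter_all SYN ACK           # tcp[13] & 18 = 18
filter_only SYN ACK          # tcp[13] = 18
```

To use one of the generated expressions, pass it to tcpdump as the filter, e.g. tcpdump -n "$(filter_all SYN ACK)". Running tcpdump -d "$(filter_all SYN ACK)" instead prints the compiled BPF program without capturing anything, which is a quick way to confirm what a filter actually tests before you rely on it.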
