Verify IP version is 4
windump -nvv -r filename.pcap -X "ip[0] & 0xF0 = 0x40"
Verify IP header has no options, that is, the IP header is 20 bytes
windump -nvv -r filename.pcap -X "ip[0] & 0x0F = 0x5"
Verify that IP protocol is ICMP
windump -nvv -r filename.pcap -X "ip[9] = 0x01"
Verify that IP protocol is UDP
windump -nvv -r filename.pcap -X "ip[9] = 0x11"
Verify that IP protocol is TCP
windump -nvv -r filename.pcap -X "ip[9] = 0x06"
Determine time to live is less than 128
windump -nvv -r filename.pcap -X "ip[8] < 128"
Tracking IP packets with More Fragments flag set
windump -nvv -r filename.pcap -X "ip[6] & 0x20 = 0x20"
Verifying that source IP is 10.0.0.6
windump -nvv -r filename.pcap -X "ip[12] = 0x0a && ip[13] = 0x00 && ip[14] = 0x00 && ip[15] = 0x06"
Verifying that destination IP is 151.164.1.8
windump -nvv -r filename.pcap -X "ip[16] = 0x97 && ip[17] = 0xa4 && ip[18] = 0x01 && ip[19] = 0x08"
All traffic from tcp source port = 23
windump -nn -r filename.pcap -X "tcp[0:2] = 23"
All traffic from tcp dst port 1254
windump -nn -r filename.pcap -X "tcp[2:2] = 1254"
All packets with SYN flag set
windump -nn -r filename.pcap -X "tcp[13] = 0x02"
All packets with SYN/ACK flags set
windump -nn -r filename.pcap -X "tcp[13] = 0x12"
All packets with FIN flag set
windump -nn -r filename.pcap "tcp[13] & 0x01 = 0x01"
Looks for TCP packets with header length greater than 20 bytes
windump -nn -r filename.pcap "tcp[12] & 0xF0 > 0x50"
Look for packets with the PUSH flag set
windump -nn -r filename.pcap "tcp[13] & 0x08 = 0x08"
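The filters above all work by indexing raw header bytes, so they are easy to misread when the byte holds more than one field. The following Python is an added example, not part of the post or of windump/tcpdump: it builds a few constructed packets (a telnet handshake between the two addresses used above and a non-first UDP fragment; none of this comes from a real capture), then evaluates each of the post's filter expressions on them with the same byte offsets. Two details worth noticing: tcp[] offsets are relative to the TCP header, which begins IHL*4 bytes into the packet, and tcpdump only evaluates tcp[] on protocol-6 packets whose fragment offset is zero, since later fragments carry no TCP header. It also shows why "ip[6] & 0x20 = 0x20" is the right test for More Fragments while an exact "ip[6] = 0x20" misses fragments whose offset does not fit in the low byte.

```python
import struct

# Added example, not from the post. It reproduces the byte-offset tests behind
# the windump filters above in plain Python, on constructed packets.


def build_ipv4(proto, ttl, src, dst, flags_frag=0x4000, payload=b""):
    """Minimal 20-byte IPv4 header (IHL=5, no options) followed by payload.
    flags_frag is the 16-bit flags/fragment-offset field: 0x4000 = DF, 0x2000 = MF."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s",
                       ver_ihl, 0, 20 + len(payload), 0x1234, flags_frag,
                       ttl, proto, 0,
                       bytes(int(o) for o in src.split(".")),
                       bytes(int(o) for o in dst.split("."))) + payload


def build_tcp(sport, dport, flags, options=b""):
    """TCP header; the data offset grows with options (length must be a multiple of 4)."""
    data_offset_words = 5 + len(options) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                       data_offset_words << 4, flags, 65535, 0, 0) + options


def ip_field(pkt, i, n=1):
    """ip[i:n] as BPF reads it: n bytes at offset i of the IP header, big-endian."""
    return int.from_bytes(pkt[i:i + n], "big")


def tcp_header_reachable(pkt):
    """tcpdump only evaluates tcp[...] when ip proto is 6 and the fragment offset
    (low 13 bits of ip[6:2]) is 0; later fragments carry no TCP header."""
    return pkt[9] == 0x06 and (ip_field(pkt, 6, 2) & 0x1FFF) == 0


def tcp_field(pkt, i, n=1):
    """tcp[i:n]: offset i is relative to the TCP header, which starts IHL*4 bytes in."""
    ihl = (pkt[0] & 0x0F) * 4
    return int.from_bytes(pkt[ihl + i:ihl + i + n], "big")


def tcp_rule(pred):
    """Wrap a tcp[] predicate so it is false when no TCP header is present."""
    return lambda p: tcp_header_reachable(p) and pred(p)


# Python's & binds tighter than == and <, so these read exactly like the BPF text.
FILTERS = {
    "ip[0] & 0xF0 = 0x40":   lambda p: ip_field(p, 0) & 0xF0 == 0x40,
    "ip[0] & 0x0F = 0x5":    lambda p: ip_field(p, 0) & 0x0F == 0x5,
    "ip[9] = 0x06":          lambda p: ip_field(p, 9) == 0x06,
    "ip[9] = 0x11":          lambda p: ip_field(p, 9) == 0x11,
    "ip[8] < 128":           lambda p: ip_field(p, 8) < 128,
    # exact match: MF set, DF clear, and only fragments whose offset fits in ip[7]
    "ip[6] = 0x20":          lambda p: ip_field(p, 6) == 0x20,
    # masked match: every packet with the More Fragments bit set
    "ip[6] & 0x20 = 0x20":   lambda p: ip_field(p, 6) & 0x20 == 0x20,
    "ip[12] = 0x0a && ip[13] = 0x00 && ip[14] = 0x00 && ip[15] = 0x06":
        lambda p: p[12:16] == bytes([0x0a, 0x00, 0x00, 0x06]),
    "ip[16] = 0x97 && ip[17] = 0xa4 && ip[18] = 0x01 && ip[19] = 0x08":
        lambda p: p[16:20] == bytes([0x97, 0xa4, 0x01, 0x08]),
    "tcp[0:2] = 23":         tcp_rule(lambda p: tcp_field(p, 0, 2) == 23),
    "tcp[2:2] = 1254":       tcp_rule(lambda p: tcp_field(p, 2, 2) == 1254),
    "tcp[13] = 0x02":        tcp_rule(lambda p: tcp_field(p, 13) == 0x02),
    "tcp[13] = 0x12":        tcp_rule(lambda p: tcp_field(p, 13) == 0x12),
    "tcp[13] & 0x01 = 0x01": tcp_rule(lambda p: tcp_field(p, 13) & 0x01 == 0x01),
    "tcp[12] & 0xF0 > 0x50": tcp_rule(lambda p: tcp_field(p, 12) & 0xF0 > 0x50),
    "tcp[13] & 0x08 = 0x08": tcp_rule(lambda p: tcp_field(p, 13) & 0x08 == 0x08),
}


def matching_filters(pkt):
    """Return the filter expressions (in the post's notation) that this packet matches."""
    return [expr for expr, pred in FILTERS.items() if pred(pkt)]


# Constructed sample traffic (not a real capture): a telnet handshake between the
# two addresses used in the post, plus a non-first UDP fragment.
CLIENT_SYN = build_ipv4(0x06, 64, "10.0.0.6", "151.164.1.8",
                        payload=build_tcp(1254, 23, 0x02))
# server reply carries MSS + NOP NOP SACK-permitted options, so data offset is 7 words
SERVER_SYNACK = build_ipv4(0x06, 128, "151.164.1.8", "10.0.0.6",
                           payload=build_tcp(23, 1254, 0x12,
                                             options=b"\x02\x04\x05\xb4\x01\x01\x04\x02"))
# MF set with fragment offset 370 (0x172): ip[6] is 0x21, not 0x20
UDP_FRAGMENT = build_ipv4(0x11, 60, "10.0.0.6", "151.164.1.8",
                          flags_frag=0x2000 | 370, payload=b"\x00" * 8)

if __name__ == "__main__":
    for name, pkt in [("client SYN", CLIENT_SYN), ("server SYN/ACK", SERVER_SYNACK),
                      ("UDP fragment", UDP_FRAGMENT)]:
        print(name)
        for expr in matching_filters(pkt):
            print("   ", expr)
```

Running it lists, per packet, which expressions would have selected it. The server SYN/ACK with TTL 128 shows that "ip[8] < 128" is strict, and the fragment shows that none of the tcp[] rules fire on a non-TCP packet, matching what windump does with the same filters.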
References
http://www.tcpdump.org/tcpdump_man.html
Additional Materials
https://www.comparitech.com/net-admin/tcpdump-cheat-sheet/