Tuesday, December 8, 2015

a few not so basic windump examples

Verify IP version is 4
windump -nvv -r filename.pcap -X "ip[0] & 0xF0 = 0x40"

Verify the IP header has no options, i.e. the header length field (IHL) is 5 and the header is 20 bytes
windump -nvv -r filename.pcap -X "ip[0] & 0x0F = 0x5"

Verify that IP protocol is ICMP

windump -nvv -r filename.pcap -X "ip[9] = 0x01"

Verify that IP protocol is UDP
windump -nvv -r filename.pcap -X "ip[9] = 0x11"

Verify that IP protocol is TCP
windump -nvv -r filename.pcap -X "ip[9] = 0x06"

Find packets whose time to live is less than 128
windump -nvv -r filename.pcap -X "ip[8] < 128"

Tracking IP packets with the More Fragments flag set (the mask matters: ip[6] = 0x20 would only match fragments whose offset high bits are zero)
windump -nvv -r filename.pcap -X "ip[6] & 0x20 = 0x20"

Verifying that source IP is 10.0.0.6
windump -nvv -r filename.pcap -X "ip[12] = 0x0a && ip[13] = 0x00 && ip[14] = 0x00 && ip[15] = 0x06"

Verifying that destination IP is 151.164.1.8
windump -nvv -r filename.pcap -X "ip[16] = 0x97 && ip[17] = 0xa4 && ip[18] = 0x01 && ip[19] = 0x08"

All traffic from tcp source port = 23
windump -nn -r filename.pcap -X "tcp[0:2] = 23"

All traffic from tcp dst port 1254
windump -nn -r filename.pcap -X "tcp[2:2] = 1254"

All packets with only the SYN flag set
windump -nn -r filename.pcap -X "tcp[13] = 0x02"

All packets with SYN/ACK flags set
windump -nn -r filename.pcap -X "tcp[13] = 0x12"

All packets with FIN flag set
windump -nn -r filename.pcap "tcp[13] & 0x01 = 0x01"

Look for TCP packets with header length greater than 20 bytes (data offset greater than 5, i.e. TCP options present)
windump -nn -r filename.pcap "tcp[12] & 0xF0 > 0x50"

Look for packets with the PUSH flag set
windump -nn -r filename.pcap "tcp[13] & 0x08 = 0x08"
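To see what the byte offsets above actually index, here is an added example (not from the original post) that builds constructed IPv4+TCP packets with struct and evaluates each filter in Python. The ip()/tcp() helpers are assumptions that mimic windump's ip[n] and tcp[n] indexing, including locating the TCP header via IHL, and the two More Fragments entries show why the masked form is the safe one.

```python
import struct

def build_ipv4_tcp(src, dst, sport, dport, flags, ttl=64, mf=False, frag_off=0, ihl=5, doff=5):
    """Constructed IPv4+TCP packet (no link-layer header) for testing the filters.
    Option areas are zero-filled and checksums are left 0; the filters never inspect them."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    frag_word = (0x2000 if mf else 0) | (frag_off & 0x1FFF)   # bit 13 = MF, low 13 bits = offset
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + doff * 4, 0x1234,
                         frag_word, ttl, 6, 0, src_b, dst_b) + b"\x00" * ((ihl - 5) * 4)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, doff << 4, flags,
                          8192, 0, 0) + b"\x00" * ((doff - 5) * 4)
    return ip_hdr + tcp_hdr

def ip(pkt, off, n=1):
    """ip[off:n]: n bytes at offset off from the start of the IPv4 header, big-endian."""
    return int.from_bytes(pkt[off:off + n], "big")

def tcp(pkt, off, n=1):
    """tcp[off:n]: offset from the start of the TCP header, which windump locates via IHL*4."""
    start = (pkt[0] & 0x0F) * 4
    return int.from_bytes(pkt[start + off:start + off + n], "big")

def evaluate(pkt):
    """Each entry mirrors one filter from the post. Python's & binds tighter than == and >,
    so the grouping matches the BPF expressions."""
    return {
        "ipv4":            ip(pkt, 0) & 0xF0 == 0x40,
        "no_ip_options":   ip(pkt, 0) & 0x0F == 0x5,
        "is_tcp":          ip(pkt, 9) == 0x06,
        "ttl_lt_128":      ip(pkt, 8) < 128,
        "mf_exact":        ip(pkt, 6) == 0x20,          # 'ip[6] = 0x20': MF set AND offset high bits zero
        "mf_masked":       ip(pkt, 6) & 0x20 == 0x20,   # 'ip[6] & 0x20 = 0x20': any packet with MF set
        "src_10_0_0_6":    ip(pkt, 12, 4) == 0x0a000006,
        "dst_151_164_1_8": ip(pkt, 16, 4) == 0x97a40108,
        "sport_23":        tcp(pkt, 0, 2) == 23,
        "dport_1254":      tcp(pkt, 2, 2) == 1254,
        "syn_only":        tcp(pkt, 13) == 0x02,
        "syn_ack":         tcp(pkt, 13) == 0x12,
        "fin_set":         tcp(pkt, 13) & 0x01 == 0x01,
        "tcp_options":     tcp(pkt, 12) & 0xF0 > 0x50,
        "psh_set":         tcp(pkt, 13) & 0x08 == 0x08,
    }

if __name__ == "__main__":
    syn_ack = build_ipv4_tcp("10.0.0.6", "151.164.1.8", 23, 1254, 0x12)
    for name, hit in evaluate(syn_ack).items():
        print(f"{name:16} {hit}")
```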

References
http://www.tcpdump.org/tcpdump_man.html


Additional Materials
https://www.comparitech.com/net-admin/tcpdump-cheat-sheet/
