LinuxQuestions.org

LinuxQuestions.org (http://www.linuxquestions.org/questions/index.php)
-   Linux - Networking (http://www.linuxquestions.org/questions/forumdisplay.php?f=3)
-   -   Tcpdump : Capturing TCP packets with particular flag combinations (http://www.linuxquestions.org/questions/showthread.php?t=669979)

apit 09-15-2008 03:20 AM

Tcpdump : Capturing TCP packets with particular flag combinations
 
I got this info from the tcpdump website.

Quote:

There are 8 bits in the control bits section of the TCP header:

CWR | ECE | URG | ACK | PSH | RST | SYN | FIN

Let's assume that we want to watch packets used in establishing a TCP connection. Recall that TCP uses a 3-way handshake protocol when it initializes a new connection; the connection sequence with regard to the TCP control bits is

1) Caller sends SYN

2) Recipient responds with SYN, ACK

3) Caller sends ACK

Now we're interested in capturing packets that have only the SYN bit set (Step 1). Note that we don't want packets from step 2 (SYN-ACK), just a plain initial SYN. What we need is a correct filter expression for tcpdump.

Recall the structure of a TCP header without options:

http://www.eratraining2u.com/pic/tcp.png


A TCP header usually holds 20 octets of data, unless options are present. The first line of the graph contains octets 0 - 3, the second line shows octets 4 - 7 etc.

Starting to count with 0, the relevant TCP control bits are contained in octet 13:


http://www.eratraining2u.com/pic/tcp2.png

Let's have a closer look at octet no. 13:


http://www.eratraining2u.com/pic/tcp3.png

These are the TCP control bits we are interested in. We have numbered the bits in this octet from 0 to 7, right to left, so the PSH bit is bit number 3, while the URG bit is number 5.
Questions

1- The size of the TCP header is 32 bits, equal to 4 bytes or 4 octets. The statement above says that "a TCP header usually holds 20 octets of data". What does 20 octets actually mean?

2- The statement below also says "Starting to count with 0, the relevant TCP control bits are contained in octet 13". What does that mean? In my understanding, the flags only start at bit 8 to bit 15. It really confuses me.


Reference:
http://www.tcpdump.org/tcpdump_man.html

Mr. C. 09-16-2008 02:09 AM

1. google and wikipedia can answer your question. Octet (oct meaning 8) is 8 bits, so 20 octets is 20 x 8 = 160 bits or 20 bytes.

http://en.wikipedia.org/wiki/Octet_(computing)
http://en.wikipedia.org/wiki/Transmi...ntrol_Protocol

2. Octet 13 = 13 x 8 = bit 104. See starting bit 104 in the second URL above.
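Added example, not from the thread or the tcpdump man page: a small Python decoder for the fixed 20-octet TCP header that reads octet 13, numbers its bits 0-7 right to left exactly as the quoted text does, and shows how a plain SYN is the byte value 2 (the test tcpdump's `tcp[13] == 2` performs) and how Mr. C.'s "bit 104" is the CWR end of that same octet. The port and sequence numbers are constructed samples echoing the thread.

```python
import struct

# Control bits of octet 13, numbered 0-7 right to left as in the tcpdump man page:
# CWR=7 ECE=6 URG=5 ACK=4 PSH=3 RST=2 SYN=1 FIN=0
FLAG_BITS = {"FIN": 0, "SYN": 1, "RST": 2, "PSH": 3,
             "ACK": 4, "URG": 5, "ECE": 6, "CWR": 7}
FLAGS_OCTET = 13  # octets counted from 0, as tcpdump's tcp[13] does

def flag_mask(*names):
    """Byte value tcpdump would compare tcp[13] against (SYN alone -> 2)."""
    return sum(1 << FLAG_BITS[n] for n in names)

def absolute_bit(name):
    """Flag position in bits from the start of the header: octet 13 begins at
    13 * 8 = 104, and CWR is the leftmost (most significant) bit of that octet."""
    return FLAGS_OCTET * 8 + (7 - FLAG_BITS[name])

def parse_tcp_header(segment):
    """Decode the fixed 20-octet TCP header; options, if present, are skipped."""
    if len(segment) < 20:
        raise ValueError("a TCP header is at least 20 octets")
    src, dst, seq, ack, off, flags, win, csum, urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "header_len": (off >> 4) * 4,  # data offset counts 32-bit words
            "octet13": flags,
            "flags": [n for n, b in FLAG_BITS.items() if flags >> b & 1],
            "window": win, "checksum": csum, "urgent": urg}

def handshake_step(segment):
    """Name the 3-way handshake step a segment matches, judged on octet 13 only,
    the same way the filter expression 'tcp[13] == 2' isolates a plain SYN."""
    f = parse_tcp_header(segment)["octet13"]
    if f == flag_mask("SYN"):
        return "SYN"
    if f == flag_mask("SYN", "ACK"):
        return "SYN-ACK"
    if f == flag_mask("ACK"):
        return "ACK"
    return "other"

def build_segment(src, dst, octet13, seq=0, ack=0):
    """Constructed sample header with no options, so data offset = 5 words."""
    return struct.pack("!HHIIBBHHH", src, dst, seq, ack, 5 << 4,
                       octet13, 65535, 0, 0)

# Constructed samples mirroring the thread: client port 4178 -> http (port 80).
CLIENT_SYN = build_segment(4178, 80, flag_mask("SYN"), seq=1000)
SERVER_SYNACK = build_segment(80, 4178, flag_mask("SYN", "ACK"), seq=5000, ack=1001)
```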

apit 09-17-2008 07:26 PM

Thanks a lot Mr. C.
I already googled the answer before, but most of the articles show that the TCP header size is 32 bits.. Based on your website link, the size of the TCP header is actually 160/192+ bits.

Referring to question 1, the size of the data is 20 bytes. That means the data also contains the source port, destination port, sequence number, acknowledgment number, data offset, reserved, flags, window size, checksum and urgent pointer. Is it true?

Mr. C. 09-17-2008 11:08 PM

There is no conflict. The structure shown in man tcpdump aligns perfectly with the diagram shown in the wikipedia link I gave. You claim that "most of the articles show that TCP header size is 32 bit". I think you are misunderstanding what you are reading. 32 bits (4 bytes) is only enough for the source and destination port (each 16 bits).

apit 09-17-2008 11:37 PM

Oh I see... So the minimum total size of the TCP header is 160 bits and it can go up to 192 bits. Is it wright Mr. C?

Mr. C. 09-18-2008 12:48 AM

You are wright.

ps. right.

apit 09-20-2008 05:41 PM

One more thing, about the source & destination port...
The source port is from sender & destination is receiver, right?

Normally the user port range starts from 1024 through 65535 and the destination port starts from 0 to 1023. Let's say I surf google.com.. The TCP stack will automatically assign a random port to me as the client, starting from 1024 & above, and the google server will get a fixed port, which is 80. Is it true?

If the environment is peer to peer, such as file sharing (client-client), will the above concept still apply?

P.S.: sorry for my poor English writing... ;-)

Mr. C. 09-20-2008 08:47 PM

Source = sender, destination = receiver.

Ports 1 - 1023 are the "well known" ports. These are well-known such that other sending systems know what destination port to use to contact well-known services such as SMTP, FTP, SSH, etc. They are privileged ports in that under *nix systems only root processes may open a connection (for listening). There is no requirement that these ports are used for the standard services - one often sees services such as SSH being moved to another port such as 222. It is also common to see well-known services such as HTTP (port 80) using a port in the ephemeral range, such as 8080.

Ports from 1024 to 49151 are the registered ports, previously used for various services and protocols, but not enforced in any way.

Ports from 49152 to 65535 are the private (ephemeral) ports, in that a client making a connection to a remote service (often to a well-known port) will use a random, available port for its end of a communications socket. The client selects the desired destination port when it creates the socket.

Any port can be used by any service (if supported by the service and there are no OS restrictions for the process) - the port mappings are recommendations, and allow the Internet to operate without requiring port lookup registries.

apit 09-20-2008 09:31 PM

OK.. this is what I get from netstat -a

Quote:

TCP abu:4178 ti-in-f19.google.com:http ESTABLISHED
TCP abu:4240 tw-in-f189.google.com:http ESTABLISHED
TCP abu:4266 tw-in-f189.google.com:http ESTABLISHED
By referring to your last post:
Quote:

Ports from 49152 to 65535 are the private (ephemeral) ports, in that a client making a connection to a remote service (often to a well-known port) will use a random, available port for its end of a communications socket. The client selects the desired destination port when it creates the socket.
From the netstat -a output, I'm using the TCP protocol and my local PC is using ports 4178, 4240 and 4266 to access *.google.com port 80. I'm still using ports below 49152 instead of above 49152.. Why?

Mr. C. 09-20-2008 09:45 PM

These assignments were made a long time ago, and I've given you the traditional definitions. The client OS is free to choose the port range it wants to use as the random source port upon making a connection to a remote service. A wider range of ports enhances security.
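Added example, not posted by anyone in the thread: a Python check that parses the three netstat lines quoted above, maps each local and remote port onto the traditional ranges Mr. C. listed, and shows that 4178, 4240 and 4266 fall in the "registered" block rather than the 49152+ ephemeral block, which is the OS's own choice of source-port range. The service-name table is a minimal assumption for the names netstat printed; on Linux the kernel's actual range can be read from /proc/sys/net/ipv4/ip_local_port_range, which the last function does when the file exists.

```python
import re

# Traditional IANA split, as given by Mr. C. in the thread.
PORT_RANGES = (("well-known", 0, 1023), ("registered", 1024, 49151),
               ("ephemeral", 49152, 65535))
# Assumed minimal service-name table; netstat -a prints names, not numbers.
SERVICE_PORTS = {"http": 80, "https": 443, "ssh": 22, "smtp": 25, "ftp": 21}
NETSTAT_LINE = re.compile(r"^(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)\s*(\S*)$")

def port_number(token):
    """netstat shows either a number or a service name for the port."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token]

def port_class(port):
    """Which traditional block a port number falls in."""
    for name, lo, hi in PORT_RANGES:
        if lo <= port <= hi:
            return name
    raise ValueError(f"port {port} out of range")

def classify_netstat(lines):
    """For each connection line: both ports and the block each one belongs to."""
    out = []
    for line in lines:
        m = NETSTAT_LINE.match(line.strip())
        if not m:
            continue  # skip headers and lines in another format
        proto, lhost, lport, rhost, rport, state = m.groups()
        lp, rp = port_number(lport), port_number(rport)
        out.append({"proto": proto, "local_host": lhost, "local_port": lp,
                    "local_class": port_class(lp), "remote_host": rhost,
                    "remote_port": rp, "remote_class": port_class(rp),
                    "state": state})
    return out

def local_port_range(path="/proc/sys/net/ipv4/ip_local_port_range"):
    """(low, high) source-port range the Linux kernel uses, or None elsewhere."""
    try:
        with open(path) as fh:
            lo, hi = fh.read().split()
        return int(lo), int(hi)
    except (OSError, ValueError):
        return None

# The three netstat -a lines quoted in the thread.
THREAD_NETSTAT = [
    "TCP abu:4178 ti-in-f19.google.com:http ESTABLISHED",
    "TCP abu:4240 tw-in-f189.google.com:http ESTABLISHED",
    "TCP abu:4266 tw-in-f189.google.com:http ESTABLISHED",
]
```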

