LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 09-15-2008, 03:20 AM   #1
apit
LQ Newbie
 
Registered: Jun 2002
Location: Malaysia
Distribution: red hat 7.3
Posts: 23

Rep: Reputation: 15
Tcpdump : Capturing TCP packets with particular flag combinations


I got this infor from tcpdump website.

Quote:
There are 8 bits in the control bits section of the TCP header:

CWR | ECE | URG | ACK | PSH | RST | SYN | FIN

Let's assume that we want to watch packets used in establishing a TCP connection. Recall that TCP uses a 3-way handshake protocol when it initializes a new connection; the connection sequence with regard to the TCP control bits is

1) Caller sends SYN

2) Recipient responds with SYN, ACK

3) Caller sends ACK

Now we're interested in capturing packets that have only the SYN bit set (Step 1). Note that we don't want packets from step 2 (SYN-ACK), just a plain initial SYN. What we need is a correct filter expression for tcpdump.

Recall the structure of a TCP header without options:

http://www.eratraining2u.com/pic/tcp.png


A TCP header usually holds 20 octets of data, unless options are present. The first line of the graph contains octets 0 - 3, the second line shows octets 4 - 7 etc.

Starting to count with 0, the relevant TCP control bits are contained in octet 13:


http://www.eratraining2u.com/pic/tcp2.png

Let's have a closer look at octet no. 13:


http://www.eratraining2u.com/pic/tcp3.png

These are the TCP control bits we are interested in. We have numbered the bits in this octet from 0 to 7, right to left, so the PSH bit is bit number 3, while the URG bit is number 5.
Questions

1- The size of TCP header is 32 bit or equal to 4 byte or 4 octets. From the statement above, it said that "TCP header usually holds 20 octets of data". Actually what is 20 octets meant?

2- From the statement below also said that "Starting to count with 0, the relevant TCP control bits are contained in octet 13" What is it meant? In my understanding, the flag only start with bit 8 to bit 15. Really make me confuse.


Reference:
http://www.tcpdump.org/tcpdump_man.html

Last edited by apit; 09-15-2008 at 03:31 AM. Reason: insert picture
 
Old 09-16-2008, 02:09 AM   #2
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 63
1. google and wikipedia can answer your question. Octet (oct meaing 8) is 8 bits, so 20 octets is 20 x 8 = 160 bits or 20 bytes.

http://en.wikipedia.org/wiki/Octet_(computing)
http://en.wikipedia.org/wiki/Transmi...ntrol_Protocol

2. Octet 13 = 13 x 8 = bit 104. See starting bit 104 in the second URL above.
 
Old 09-17-2008, 07:26 PM   #3
apit
LQ Newbie
 
Registered: Jun 2002
Location: Malaysia
Distribution: red hat 7.3
Posts: 23

Original Poster
Rep: Reputation: 15
thanks a lot Mr.C
I already google the answer before but most of the articles show that TCP header size is 32 bit..Base from your website link, the size of TCP header actually 160/192+ bit.

Refer to questions 1, the size of the data is 20 bytes. That meant the data also contain source port, destination port, sequence number, acknowledgment number, data offset, reserve,flag,window size, checksum and urgent pointer. Is it true?
 
Old 09-17-2008, 11:08 PM   #4
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 63
There is no conflict. The structure shown in man tcpdump aligns perfectly with the diagram shown in the wikipedia link I gave. You claim that "most of the articles show that TCP header size is 32 bit". I think you are misunderstanding what you are reading. 32 bits (4 bytes) is only enough for the source and destination port (each 16 bits).
 
Old 09-17-2008, 11:37 PM   #5
apit
LQ Newbie
 
Registered: Jun 2002
Location: Malaysia
Distribution: red hat 7.3
Posts: 23

Original Poster
Rep: Reputation: 15
oh i see...So the total size of TCP header minimum is 160 bit and can go up to 192 bit. Is it wright Mr.C?
 
Old 09-18-2008, 12:48 AM   #6
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 63
You are wright.

ps. right.
 
Old 09-20-2008, 05:41 PM   #7
apit
LQ Newbie
 
Registered: Jun 2002
Location: Malaysia
Distribution: red hat 7.3
Posts: 23

Original Poster
Rep: Reputation: 15
one more thing, about source & destination port...
The source port is from sender & destination is receiver, right?

Normally the user port range start from 1024 through 65535 and destination port start from 0 to 1023. Let say i surf google.com..The TCP stack will automatically assign random port to me as client starting from 1024 & above and the google server will get fix port which is 80. Is it true?

If the environment is peer to peer such as file sharing (client-client), will the above concept will deploy?

p/s: sory for my poor english writing... ;-)
 
Old 09-20-2008, 08:47 PM   #8
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 63
Source = sender, destination = receiver.

Ports 1 - 1023 are the "well known" ports. These are well-known such that other sending system's know what destination port to use to contact well-known services such as SMTP, FTP, SSH, etc. They are privileged ports in that under *nix systems only root processes may open a connection (for listening). There is no requirement that these ports are used for the standard services - one often sees services such as SSH being moved to another port such as 222. It is also common to see well-known services such as HTTP (port 80) using a port in the ephemeral range, such as 8080.

Ports from 1024 to 49151 are the registered ports, previously used for various services and protocols, but not enforced in any way.

Ports from 49152 to 65535.are the private (ephemeral) ports, in that a client making a connection to a remote service (often to a well-known port).will use a random, available port for its end of a communications socket. The client selects the desired destination port when it creates the socket.

Any port can be used by any service (if supported by the service and there are no OS restrictions for the process) - the port mappings are recommendations, and allow the Internet to operate without requiring port lookup registries..
 
Old 09-20-2008, 09:31 PM   #9
apit
LQ Newbie
 
Registered: Jun 2002
Location: Malaysia
Distribution: red hat 7.3
Posts: 23

Original Poster
Rep: Reputation: 15
ok..this what i get from netstat -a

Quote:
TCP abu:4178 ti-in-f19.google.com:http ESTABLISHED
TCP abu:4240 tw-in-f189.google.com:http ESTABLISHED
TCP abu:4266 tw-in-f189.google.com:http ESTABLISHED
By refering from your last post :
Quote:
Ports from 49152 to 65535.are the private (ephemeral) ports, in that a client making a connection to a remote service (often to a well-known port).will use a random, available port for its end of a communications socket. The client selects the desired destination port when it creates the socket.
From netstat -a output, i'm using TCP protocol and my local pc using port 4178,4240 and 4266 to access *.google.com port 80. I'm still using port below 49152 instead above 49152..Why?
 
Old 09-20-2008, 09:45 PM   #10
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 63
These assignments were made a long time ago, and I've given you the traditional definitions. The client OS is free to chose the port range it wants to use as the random source port upon making a connection to a remote service. A wider range or ports enhances security.
 
  


Reply

Tags
tcpdump


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Capturing, modifying and injecting packets flukebox Linux - Networking 2 07-03-2007 08:07 AM
capturing loopback with tcpdump trek413 Linux - Networking 3 12-06-2006 11:22 AM
Accessing TCP flags in TCP packets on Linux using C !! vishamr2000 Programming 2 10-16-2006 09:46 AM
capturing ethernet packets shrike_912 Programming 5 08-02-2004 01:46 PM
encapsulating TCP packets in UDP packets... yoshi95 Programming 3 06-03-2004 02:53 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 09:33 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration