topic Re: tcpdump command for showing the payload size? in General Topics

tcpdump command for showing the payload size?

kb1 — Thu, 03 Sep 2020 18:28:18 GMT

So i tried searching for results on google and this is what i found-

tcpdump -n -s0 -p -i eth0 'ip and tcp and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) >= 4) and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) <= 6)'

The above is used to find payload size between 4 and 6 bytes for any ip on eth0, i did try out the command and it looks like the checkpoint cli is accepting the command, my question is what if i want to enter a specific ip? Where do i type that in the above command and how would it look?

Thanks and regards in advance.

Re: tcpdump command for showing the payload size?

masher — Thu, 03 Sep 2020 18:49:38 GMT

While I'm not certain of the validity of the rest of the filter, you would simply add a 'and host <ip>' to the end or add a 'host <ip> and' at the beginning of it.

tcpdump -n -s0 -p -i eth0 host 1.1.1.1 and 'ip and tcp and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) >= 4) and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) <= 6)'

tcpdump -n -s0 -p -i eth0 'ip and tcp and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) >= 4) and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) <= 6)' and host 1.1.1.1

Re: tcpdump command for showing the payload size?

kb1 — Thu, 03 Sep 2020 19:35:42 GMT

i have one more doubt on the partial output as shown below-

13:36:34.498560 IP 10.8.196.189.52598 > 10.7.1.204.citriximaclient: P 910749231:910749234(3) ack 2310723696 win 528
13:36:34.498596 IP 10.8.196.189.52598 > 10.7.1.204.citriximaclient: P 0:3(3) ack 1 win 528
13:36:34.508614 IP 10.7.1.204.citriximaclient > 10.8.196.189.52598: P 1:4(3) ack 3 win 512
13:36:34.508659 IP 10.7.1.204.citriximaclient > 10.8.196.189.52598: P 1:4(3) ack 3 win 512
13:36:34.508660 IP 10.7.1.204.citriximaclient > 10.8.196.189.52598: P 1:4(3) ack 3 win 512

how do we know that the payload size is between 2 and 4 bytes? is it the P 1:4[3]? is that what shows the payload size? but what does that mean? the 3 in the brackets is the payload size?

Re: tcpdump command for showing the payload size?

Maarten_Sjouw — Thu, 03 Sep 2020 20:48:24 GMT

add a -w <filename> before the filter and have it write to a file, move that file over to a pc and open it with wireshark, that will give you the answer on that question.