This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
kb1
Collaborator
‎2020-09-03 11:28 AM

tcpdump command for showing the payload size?

So i tried searching for results on google and this is what i found-

 

tcpdump -n -s0 -p -i eth0 'ip and tcp and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) >= 4) and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) <= 6)'

The above is used to find payload size between 4 and 6 bytes for any ip on eth0, i did try out the command and it looks like the checkpoint cli is accepting the command, my question is what if i want to enter a specific ip? Where do i type that in the above command and how would it look?

Thanks and regards in advance.

0 Kudos
3 Replies
masher
Employee
Employee
‎2020-09-03 11:49 AM

While I'm not certain of the validity of the rest of the filter, you would simply add a 'and host <ip>' to the end or add a 'host <ip> and' at the beginning of it.

tcpdump -n -s0 -p -i eth0 host 1.1.1.1 and 'ip and tcp and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) >= 4) and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) <= 6)'

 or 

tcpdump -n -s0 -p -i eth0 'ip and tcp and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) >= 4) and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) <= 6)' and host 1.1.1.1

 

0 Kudos
kb1
Collaborator
‎2020-09-03 12:35 PM
In response to masher

i have one more doubt on the partial output as shown below-

 

13:36:34.498560 IP 10.8.196.189.52598 > 10.7.1.204.citriximaclient: P 910749231:910749234(3) ack 2310723696 win 528
13:36:34.498596 IP 10.8.196.189.52598 > 10.7.1.204.citriximaclient: P 0:3(3) ack 1 win 528
13:36:34.508614 IP 10.7.1.204.citriximaclient > 10.8.196.189.52598: P 1:4(3) ack 3 win 512
13:36:34.508659 IP 10.7.1.204.citriximaclient > 10.8.196.189.52598: P 1:4(3) ack 3 win 512
13:36:34.508660 IP 10.7.1.204.citriximaclient > 10.8.196.189.52598: P 1:4(3) ack 3 win 512

how do we know that the payload size is between 2 and 4 bytes? is it the P 1:4[3]? is that what shows the payload size? but what does that mean? the 3 in the brackets is the payload size?

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2020-09-03 01:48 PM
In response to kb1

add a -w <filename>  before the filter and have it write to a file, move that file over to a pc and open it with wireshark, that will give you the answer on that question.

Regards, Maarten
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events