kb1
Collaborator

tcpdump command for showing the payload size?

So I tried searching for results on Google and this is what I found:

tcpdump -n -s0 -p -i eth0 'ip and tcp and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) >= 4) and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) <= 6)'

The above is used to find a payload size between 4 and 6 bytes for any IP on eth0. I did try out the command and it looks like the Check Point CLI is accepting it. My question is: what if I want to enter a specific IP? Where do I type that in the above command, and how would it look?

Thanks and regards in advance.

masher
Employee

While I'm not certain of the validity of the rest of the filter, you would simply add 'and host <ip>' to the end, or add 'host <ip> and' at the beginning of it.

tcpdump -n -s0 -p -i eth0 host 1.1.1.1 and 'ip and tcp and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) >= 4) and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) <= 6)'

or

tcpdump -n -s0 -p -i eth0 'ip and tcp and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) >= 4) and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) <= 6)' and host 1.1.1.1

kb1
Collaborator

I have one more doubt about the partial output shown below:

13:36:34.498560 IP 10.8.196.189.52598 > 10.7.1.204.citriximaclient: P 910749231:910749234(3) ack 2310723696 win 528
13:36:34.498596 IP 10.8.196.189.52598 > 10.7.1.204.citriximaclient: P 0:3(3) ack 1 win 528
13:36:34.508614 IP 10.7.1.204.citriximaclient > 10.8.196.189.52598: P 1:4(3) ack 3 win 512
13:36:34.508659 IP 10.7.1.204.citriximaclient > 10.8.196.189.52598: P 1:4(3) ack 3 win 512
13:36:34.508660 IP 10.7.1.204.citriximaclient > 10.8.196.189.52598: P 1:4(3) ack 3 win 512

How do we know that the payload size is between 2 and 4 bytes? Is it the P 1:4(3)? Is that what shows the payload size? But what does that mean? Is the 3 in the brackets the payload size?

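The filter in the first post works on raw header bytes: ip[2:2] is the IPv4 total length, (ip[0]&0xf)<<2 is the IP header length in bytes, and (tcp[12]&0xf0)>>2 is the TCP header length in bytes, so the difference is the TCP payload length. The 1:4(3) in the later output is tcpdump printing the segment as seq:seq+len(len), with len being exactly that payload length. The Python below is an added example, not code from the thread or from Check Point: it builds constructed IPv4/TCP packets, applies the same arithmetic as the BPF expression, adds the 'host <ip>' test from the reply, and renders the classic one-line tcpdump format. The addresses, sequence/ack numbers and window are modelled on the posted output; the destination port 1494, the payloads and the TCP options are assumed values.

```python
"""Added example: reproduce the tcpdump payload-length filter and its
seq:seq+len(len) output on hand-built packets (no capture needed)."""
import struct


def ipv4_tcp_packet(src, dst, sport, dport, seq, ack, payload,
                    flags=0x18, window=528, tcp_options=b""):
    """Build a minimal IPv4+TCP packet. Checksums are left zero; they do not
    matter for the length arithmetic. Constructed data, not captured."""
    tcp_options += b"\x00" * (-len(tcp_options) % 4)   # pad to 32-bit words
    data_offset = (20 + len(tcp_options)) // 4          # TCP header length in words
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                          data_offset << 4, flags, window, 0, 0) + tcp_options
    total_len = 20 + len(tcp_hdr) + len(payload)        # IHL=5, no IP options
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    return ip_hdr + tcp_hdr + payload


def tcp_payload_len(pkt):
    """Same arithmetic as the BPF expression in the post."""
    total_len = struct.unpack_from("!H", pkt, 2)[0]     # ip[2:2]
    ihl = (pkt[0] & 0x0F) << 2                          # (ip[0]&0xf)<<2
    # tcp[12] in BPF is relative to the TCP header, which starts at ihl
    tcp_hlen = (pkt[ihl + 12] & 0xF0) >> 2              # (tcp[12]&0xf0)>>2
    return total_len - ihl - tcp_hlen


def filter_matches(pkt, lo=4, hi=6, host=None):
    """'ip and tcp and host <ip> and payload between lo and hi bytes'."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:                 # 'ip and tcp'
        return False
    if host is not None:
        src = ".".join(map(str, pkt[12:16]))
        dst = ".".join(map(str, pkt[16:20]))
        if host not in (src, dst):                      # 'host' = src or dst
            return False
    return lo <= tcp_payload_len(pkt) <= hi


def tcpdump_line(pkt):
    """Render the classic tcpdump line: 'P seq:seq+len(len) ack N win W'.
    Uses absolute sequence numbers, as tcpdump does for the first packet
    of a flow (or always with -S)."""
    ihl = (pkt[0] & 0x0F) << 2
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    sport, dport, seq, ack = struct.unpack_from("!HHII", pkt, ihl)
    flags = pkt[ihl + 13]
    win = struct.unpack_from("!H", pkt, ihl + 14)[0]
    plen = tcp_payload_len(pkt)
    flag_char = "P" if flags & 0x08 else "."
    return (f"IP {src}.{sport} > {dst}.{dport}: "
            f"{flag_char} {seq}:{seq + plen}({plen}) ack {ack} win {win}")


# Constructed samples modelled on the posted output (port 1494 assumed).
SAMPLE_3B = ipv4_tcp_packet("10.8.196.189", "10.7.1.204", 52598, 1494,
                            910749231, 2310723696, b"abc")
# 5-byte payload plus a 12-byte TCP options block (NOP, NOP, timestamp),
# to show that the data offset, not a fixed 20, is subtracted.
SAMPLE_5B_OPTS = ipv4_tcp_packet("10.8.196.189", "10.7.1.204", 52598, 1494,
                                 910749231, 2310723696, b"hello",
                                 tcp_options=b"\x01\x01\x08\x0a" + b"\x00" * 8)

if __name__ == "__main__":
    for pkt in (SAMPLE_3B, SAMPLE_5B_OPTS):
        print(tcpdump_line(pkt), "| payload", tcp_payload_len(pkt),
              "| matches 4..6:", filter_matches(pkt, host="10.7.1.204"))
```

The 3-byte segment prints as 910749231:910749234(3) and is rejected by the 4..6 filter; the 5-byte segment with options is accepted, and is rejected again as soon as a host that is neither source nor destination is given. The later lines in the posted output (0:3(3) ack 1) are the same notation with tcpdump's default relative sequence numbers; -S prints absolute values throughout.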
Maarten_Sjouw
Champion

Add a -w <filename> before the filter and have it write to a file, move that file over to a PC and open it with Wireshark; that will give you the answer to that question.

Regards, Maarten