tcpdump -XXnve -i eth1 'arp [7]==2' -s0
# read the header and data in ASCII and hex (option -XX); match only packets whose 8th byte of the ARP header (counting from 0, so index 7) is 2 (DEC), i.e. an ARP reply to a broadcast
tcpdump -XXnve -i eth1 'tcp [13]==18' -s 0
# read data as above, but match packets whose 14th byte of the TCP header is 18 (DEC) = 12 (HEX) = 00010010 (BIN), meaning the flags SYN and ACK are set. The bits are C|E|U|A|P|R|S|F (one letter per flag), so the bit pattern 0 0 0 1 0 1 1 0 means ACK, RST and SYN are set: 22 (DEC) = 16 (HEX)
Describing the tcpdump output
ARP answer on broadcast:
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
12:55:53.464953 00:c0:a8:fe:6f:f2 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 192.168.1.212 tell 192.168.1.24
        0x0000:  ffff ffff ffff 00c0 a8fe 6ff2 0806 0001  ..........o.....
        0x0010:  0800 0604 0001 00c0 a8fe 6ff2 c0a8 0118  ..........o.....
        0x0020:  0000 0000 0000 c0a8 01d4 0000 0000 0000  ................
        0x0030:  0000 0000 0000 0000 0000 0000            ............
Description in order:
1w/8k/1-4 means row 1 / column 8 / hex digit positions 1 to 4 (w = row, k = column of the hex dump):
1w/1k/1 ... 1w/3k/4   destination MAC
1w/4k/1 ... 1w/6k/4   source MAC
1w/7k/1-4             frame type: 0806 - ARP; 0800 - IP; 8035 - reverse ARP; 8137 - IPX
------------------------START ARP protocol----------------------------------------------
1w/8k/1-4             hardware address type: 0001 - Ethernet
2w/1k/1-4             protocol address type: 0800 - IP
2w/2k/1-2             hardware address length in Bytes
2w/2k/3-4             protocol address length in Bytes
2w/3k/1-4             operation: 0001 - request; 0002 - reply
2w/4k/1 ... 2w/6k/4   sender MAC
2w/7k/1 ... 2w/8k/4   sender IP
3w/1k/1 ... 3w/3k/4   target MAC
3w/4k/1 ... 3w/5k/4   target IP
Send 1 TCP packet with the flags SYN, ACK, RST and 3 Bytes of data "ABC" read from the file "wy", using hping3:
hping3 192.168.1.253 -S -A -R -E wy -d 3 -c 1
we receive:
ROUTER:/# tcpdump -XXnve -i eth1 'tcp [13]==22' -s0 and host 192.168.1.4
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
13:30:10.508842 00:0c:76:e7:f1:d3 > 00:30:4f:23:b8:4e, ethertype IPv4 (0x0800), length 60: IP (tos 0x0, ttl 64, id 57585, offset 0, flags [none], length: 43) 192.168.1.4.2029 > 192.168.1.253.0: SR [tcp sum ok] 1842019365:1842019368(3) ack 2138831316 win 512 [RST ABC]
        0x0000:  0030 4f23 b84e 000c 76e7 f1d3 0800 4500  .0O#.N..v.....E.
        0x0010:  002b e0f1 0000 4006 158a c0a8 0104 c0a8  .+....@.........
        0x0020:  01fd 07ed 0000 6dca fc25 7f7b f9d4 5016  ......m..%.{..P.
        0x0030:  0200 ba09 0000 4142 4300 0000            ......ABC...
----------------------------------------------------------------------------------------
1w/1k/1 ... 1w/3k/4   destination MAC
1w/4k/1 ... 1w/6k/4   source MAC
1w/7k/1-4             frame type: 0806 - ARP; 0800 - IP; 8035 - reverse ARP; 8137 - IPX
------------------------START IP protocol-----------------------------------------------
1w/8k/1               protocol version
1w/8k/2               header length in Bytes
1w/8k/3-4             TOS field
2w/1k/1-4             total length (header plus data)
2w/2k/1-4             datagram ID
2w/3k/1               fragmentation flags
2w/3k/2-4             fragment offset
2w/4k/1-2             TTL field
2w/4k/3-4             protocol type: 06 - TCP; 17 - UDP; 01 - ICMP
2w/5k/1-4             header checksum
2w/6k/1 ... 2w/7k/4   sender IP
2w/8k/1 ... 3w/1k/4   recipient IP
------------------------START TCP protocol----------------------------------------------
3w/2k/1-4             source port
3w/3k/1-4             destination port
3w/4k/1 ... 3w/5k/4   sequence number (outgoing data)
3w/6k/1 ... 3w/7k/4   acknowledgement number (incoming data)
3w/8k/1-2             header length
3w/8k/3-4             code bits (flags): 02 - SYN; 12 - SYN,ACK; 16 - SYN,ACK,RST
4w/1k/1-4             window size (incoming data)
4w/2k/1-4             header checksum
4w/3k/1-4             urgent pointer
------------------------START data------------------------------------------------------
4w/4k/1 ...           data: 41,42,43 in ASCII means ABC
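As an added example (not part of the original notes), the Python below decodes the hping3 hex dump shown above the same way the row/column table does, except that it follows the header-length fields instead of fixed columns, and it also computes the tcp[13] filter value from flag letters. Only the hex dump is taken from the page; the function names and the dictionary layout are my own choice.

```python
import struct

# Constructed sample: the tcpdump -XX dump of the hping3 SYN/ACK/RST packet above,
# copied with its ASCII gutter exactly as tcpdump prints it.
HEXDUMP = """\
0x0000: 0030 4f23 b84e 000c 76e7 f1d3 0800 4500 .0O#.N..v.....E.
0x0010: 002b e0f1 0000 4006 158a c0a8 0104 c0a8 .+....@.........
0x0020: 01fd 07ed 0000 6dca fc25 7f7b f9d4 5016 ......m..%.{..P.
0x0030: 0200 ba09 0000 4142 4300 0000 ......ABC..."""

TCP_FLAGS = "CEUAPRSF"          # bit 7 .. bit 0 of the flags byte tcp[13]
HEXDIGITS = set("0123456789abcdef")

def hexdump_to_bytes(dump):
    """Concatenate the 16-bit hex columns of each row; stop at the ASCII gutter."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[1:]:            # token [0] is the 0x0000 offset
            if len(tok) != 4 or not set(tok.lower()) <= HEXDIGITS:
                break                            # reached the ASCII column
            out += bytes.fromhex(tok)
    return bytes(out)

def tcp_flag_filter(letters):
    """Flag letters -> the tcpdump expression used above, e.g. 'SA' -> 'tcp[13]==18'."""
    value = sum(0x80 >> TCP_FLAGS.index(c) for c in letters.upper())
    return f"tcp[13]=={value}"

def decode_tcp_frame(pkt):
    """Walk Ethernet -> IPv4 -> TCP using the length fields, not fixed offsets."""
    if struct.unpack("!H", pkt[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = pkt[14:]
    ihl = (ip[0] & 0x0F) * 4                     # 1w/8k/2: header length, in 32-bit words
    total_len, ident = struct.unpack("!HH", ip[2:6])
    ttl, proto = ip[8], ip[9]
    if proto != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]                      # drops the Ethernet padding after the datagram
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    data_off = (tcp[12] >> 4) * 4
    flags = tcp[13]                               # the very byte the filter tcp[13] tests
    return {
        "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
        "id": ident, "ttl": ttl, "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": flags,
        "flag_names": "".join(n for i, n in enumerate(TCP_FLAGS) if flags & (0x80 >> i)),
        "window": struct.unpack("!H", tcp[14:16])[0],
        "payload": tcp[data_off:],
    }

if __name__ == "__main__":
    print(decode_tcp_frame(hexdump_to_bytes(HEXDUMP)), tcp_flag_filter("SAR"))
```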