tcpdump is a powerful network traffic dump utility. Here’s an example of how to use it to watch for a specific packet type on a specific interface.
Print SYN but not SYN ACK packets
$ tcpdump -nn -i eth0 ‘tcp[13] & 0×12=0×02′
Print SYN or SYN ACK packets
$ tcpdump -nn -i eth0 ‘tcp[13] & 0×02=0×02′
Print FIN packets
$ tcpdump -nn -i eth0 ‘tcp[13] & 0×01=0×01′
Here’s a breakdown of how the previous commands work.
-nn Don’t convert host addresses or port numbers to names
-i eth0 Listen on interface
proto [ byte offset: size ]
Available proto (protocol) layers: ether, fddi, tr, wlan, ppp, slip, link, ip, arp, rarp, tcp, udp, icmp, ip6 or radio.
Size (optional values: one, two, or four) defaults to one, and indicates the number of bytes for comparison.
Example: $ tcpdump -nn -i eth0 ‘tcp[13] & 0×12=0×02′
tcp[13] says use the data (one byte) inside the packet using the tcp protocol layer at byte offset 13 for comparison.”
& 0×12=0×02 says execute a bitwise AND operation against the bits 0001 0010 and match on the bits 0000 0010. It’s important to bitmask at least down to the control bits which reside at 0×3f or 0011 1111, as we are not interested in the presence of ECN bits (which contain ECE and CWR), and they may manipulate our comparison results.
& 0×3f=0×02 is more thorough than 0×12=0×02 (because it checks all of the control bits (0011 1111) rather than just 0001 0010) and can be used in its place. You can use the decimal value for the right side of the comparison (eg. 0×12=2), but I find it helpful to use the Hex value as you’re already using a Hex value for the bitmasking.
It should be noted that you can also use the available TCP flags field values: tcp-fin, tcp-syn, tcp-rest, tcp-push, tcp-ack, tcp-urg.
Print SYN but not SYN ACK packets
$ tcpdump -nn ‘tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack = 0′
But that’s not nearly as fun, right?
References:
TCP Header
Hexadecimal
Mask (computing)
