P. 1
tcpip

tcpip

|Views: 4|Likes:
Published by unsobill

More info:

Published by: unsobill on Oct 02, 2010
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

11/28/2013

pdf

text

original

tcpdump [-aenStvx] [-F file

]
[-i int] [-r file] [-s snaplen]
[-w file] ['filter_expression']
-e Display data link header.
-F Filter expression in file.
-i Listen on int interface.
-n Don't resolve IP addresses.
-r Read packets from file.
-s Get snaplen bytes from each packet.
-S Use absolute TCP sequence numbers.
-t Don't print timestamp.
-v Verbose mode.
-w Write packets to file.
-x Display in hex.
-X Display in hex and ASCII.
tcpdump Usage
AH Authentlcatlon Header (PPC 2402)
APP Address Pesolutlon Protocol (PPC 826)
8GP 8order Gateway Protocol (PPC l77l)
CwP Congestlon wlndow Peduced (PPC 248l)
DP Don't Pragment blt (|P)
DHCP Dynamlc Host Conflguratlon Protocol (PPC 2l3l)
DNS Domaln Name System (PPC l035)
LCN Lxpllclt Congestlon Notlflcatlon (PPC 3l68)
L|GPP Lxtended |GPP (Clsco)
LSP Lncapsulatlng Securlty Payload (PPC 2406)
PTP Plle Transfer Protocol (PPC 959)
GPL Generlc Poutlng Lncapsulatlon (PPC 2784)
HTTP Hypertext Transfer Protocol (PPC l945)
|CMP |nternet Control Message Protocol (PPC 792)
|GMP |nternet Group Management Protocol (PPC 2236)
|GPP |nterlor Gateway Poutlng Protocol (Clsco)
|MAP |nternet Message Access Protocol (PPC 2060)
|P |nternet Protocol (PPC 79l)
|SAKMP |nternet Securlty Assoclatlon & Key Management Protocol
(PPC 2408)
L2TP Layer 2 Tunnellng Protocol (PPC 266l)
NNTP Network News Transfer Protocol (PPC 977)
OSPP Open Shortest Path Plrst (PPC l583)
POP3 Post Offlce Protocol v3 (PPC l460)
PPC Pequest for Comments
P|P Poutlng |nformatlon Protocol (PPC 2453)
LDAP Llghtwelght Dlrectory Access Protocol (PPC 225l)
SK|P Slmple Key-Management for |nternet Protocols
SMTP Slmple Mall Transfer Protocol (PPC 82l)
SNMP Slmple Network Management Protocol (PPC ll57)
SSH Secure Shell
SSL Secure Sockets Layer (Netscape)
TCP Transmlsslon Control Protocol (PPC 793)
TPTP Trlvlal Plle Transfer Protocol (PPC l350)
TOS Type of Servlce fleld (|P)
UDP User Datagram Protocol (PPC 768)
Acronyms
All RFCs can be found at http://www.rfc-editor.org

UDP Header
Bit Number
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
Source Port Destination Port
Length Checksum
UDP Header Information
Common UDP Well-Known Server Ports
7 echo 138 netbios-dgm
19 chargen 161 snmp
37 time 162 snmp-trap
53 domain 500 isakmp
67 bootps (DHCP) 514 syslog
68 bootpc (DHCP) 520 rip
69 tftp 33434 traceroute
137 netbios-ns
Length
(Number of bytes in entire datagram including header;
minimum value = 8)
Checksum
(Covers pseudo-header and entire UDP datagram)
ARP
Bit Number
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
Hardware Address Type Protocol Address Type
H/w Addr Len Prot. Addr Len Operation
Source Hardware Address
Source Hardware Addr (cont.) Source Protocol Address
Source Protocol Addr (cont.) Target Hardware Address
Target Hardware Address (cont.)
Target Protocol Address
ARP Parameters (for Ethernet and IPv4)
Hardware Address Type
1 Ethernet
6 IEEE 802 LAN
Protocol Address Type
2048 IPv4 (0x0800)
Hardware Address Length
6 for Ethernet/IEEE 802
Protocol Address Length
4 for IPv4
Operation
1 Request
2 Reply
TCP/IP and tcpdump
Version July-2010
P O C K E T R E F E R E N C E G U I D E
ISC@sans.org • www.sans.org • http://isc.sans.org
C O U R S E S & G I A C C E R T I F I C AT I O N S
FOR558
Network Forensics
MGT512
SANS Security Leadership Essentials For
Managers with Knowledge Compression™
GSLC
SEC401
SANS Security Essentials Bootcamp Style
GSEC
SEC502
Perimeter Protection In-Depth
GCFW
SEC503
Intrusion Detection In-Depth
GCIA
SEC556
Comprehensive Packet Analysis
SEC560
Network Penetration Testing & Ethical Hacking
GPEN
The SANS Technology Institute (STI)
oers two degree programs:
MS in Information Security Management
and
MS in Information Security Engineering.
If you have a bachelor’s degree and 12 months
of experience in information security, follow
these easy steps to get started:
• Complete an application – downloadable at
www.sans.edu/admissions/procedure.php
• Submit the employer recommendation – form is
provided
• Have your college send sealed transcripts to STI
• Submit an application fee
Learn more at www.sans.edu
Contact us at
info@sans.edu or (720) 941-4932
DNS
Bit Number
1 1 1 1 1 1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
LENGTH (TCP ONLY)
ID.
QR Opcode AA TC RD RA Z RCODE
QDCOUNT
ANCOUNT
NSCOUNT
ARCOUNT
Question Section
Answer Section
Authority Section
Additional Information Section
DNS Parameters
Query/Response
0 Query
1 Response
Opcode
0 Standard query (QUERY)
1 Inverse query (IQUERY)
2 Server status request (STATUS)
AA
(1 = Authoritative Answer)
TC
(1 = TrunCation)
RD
(1 = Recursion Desired)
RA
(1 = Recursion Available)
Z
(Reserved; set to 0)
Response code
0 No error
1 Format error
2 Server failure
3 Non-existant domain (NXDOMAIN)
4 Query type not implemented
5 Query refused
QDCOUNT
(No. of entries in Question section)
ANCOUNT
(No. of resource records in Answer section)
NSCOUNT
(No. of name server resource records in Authority section)
ARCOUNT
(No. of resource records in Additional Information section.
ICMP
Bit Number
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
Type Code Checksum
Other message-specific information...
Type Name/Codes (Code=0 unless otherwise specified)
0 Echo Reply
3 Destination Unreachable
0 Net Unreachable
1 Host Unreachable
2 Protocol Unreachable
3 Port Unreachable
4 Fragmentation Needed & DF Set
5 Source Route Failed
6 Destination Network Unknown
7 Destination Host Unknown
8 Source Host Isolated
9 Network Administratively Prohibited
10 Host Administratively Prohibited
11 Network Unreachable for TOS
12 Host Unreachable for TOS
13 Communication Administratively Prohibited
4 Source Quench
5 Redirect
0 Redirect Datagram for the Network
1 Redirect Datagram for the Host
2 Redirect Datagram for the TOS & Network
3 Redirect Datagram for the TOS & Host
8 Echo
9 Router Advertisement
10 Router Selection
11 Time Exceeded
0 Time to Live exceeded in Transit
1 Fragment Reassembly Time Exceeded
12 Parameter Problem
0 Pointer indicates the error
1 Missing a Required Option
2 Bad Length
13 Timestamp
14 Timestamp Reply
15 Information Request
16 Information Reply
17 Address Mask Request
18 Address Mask Reply
30 Traceroute
PING (Echo/Echo Reply)
Bit Number
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
Type (8 or 0) Code (0) Checksum
Identifier Sequence Number
Data...
IP Header
Bit Number
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
Version IHL Type of Service Total Length
Identification Flags Fragment Offset
Time to Live Protocol Header Checksum
Source Address
Destination Address
Options (optional)
IP Header Contents
Version
4 IP version 4
Internet Header Length
Number of 32-bit words in IP header; minimum
value = 5 (20 bytes) & maximum value = 15 (60 bytes)
Type of Service (PreDTRCx) --> Differentiated Services
Precedence (000-111) 000
D (1 = minimize delay) 0
T (1 = maximize throughout) 0
R (1 = maximize reliability) 0
C (1 = minimize cost) 1 = ECN capable
x (reserved and set to 0) 1 = congestion experienced
Total Length
Number of bytes in packet; maximum length = 65,535
Flags (xDM)
x (reserved and set to 0)
D (1 = Don't Fragment)
M (1 = More Fragments)
Fragment Offset
Position of this fragment in the original datagram,
in units of 8 bytes
Protocol
1 ICMP 17 UDP 57 SKIP
2 IGMP 47 GRE 88 EIGRP
6 TCP 50 ESP 89 OSPF
9 IGRP 51 AH 115 L2TP
Header Checksum
Covers IP header only
Addressing
NET_ID RFC 1918 PRIVATE ADDRESSES
0-127 Class A 10.0.0.0-10.255.255.255
128-191 Class B 172.16.0.0-172.31.255.255
192-223 Class C 192.168.0.0-192.168.255.255
224-239 Class D (multicast)
240-255 Class E (experimental)
HOST_ID
0 Network value; broadcast (old)
255 Broadcast
Options (0-40 bytes; padded to 4-byte boundary)
0 End of Options list 68 Timestamp
1 No operation (pad) 131 Loose source route
7 Record route 137 Strict source route
TCP Header
Bit Number
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
Source Port Destination Port
Sequence Number
Acknowledgment Number
Offset
Reserved Flags Window
Checksum Urgent Pointer
Options (optional)
TCP Header Contents
Common TCP Well-Known Server Ports
7 echo 110 pop3
19 chargen 111 sunrpc
20 ftp-data 119 nntp
21 ftp-control 139 netbios-ssn
22 ssh 143 imap
23 telnet 179 bgp
25 smtp 389 ldap
53 domain 443 https (ssl)
79 finger 445 microsoft-ds
80 http 1080 socks
Offset
Number of 32-bit words in TCP header; minimum value = 5
Reserved
4 bits; set to 0
Flags (CEUAPRSF)
ECN bits (used when ECN employed; else 00)
CWR (1 = sender has cut congestion window in half)
ECN-Echo (1 = receiver cuts congestion window in half)
U (1 = Consult urgent pointer, notify server application
of urgent data)
A (1 = Consult acknowledgement field)
P (1 = Push data)
R (1 = Reset connection)
S (1 = Synchronize sequence numbers)
F (1 = no more data; Finish connection)
Checksum
Covers pseudoheader and entire TCP segment
Urgent Pointer
Offset pointer to urgent data
Options
0 End of Options list 3 Window scale
1 No operation (pad) 4 Selective ACK ok
2 Maximum segment size 8 Timestamp
(Header Length)

.255.0-192. broadcast (old) Broadcast Options (0-40 bytes. else 00) CWR (1 = sender has cut congestion window in half) ECN-Echo (1 = receiver cuts congestion window in half) U (1 = Consult urgent pointer.31. of resource records in Additional Information section.255 C 192. Finish connection) Checksum Covers pseudoheader and entire TCP segment Urgent Pointer Offset pointer to urgent data Options 0 End of Options list 1 No operation (pad) 2 Maximum segment size 3 Window scale 4 Selective ACK ok 8 Timestamp Header Checksum Covers IP header only Addressing NET_ID 0-127 128-191 192-223 224-239 240-255 HOST_ID 0 255 RFC 1918 PRIVATE ADDRESSES A 10.16. of entries in Question section) ANCOUNT (No.535 Flags (xDM) x (reserved and set to 0) D (1 = Don't Fragment) M (1 = More Fragments) Fragment Offset Position of this fragment in the original datagram.0..168.. of name server resource records in Authority section) ARCOUNT (No.255.0. 13 14 15 16 17 18 30 12 4 5 8 9 10 11 Total Length Number of bytes in packet.0-10. set to 0 Flags (CEUAPRSF) ECN bits (used when ECN employed. IP Header Bit Number 1111111111222222222233 01234567890123456789012345678901 Version IHL Type of Service Flags Total Length Fragment Offset Header Checksum Offset Reserved (Header Length) Checksum TCP Header Bit Number 1111111111222222222233 01234567890123456789012345678901 Source Port Destination Port Sequence Number Acknowledgment Number Flags Window Urgent Pointer Options (optional) 8 9 LENGTH (TCP ONLY) Identification Time to Live Protocol Type Name/Codes (Code=0 unless otherwise specified) 0 3 Echo Reply Destination Unreachable 0 Net Unreachable 1 Host Unreachable 2 Protocol Unreachable 3 Port Unreachable 4 Fragmentation Needed & DF Set 5 Source Route Failed 6 Destination Network Unknown 7 Destination Host Unknown 8 Source Host Isolated 9 Network Administratively Prohibited 10 Host Administratively Prohibited 11 Network Unreachable for TOS 12 Host Unreachable for TOS 13 Communication Administratively Prohibited Source Quench Redirect 0 Redirect Datagram for the Network 1 Redirect Datagram for the Host 2 Redirect Datagram for the TOS & Network 3 Redirect Datagram for the TOS & Host Echo Router Advertisement Router Selection Time Exceeded 0 Time to Live exceeded in Transit 1 Fragment Reassembly Time Exceeded Parameter Problem 0 Pointer indicates the error 1 Missing a Required Option 2 Bad Length Timestamp Timestamp Reply Information Request Information Reply Address Mask Request Address Mask Reply Traceroute Source Address Destination Address Options (optional) IP Header Contents Version 4 IP version 4 Internet Header Length Number of 32-bit words in IP header.DNS Bit Number 0 1 2 3 4 5 6 7 ID.0-172.. notify server application of urgent data) A (1 = Consult acknowledgement field) P (1 = Push data) R (1 = Reset connection) S (1 = Synchronize sequence numbers) F (1 = no more data. in units of 8 bytes Protocol 1 ICMP 2 IGMP 6 TCP 9 IGRP 17 47 50 51 UDP GRE ESP AH 57 88 89 115 SKIP EIGRP OSPF L2TP Offset Number of 32-bit words in TCP header.0. QR Opcode AA TC RD RA QDCOUNT ANCOUNT NSCOUNT ARCOUNT Question Section Answer Section Authority Section Additional Information Section Z RCODE ICMP 1 0 1 1 1 2 1 3 1 4 1 5 Bit Number 1111111111222222222233 01234567890123456789012345678901 Type Code Checksum Other message-specific information.255.255 B 172. padded to 4-byte boundary) 0 End of Options list 68 Timestamp 1 No operation (pad) 131 Loose source route 7 Record route 137 Strict source route . minimum value = 5 (20 bytes) & maximum value = 15 (60 bytes) Type of Service (PreDTRCx) --> Precedence (000-111) D (1 = minimize delay) T (1 = maximize throughout) R (1 = maximize reliability) C (1 = minimize cost) x (reserved and set to 0) Differentiated Services 000 0 0 0 1 = ECN capable 1 = congestion experienced TCP Header Contents Common TCP Well-Known Server Ports 7 echo 110 19 chargen 111 20 ftp-data 119 21 ftp-control 139 22 ssh 143 23 telnet 179 25 smtp 389 53 domain 443 79 finger 445 80 http 1080 pop3 sunrpc nntp netbios-ssn imap bgp ldap https (ssl) microsoft-ds socks DNS Parameters Query/Response 0 Query 1 Response Opcode 0 Standard query (QUERY) 1 Inverse query (IQUERY) 2 Server status request (STATUS) AA (1 = Authoritative Answer) TC (1 = TrunCation) RD (1 = Recursion Desired) RA (1 = Recursion Available) Z (Reserved. set to 0) Response code 0 No error 1 Format error 2 Server failure 3 Non-existant domain (NXDOMAIN) 4 Query type not implemented 5 Query refused QDCOUNT (No. of resource records in Answer section) NSCOUNT (No. minimum value = 5 Reserved 4 bits.0.168.255 D (multicast) E (experimental) PING (Echo/Echo Reply) Bit Number 1111111111222222222233 01234567890123456789012345678901 Type (8 or 0) Identifier Data.255. maximum length = 65. Code (0) Checksum Sequence Number Class Class Class Class Class Network value.

You're Reading a Free Preview

Download
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->