play with tcp(dump) ~ post 3 (flags)
We shall have a look at flags in this post. A TCP segment consists of a TCP header and a payload; let's look at the contents of a typical TCP header and see where the flags are placed:
Source Port (16b) + Dest. Port (16b) + Seq. no. (32b) + Ack. no. (32b) + Header length (4b) + Flags (12b) + Window size (16b) + Checksum (16b) + Urgent pointer (16b, typically 0s) + Options (variable; if present, padded to multiples of 32b)
Note: Flags (12b) = Reserved (3b) + 9b of actual flags
The payload length is variable; a pure acknowledgement (an ACK with no data to send) carries no payload, which tcpdump shows as "length 0".
This time, we shall log in to a Cumulus switch instead of a server:
cumulus@oob-mgmt-server:~$ ssh leaf01
Welcome to Cumulus VX (TM)
Cumulus VX (TM) is a community supported virtual appliance designed for
experiencing, testing and prototyping Cumulus Networks' latest technology.
For any questions or technical support, visit our community site at:
http://community.cumulusnetworks.com
The registered trademark Linux (R) is used pursuant to a sublicense from LMI,
the exclusive licensee of Linus Torvalds, owner of the mark on a world-wide basis.
Last login: Thu Jan 31 04:25:38 2019 from 192.168.0.254
cumulus@leaf01:mgmt-vrf:~$
To check the list of interfaces that tcpdump could listen on:
cumulus@leaf01:mgmt-vrf:~$ sudo tcpdump -D | grep Up
1.eth0 [Up, Running]
2.mgmt [Up, Running]
3.swp1 [Up, Running]
4.swp2 [Up, Running]
5.swp44 [Up, Running]
6.swp51 [Up, Running]
7.swp52 [Up, Running]
8.any (Pseudo-device that captures on all interfaces) [Up, Running]
9.lo [Up, Running, Loopback]
Let's capture some traffic associated with facebook.com (I have opened a second session and issued wget facebook.com there):
cumulus@leaf01:mgmt-vrf:~$ sudo tcpdump host facebook.com -vv -w fb.cap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C27 packets captured
31 packets received by filter
0 packets dropped by kernel
The -vv flag in the command above means verbose (with more detail than a single -v); more v's, such as -vvv, give even more detailed output.
To read the captured information:
cumulus@leaf01:mgmt-vrf:~$ sudo tcpdump -r fb.cap
reading from file fb.cap, link-type EN10MB (Ethernet)
07:17:36.004027 IP 192.168.0.11.49506 > edge-star-mini-shv-01-ort2.facebook.com.http: Flags [S], seq 2216692295, win 29200, options [mss 1460,sackOK,TS val 10168606 ecr 0,nop,wscale 8], length 0
07:17:36.018152 IP edge-star-mini-shv-01-ort2.facebook.com.http > 192.168.0.11.49506: Flags [S.], seq 661084731, ack 2216692296, win 27960, options [mss 1340,sackOK,TS val 1782309311 ecr 10168606,nop,wscale 8], length 0
07:17:36.018285 IP 192.168.0.11.49506 > edge-star-mini-shv-01-ort2.facebook.com.http: Flags [.], ack 1, win 115, options [nop,nop,TS val 10168620 ecr 1782309311], length 0
07:17:36.029357 IP 192.168.0.11.49506 > edge-star-mini-shv-01-ort2.facebook.com.http: Flags [P.], seq 1:111, ack 1, win 115, options [nop,nop,TS val 10168631 ecr 1782309311], length 110: HTTP: GET / HTTP/1.1
07:17:36.042293 IP edge-star-mini-shv-01-ort2.facebook.com.http > 192.168.0.11.49506: Flags [.], ack 111, win 110, options [nop,nop,TS val 1782309335 ecr 10168631], length 0
07:17:36.063512 IP edge-star-mini-shv-01-ort2.facebook.com.http > 192.168.0.11.49506: Flags [P.], seq 1:280, ack 111, win 110, options [nop,nop,TS val 1782309356 ecr 10168631], length 279: HTTP: HTTP/1.1 302 Found
07:17:36.063615 IP 192.168.0.11.49506 > edge-star-mini-shv-01-ort2.facebook.com.http: Flags [.], ack 280, win 119, options [nop,nop,TS val 10168665 ecr 1782309356], length 0
07:17:36.115393 IP 192.168.0.11.41070 > edge-star-mini-shv-01-ort2.facebook.com.https: Flags [S], seq 2727098825, win 29200, options [mss 1460,sackOK,TS val 10168717 ecr 0,nop,wscale 8], length 0
07:17:36.128956 IP edge-star-mini-shv-01-ort2.facebook.com.https > 192.168.0.11.41070: Flags [S.], seq 1455415630, ack 2727098826, win 27960, options [mss 1340,sackOK,TS val 3026271862 ecr 10168717,nop,wscale 8], length 0
07:17:36.129173 IP 192.168.0.11.41070 > edge-star-mini-shv-01-ort2.facebook.com.https: Flags [.], ack 1, win 115, options [nop,nop,TS val 10168731 ecr 3026271862], length 0
07:17:36.140935 IP 192.168.0.11.41070 > edge-star-mini-shv-01-ort2.facebook.com.https: Flags [P.], seq 1:524, ack 1, win 115, options [nop,nop,TS val 10168742 ecr 3026271862], length 523
07:17:36.154935 IP edge-star-mini-shv-01-ort2.facebook.com.https > 192.168.0.11.41070: Flags [.], ack 524, win 114, options [nop,nop,TS val 3026271887 ecr 10168742], length 0
07:17:36.155120 IP edge-star-mini-shv-01-ort2.facebook.com.https > 192.168.0.11.41070: Flags [P.], seq 1:3043, ack 524, win 114, options [nop,nop,TS val 3026271888 ecr 10168742], length 3042
07:17:36.155368 IP 192.168.0.11.41070 > edge-star-mini-shv-01-ort2.facebook.com.https: Flags [.], ack 3043, win 138, options [nop,nop,TS val 10168757 ecr 3026271888], length 0
07:17:36.158338 IP 192.168.0.11.41070 > edge-star-mini-shv-01-ort2.facebook.com.https: Flags [P.], seq 524:650, ack 3043, win 138, options [nop,nop,TS val 10168760 ecr 3026271888], length 126
07:17:36.171835 IP edge-star-mini-shv-01-ort2.facebook.com.https > 192.168.0.11.41070: Flags [P.], seq 3043:3301, ack 650, win 114, options [nop,nop,TS val 3026271905 ecr 10168760], length 258
07:17:36.175206 IP 192.168.0.11.41070 > edge-star-mini-shv-01-ort2.facebook.com.https: Flags [P.], seq 650:789, ack 3301, win 149, options [nop,nop,TS val 10168777 ecr 3026271905], length 139
07:17:36.208573 IP edge-star-mini-shv-01-ort2.facebook.com.https > 192.168.0.11.41070: Flags [P.], seq 3301:3679, ack 789, win 118, options [nop,nop,TS val 3026271942 ecr 10168777], length 378
07:17:36.219034 IP 192.168.0.11.49506 > edge-star-mini-shv-01-ort2.facebook.com.http: Flags [F.], seq 111, ack 280, win 119, options [nop,nop,TS val 10168821 ecr 1782309356], length 0
07:17:36.232944 IP edge-star-mini-shv-01-ort2.facebook.com.http > 192.168.0.11.49506: Flags [F.], seq 280, ack 112, win 110, options [nop,nop,TS val 1782309525 ecr 10168821], length 0
07:17:36.233044 IP 192.168.0.11.49506 > edge-star-mini-shv-01-ort2.facebook.com.http: Flags [.], ack 281, win 119, options [nop,nop,TS val 10168835 ecr 1782309525], length 0
07:17:36.247949 IP 192.168.0.11.41070 > edge-star-mini-shv-01-ort2.facebook.com.https: Flags [.], ack 3679, win 159, options [nop,nop,TS val 10168850 ecr 3026271942], length 0
07:17:36.573929 IP 192.168.0.11.41070 > edge-star-mini-shv-01-ort2.facebook.com.https: Flags [F.], seq 789, ack 3679, win 159, options [nop,nop,TS val 10169175 ecr 3026271942], length 0
07:17:36.586611 IP edge-star-mini-shv-01-ort2.facebook.com.https > 192.168.0.11.41070: Flags [P.], seq 3679:3710, ack 790, win 118, options [nop,nop,TS val 3026272320 ecr 10169175], length 31
07:17:36.587001 IP 192.168.0.11.41070 > edge-star-mini-shv-01-ort2.facebook.com.https: Flags [R], seq 2727099615, win 0, length 0
07:17:36.587211 IP edge-star-mini-shv-01-ort2.facebook.com.https > 192.168.0.11.41070: Flags [F.], seq 3710, ack 790, win 118, options [nop,nop,TS val 3026272320 ecr 10169175], length 0
07:17:36.587260 IP 192.168.0.11.41070 > edge-star-mini-shv-01-ort2.facebook.com.https: Flags [R], seq 2727099615, win 0, length 0
Let's explore the flags in sequence, from our capture:
192.168.0.11.49506 > edge-star-mini-shv-01-ort2.facebook.com.http: Flags [S]
S represents the SYN flag
edge-star-mini-shv-01-ort2.facebook.com.http > 192.168.0.11.49506: Flags [S.]
. represents the ACK flag, so this is a SYN+ACK packet
192.168.0.11.49506 > edge-star-mini-shv-01-ort2.facebook.com.http: Flags [.]
ACK from client to server; the 3-way handshake is completed here for HTTP
192.168.0.11.49506 > edge-star-mini-shv-01-ort2.facebook.com.http: Flags [P.]
PSH + ACK (the client sends its HTTP request)
edge-star-mini-shv-01-ort2.facebook.com.http > 192.168.0.11.49506: Flags [.]
edge-star-mini-shv-01-ort2.facebook.com.http > 192.168.0.11.49506: Flags [P.]
192.168.0.11.49506 > edge-star-mini-shv-01-ort2.facebook.com.http: Flags [.]
192.168.0.11.41070 > edge-star-mini-shv-01-ort2.facebook.com.https: Flags [S]
3-way handshake starts for HTTPS
edge-star-mini-shv-01-ort2.facebook.com.https > 192.168.0.11.41070: Flags [S.]
192.168.0.11.41070 > edge-star-mini-shv-01-ort2.facebook.com.https: Flags [.]
3-way handshake ends for HTTPS
192.168.0.11.41070 > edge-star-mini-shv-01-ort2.facebook.com.https: Flags [P.]
edge-star-mini-shv-01-ort2.facebook.com.https > 192.168.0.11.41070: Flags [.]
edge-star-mini-shv-01-ort2.facebook.com.https > 192.168.0.11.41070: Flags [P.]
192.168.0.11.41070 > edge-star-mini-shv-01-ort2.facebook.com.https: Flags [.]
192.168.0.11.41070 > edge-star-mini-shv-01-ort2.facebook.com.https: Flags [P.]
edge-star-mini-shv-01-ort2.facebook.com.https > 192.168.0.11.41070: Flags [P.]
192.168.0.11.41070 > edge-star-mini-shv-01-ort2.facebook.com.https: Flags [P.]
edge-star-mini-shv-01-ort2.facebook.com.https > 192.168.0.11.41070: Flags [P.]
192.168.0.11.49506 > edge-star-mini-shv-01-ort2.facebook.com.http: Flags [F.]
FIN + ACK, client to server, HTTP
edge-star-mini-shv-01-ort2.facebook.com.http > 192.168.0.11.49506: Flags [F.]
192.168.0.11.49506 > edge-star-mini-shv-01-ort2.facebook.com.http: Flags [.]
192.168.0.11.41070 > edge-star-mini-shv-01-ort2.facebook.com.https: Flags [.]
192.168.0.11.41070 > edge-star-mini-shv-01-ort2.facebook.com.https: Flags [F.]
FIN + ACK, client to server, HTTPS
edge-star-mini-shv-01-ort2.facebook.com.https > 192.168.0.11.41070: Flags [P.]
192.168.0.11.41070 > edge-star-mini-shv-01-ort2.facebook.com.https: Flags [R]
RST (reset), from client to server, HTTPS
edge-star-mini-shv-01-ort2.facebook.com.https > 192.168.0.11.41070: Flags [F.]
192.168.0.11.41070 > edge-star-mini-shv-01-ort2.facebook.com.https: Flags [R]
Let's see the hex values for these flags.
The contents of the Flags field are as follows:
Flags (12b) = Reserved(3b) + Nonce(NS) + CWR + ECN-Echo + Urgent + Ack(.) + (P)ush + (R)eset + (S)yn + (F)in
Mnemonic to remember the last 6 bits: 'Unskilled Attackers Pester Real Security Folks'
So, writing the bits as Reserved+NS - CWR ECE URG ACK - PSH RST SYN FIN:
[S] = 000 0 - 0 0 0 0 - 0 0 1 0 = 0x 0 0 2 = 2 (in decimal)
[S.] = 000 0 - 0 0 0 1 - 0 0 1 0 = 0x 0 1 2 = 18
[.] = 000 0 - 0 0 0 1 - 0 0 0 0 = 0x 0 1 0 = 16
[P.] = 000 0 - 0 0 0 1 - 1 0 0 0 = 0x 0 1 8 = 24
[F.] = 000 0 - 0 0 0 1 - 0 0 0 1 = 0x 0 1 1 = 17
[R] = 000 0 - 0 0 0 0 - 0 1 0 0 = 0x 0 0 4 = 4
Note: 0x denotes hexadecimal notation
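To tie the header layout from the start of the post to the hex values above, here is an added example (not part of the original post) that parses a raw TCP header with the standard library and renders its 12-bit Flags field the way tcpdump prints it. The sample segment is constructed to match the first SYN in the capture (port 49506, seq 2216692295, the same options); its checksum is a placeholder, not a computed value.

```python
import struct

# Bit values inside the 12-bit Flags field, low bit first:
# FIN, SYN, RST, PSH, ACK, URG, ECE, CWR; NS sits at 0x100 and the top 3 bits
# are reserved. Letters are the ones tcpdump prints ('.' for ACK), in the
# order tcpdump prints them (assumption: NS and reserved bits are not rendered).
TCPDUMP_FLAG_LETTERS = [
    (0x001, "F"), (0x002, "S"), (0x004, "R"), (0x008, "P"),
    (0x010, "."), (0x020, "U"), (0x040, "E"), (0x080, "W"),
]

def flags_to_tcpdump(flags: int) -> str:
    """Render a Flags field value as tcpdump shows it, e.g. 0x012 -> '[S.]'."""
    letters = "".join(ch for bit, ch in TCPDUMP_FLAG_LETTERS if flags & bit)
    return "[" + (letters or "none") + "]"

def parse_tcp_header(segment: bytes) -> dict:
    """Split a raw TCP segment (IP header already removed) into the fields listed in the post."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    hlen = (off_flags >> 12) * 4   # 4-bit header length, counted in 32-bit words
    flags = off_flags & 0x0FFF     # the 12-bit Flags field: 3 reserved bits + 9 flags
    if hlen < 20 or hlen > len(segment):
        raise ValueError("bad header length %d" % hlen)
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "hlen": hlen, "flags": flags, "flags_str": flags_to_tcpdump(flags),
        "win": win, "checksum": csum, "urgent": urg,
        "options": segment[20:hlen], "payload": segment[hlen:],
    }

# Constructed sample: the first SYN from the capture (49506 -> http), with
# options mss 1460, sackOK, TS val 10168606 ecr 0, nop, wscale 8 (20 bytes),
# so the header is 40 bytes = 10 words. Checksum is a placeholder 0.
SYN_OPTIONS = (
    b"\x02\x04\x05\xb4"                          # MSS 1460
    + b"\x04\x02"                                # SACK permitted
    + struct.pack("!BBII", 8, 10, 10168606, 0)   # Timestamps: val, ecr
    + b"\x01"                                    # NOP
    + b"\x03\x03\x08"                            # Window scale 8
)
SAMPLE_SYN = struct.pack("!HHIIHHHH", 49506, 80, 2216692295, 0,
                         (10 << 12) | 0x002, 29200, 0, 0) + SYN_OPTIONS

if __name__ == "__main__":
    hdr = parse_tcp_header(SAMPLE_SYN)
    print(hdr["sport"], ">", hdr["dport"], "Flags", hdr["flags_str"],
          "seq", hdr["seq"], "win", hdr["win"], "hlen", hdr["hlen"])
```

Feeding it the 12-bit values worked out above (0x012, 0x018, 0x011, ...) gives back exactly the bracketed strings in the capture.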
--end-of-post--