Saturday, April 20, 2013

Flags in TCP Header


The 20-byte TCP header has seven individual bit flags - URG, ACK, PSH, SYN, FIN, RST and the placeholder.
In tcpdump output these flags are represented as urg, ack, P, S, F, R and . respectively.

URG - urg - Indicates that the urgent pointer portion of the header should be examined. Urgent data should take precedence over other data. For example, pressing Ctrl-C to terminate a download.
ACK - ack - Indicates that the acknowledgement number should be examined. An ACK packet is used to acknowledge the receipt of data. This flag may appear in conjunction with other flags.
PSH - P - Indicates that the receiver should hand this data up to the next layer as soon as possible. Signals the immediate push of data from the sending host to the receiving host.
SYN - S - Initiates a connection. A SYN packet is a session establishment request, the first part of any TCP connection.
FIN - F - Indicates that the sender (either client or server) is done sending data. It signals the intention to terminate the existing connection to the other end.
RST - R - Indicates that the connection should be reset. It signals the sender's intention to immediately abort the existing connection.
Placeholder - . - If the packet does not have the SYN, FIN, RST or PSH flag set, this placeholder is printed in the flags field. Note that it also appears in conjunction with the ack flag.

A sample tcpdump capture, taken while accessing the host 74.125.236.183 on its port 80 with the curl command.

For the following command

# curl -IL 74.125.236.183

the capture was written to a file with

# tcpdump -w test.pcap -i bond0 host 74.125.236.183

and then read back, without name or port resolution, with

# tcpdump -nnr test.pcap
13:20:36.724978 IP 192.168.1.33.41002 > 74.125.236.183.80: Flags [S], seq 3247485552, win 14600, options [mss 1460,sackOK,TS val 1544059 ecr 0,nop,wscale 7], length 0
13:20:36.756286 IP 74.125.236.183.80 > 192.168.1.33.41002: Flags [S.], seq 3589360082, ack 3247485553, win 62392, options [mss 1430,sackOK,TS val 977680945 ecr 1544059,nop,wscale 6], length 0
13:20:36.756326 IP 192.168.1.33.41002 > 74.125.236.183.80: Flags [.], ack 1, win 115, options [nop,nop,TS val 1544091 ecr 977680945], length 0
13:20:36.756402 IP 192.168.1.33.41002 > 74.125.236.183.80: Flags [P.], seq 1:171, ack 1, win 115, options [nop,nop,TS val 1544091 ecr 977680945], length 170
13:20:36.788779 IP 74.125.236.183.80 > 192.168.1.33.41002: Flags [.], ack 171, win 992, options [nop,nop,TS val 977680978 ecr 1544091], length 0
13:20:36.844585 IP 74.125.236.183.80 > 192.168.1.33.41002: Flags [P.], seq 1:598, ack 171, win 992, options [nop,nop,TS val 977681032 ecr 1544091], length 597
13:20:36.844603 IP 192.168.1.33.41002 > 74.125.236.183.80: Flags [.], ack 598, win 124, options [nop,nop,TS val 1544179 ecr 977681032], length 0
13:20:36.844773 IP 192.168.1.33.41002 > 74.125.236.183.80: Flags [F.], seq 171, ack 598, win 124, options [nop,nop,TS val 1544179 ecr 977681032], length 0
13:20:36.875132 IP 74.125.236.183.80 > 192.168.1.33.41002: Flags [F.], seq 598, ack 172, win 992, options [nop,nop,TS val 977681064 ecr 1544179], length 0
13:20:36.875166 IP 192.168.1.33.41002 > 74.125.236.183.80: Flags [.], ack 599, win 124, options [nop,nop,TS val 1544209 ecr 977681064], length 0
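As an added example (not part of the original post), the following Python decodes the tcpdump flag notation described above from tcpdump -nn text and labels each packet with the connection phase its flag combination implies. It assumes the "." placeholder stands for ACK; the sample lines are the post's own capture with the options field dropped, plus one constructed [R.] line on port 41003 so the reset path is exercised.

```python
import re
# tcpdump flag letters (the post's notation) mapped to TCP flag names. Assumption:
# the "." placeholder is read as ACK, as every "[.]" sample line carries "ack N".
FLAG_CHARS = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG", ".": "ACK"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
    r".*?length (?P<length>\d+)$"
)

# Sample input: lines from the post's capture with the options field dropped,
# plus one constructed [R.] line (port 41003) to exercise the reset path.
SAMPLE = """\
13:20:36.724978 IP 192.168.1.33.41002 > 74.125.236.183.80: Flags [S], seq 3247485552, win 14600, length 0
13:20:36.756286 IP 74.125.236.183.80 > 192.168.1.33.41002: Flags [S.], seq 3589360082, ack 3247485553, win 62392, length 0
13:20:36.756326 IP 192.168.1.33.41002 > 74.125.236.183.80: Flags [.], ack 1, win 115, length 0
13:20:36.756402 IP 192.168.1.33.41002 > 74.125.236.183.80: Flags [P.], seq 1:171, ack 1, win 115, length 170
13:20:36.844773 IP 192.168.1.33.41002 > 74.125.236.183.80: Flags [F.], seq 171, ack 598, win 124, length 0
13:20:36.875132 IP 74.125.236.183.80 > 192.168.1.33.41002: Flags [F.], seq 598, ack 172, win 992, length 0
13:20:36.875166 IP 192.168.1.33.41002 > 74.125.236.183.80: Flags [.], ack 599, win 124, length 0
13:20:40.000000 IP 192.168.1.33.41003 > 74.125.236.183.80: Flags [R.], seq 1, ack 1, win 0, length 0
"""

def parse_flags(flag_str):
    """'S.' -> {'SYN', 'ACK'}; characters outside the table are ignored."""
    return {FLAG_CHARS[c] for c in flag_str if c in FLAG_CHARS}

def classify(flags, length):
    """Label a packet by the connection phase its flag combination implies."""
    if "RST" in flags:
        return "abort"
    if "SYN" in flags:
        return "handshake:SYN-ACK" if "ACK" in flags else "handshake:SYN"
    if "FIN" in flags:
        return "teardown:FIN"
    if length > 0:
        return "data:PSH" if "PSH" in flags else "data"
    return "ack-only"

def summarize(text):
    """Parse tcpdump -nn text; return (src, dst, phase) per recognised line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        phase = classify(parse_flags(m["flags"]), int(m["length"]))
        out.append((m["src"], m["dst"], phase))
    return out
```

Running summarize(SAMPLE) reproduces the three-way handshake, the pushed request, the two-sided FIN teardown and the constructed abort in order, which is the same walk through the flags a reviewer does by eye on the capture above.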
