Code:
    [x:y]               start at offset x from the beginning of the packet and read y bytes
    [x]                 abbreviation for [x:1]
    proto[x:y]          start at offset x into the proto header and read y bytes
    p[x:y] & z = 0      p[x:y] has none of the bits selected by z
    p[x:y] & z != 0     p[x:y] has any of the bits selected by z
    p[x:y] & z = z      p[x:y] has all of the bits selected by z
    p[x:y] = z          p[x:y] has only the bits selected by z
Code:
    ip[0] & 0xf0        - protocol version (0x40 = IPv4; version is the high nibble)
    ip[0] & 0x0f        - internet header length (IHL) in 32-bit words; 5 = no options
    ip[1]               - TOS
    ip[2:2]             - total length
    ip[4:2]             - IP identification
    ip[6] & 0xe0        - IP flags (0x40 = DF, 0x20 = MF)
    ip[6:2] & 0x1fff    - fragment offset (in 8-octet units)
    ip[8]               - TTL
    ip[9]               - protocol field
    ip[10:2]            - header checksum
    ip[12:4]            - src IP address
    ip[16:4]            - dst IP address
    ip[20:3]            - options (only present when IHL > 5)
    ip[24]              - padding
Code:
    tcp[0:2]            - src port
    tcp[2:2]            - dst port
    tcp[4:4]            - seq number
    tcp[8:4]            - ack number
    tcp[12] & 0xf0      - data offset (header length in 32-bit words, high nibble)
    tcp[12] & 0x0f      - reserved
    tcp[13]             - tcp flags
    tcp[13] & 0x3f = 0      - no flags set (null packet)
    tcp[13] & 0x11 = 1      - FIN set and ACK not set
    tcp[13] & 0x03 = 3      - SYN set and FIN set
    tcp[13] & 0x05 = 5      - RST set and FIN set
    tcp[13] & 0x06 = 6      - SYN set and RST set
    tcp[13] & 0x18 = 8      - PSH set and ACK not set
    tcp[13] & 0x30 = 0x20   - URG set and ACK not set
    tcp[13] & 0xc0 != 0     - at least one of the reserved bits of tcp[13] is set
                              (0x40 and 0x80 are now ECE and CWR per RFC 3168, so
                              ECN-capable hosts set them legitimately)
    tcp[14:2]           - window
    tcp[16:2]           - checksum
    tcp[18:2]           - urgent pointer
    tcp[20:3]           - options (only present when data offset > 5)
    tcp[23]             - padding
    tcp[24]             - data

    Detail on Flags:

    Flags       Numerically         Meaning
    =====       ===========         =======
    ---- --S-   0000 0010 = 0x02    normal syn
    ---A --S-   0001 0010 = 0x12    normal syn-ack
    ---A ----   0001 0000 = 0x10    normal ack
    --UA P---   0011 1000 = 0x38    psh-urg-ack. interactive stuff like ssh
    ---A -R--   0001 0100 = 0x14    rst-ack. it happens.
    ---- --SF   0000 0011 = 0x03    syn-fin scan
    --U- P--F   0010 1001 = 0x29    urg-psh-fin. nmap fingerprint packet
    -Y-- ----   0100 0000 = 0x40    anything >= 0x40 has a reserved bit set
    XY-- ----   1100 0000 = 0xC0    both reserved bits set
    XYUA PRSF   1111 1111 = 0xFF    FULL_XMAS scan
Code:
    udp[0:2]            - src port
    udp[2:2]            - dst port
    udp[4:2]            - length
    udp[6:2]            - checksum
    udp[8:4]            - first 4 octets of data
Code:
    icmp[0]             - type
    icmp[1]             - code
    icmp[2:2]           - checksum

    Destination Unreachable: icmp[0] = 0x3 (3)
      icmp[4:4]         - unused (per RFC)
      icmp[8:4]         - internet header + 64 bits of original data
      icmp[1]           - 0 = net unreachable
                        - 1 = host unreachable
                        - 2 = protocol unreachable
                        - 3 = port unreachable
                        - 4 = fragmentation needed and DF set
                        - 5 = source route failed

    Time Exceeded: icmp[0] = 0xB (11)
      icmp[4:4]         - unused (per RFC)
      icmp[8:4]         - internet header + 64 bits of original data
      icmp[1]           - 0 = TTL exceeded in transit
                        - 1 = fragment reassembly time exceeded

    Parameter Problem: icmp[0] = 0xC (12)
      icmp[1]           - 0 = pointer indicates error
      icmp[4]           - pointer
      icmp[5:3]         - unused (per RFC)
      icmp[8:4]         - internet header + 64 bits of original data

    Source Quench: icmp[0] = 0x4 (4)
      icmp[1]           - 0 = may be received by gateway or host
      icmp[4:4]         - unused (per RFC)
      icmp[8:4]         - internet header + 64 bits of original data

    Redirect Message: icmp[0] = 0x5 (5)
      icmp[1]           - 0 = redirect for network
                        - 1 = redirect for host
                        - 2 = redirect for TOS & network
                        - 3 = redirect for TOS & host
      icmp[4:4]         - gateway internet address
      icmp[8:4]         - internet header + 64 bits of original data

    Echo/Echo Reply: icmp[0] = 0x0 (0) (echo reply), icmp[0] = 0x8 (8) (echo request)
      icmp[4:2]         - identifier
      icmp[6:2]         - sequence number
      icmp[8]           - data begins

    Timestamp/Timestamp Reply: icmp[0] = 0xD (13) (timestamp request), icmp[0] = 0xE (14) (timestamp reply)
      icmp[1]           - 0
      icmp[4:2]         - identifier
      icmp[6:2]         - sequence number
      icmp[8:4]         - originate timestamp
      icmp[12:4]        - receive timestamp
      icmp[16:4]        - transmit timestamp

    Information Request/Reply: icmp[0] = 0xF (15) (info request), icmp[0] = 0x10 (16) (info reply)
      icmp[1]           - 0
      icmp[4:2]         - identifier
      icmp[6:2]         - sequence number

    Address Mask Request/Reply: icmp[0] = 0x11 (17) (address mask request), icmp[0] = 0x12 (18) (address mask reply)
Code:
    is some kind of SYN-FIN       (tcp[13] & 0x03) = 3
    land attack                   ip[12:4] = ip[16:4]
    winnuke                       (tcp[2:2] = 139) && (tcp[13] & 0x20 != 0) && (tcp[19] & 0x01 = 1)
    things other than ACK/PSH     (tcp[13] & 0xe7) != 0
    initial fragments             (ip[6] & 0x20 != 0) && (ip[6:2] & 0x1fff = 0)
    intervening fragments         (ip[6] & 0x20 != 0) && (ip[6:2] & 0x1fff != 0)
    terminal fragments            (ip[6] & 0x20 = 0) && (ip[6:2] & 0x1fff != 0)
    has ip options                (ip[0] & 0x0f) != 5
    ping o' death and its ilk     ((ip[6] & 0x20 = 0) && (ip[6:2] & 0x1fff != 0)) && \
                                  (65535 < (ip[2:2] + 8*(ip[6:2] & 0x1fff)))
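As an added example (not part of the original post): a small Python evaluator of the proto[x:y] & z syntax from the first block, run over constructed IPv4/TCP packets to show which of the cheat-sheet filters above fire. The packet builder, field() and the filter names are my own; the offsets and masks are the ones listed above.

```python
import struct

def ipv4_tcp(src, dst, tcp_flags=0x02, mf=False, frag_off=0, total_len=None, ihl=5):
    """Constructed IPv4+TCP packet (sample input, not captured traffic)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    opts = b"\x01" * ((ihl - 5) * 4)           # NOP options so ip[0] & 0x0f != 5
    length = total_len if total_len is not None else 20 + len(opts) + len(tcp)
    flags_frag = (0x2000 if mf else 0) | (frag_off & 0x1FFF)   # MF is bit 0x20 of ip[6]
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, length, 1, flags_frag,
                     64, 6, 0, bytes(src), bytes(dst))
    return ip + opts + tcp

def field(pkt, proto, x, y=1):
    """proto[x:y]: read y bytes at offset x into the named header, as an int."""
    if proto == "tcp":
        if field(pkt, "ip", 6, 2) & 0x1FFF:    # like tcpdump: tcp[] only on first fragments
            raise LookupError("tcp[] undefined on a non-first fragment")
        base = (pkt[0] & 0x0F) * 4             # IHL in 32-bit words -> header bytes
    else:
        base = 0
    return int.from_bytes(pkt[base + x:base + x + y], "big")

# Python's '!=' binds tighter than '&', so every mask test below is parenthesised.
FILTERS = {
    "syn-fin":       lambda p: (field(p, "tcp", 13) & 0x03) == 3,
    "null-scan":     lambda p: (field(p, "tcp", 13) & 0x3F) == 0,
    "not-ack-psh":   lambda p: (field(p, "tcp", 13) & 0xE7) != 0,
    "land":          lambda p: field(p, "ip", 12, 4) == field(p, "ip", 16, 4),
    "ip-options":    lambda p: (field(p, "ip", 0) & 0x0F) != 5,
    "initial-frag":  lambda p: (field(p, "ip", 6) & 0x20) != 0 and (field(p, "ip", 6, 2) & 0x1FFF) == 0,
    "terminal-frag": lambda p: (field(p, "ip", 6) & 0x20) == 0 and (field(p, "ip", 6, 2) & 0x1FFF) != 0,
    "ping-o-death":  lambda p: FILTERS["terminal-frag"](p)
                               and field(p, "ip", 2, 2) + 8 * (field(p, "ip", 6, 2) & 0x1FFF) > 65535,
}

def matches(pkt):
    """Sorted names of the cheat-sheet filters this packet satisfies."""
    hits = []
    for name, test in FILTERS.items():
        try:
            if test(pkt):
                hits.append(name)
        except LookupError:
            pass                               # proto[] on a non-first fragment never matches
    return sorted(hits)

if __name__ == "__main__":
    a, b = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    print(matches(ipv4_tcp(a, b, tcp_flags=0x03)))               # SYN+FIN scan probe
    print(matches(ipv4_tcp(a, b, frag_off=8185, total_len=80)))  # last fragment ends past 64K
```

The fragment handling mirrors tcpdump, which only evaluates tcp[] on first fragments, so the last-fragment packet matches only the ip[] based filters.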