{"id":136,"date":"2025-06-18T01:35:13","date_gmt":"2025-06-18T01:35:13","guid":{"rendered":"https:\/\/epbrtcybersecurityportfolio.xyz\/?p=136"},"modified":"2025-06-18T01:35:13","modified_gmt":"2025-06-18T01:35:13","slug":"writing-tcpdump-filters","status":"publish","type":"post","link":"https:\/\/epbrtcybersecurityportfolio.xyz\/?p=136","title":{"rendered":"Writing tcpdump filters"},"content":{"rendered":"\n

This lab focused on building familiarity with tcpdump filters<\/strong>, particularly for identifying specific traffic based on TCP flags. The lab also introduced the use of TCP flags<\/strong>, which play a key role in identifying different types of TCP traffic (e.g., SYN, ACK, FIN).<\/p>\n\n\n\n

Exercise 1 \u2013 Identifying TCP Connection Attempts with tcpdump<\/h3>\n\n\n\n

Objective:<\/strong>
Use tcpdump<\/code> to examine records from the file int-server.pcap<\/code> and identify initial TCP connection attempts<\/strong> from clients to servers. The goal is to isolate packets where only the SYN<\/strong> bit is set\u2014this indicates the start of a TCP handshake.<\/p>\n\n\n\n

Steps Taken:<\/strong><\/p>\n\n\n\n

    \n
  1. Command Setup:<\/strong>
    To simplify the output, I used the -n<\/code> (no DNS resolution) and -t<\/code> (no timestamp) flags<\/li>\n\n\n\n
  2. Filtering on TCP Flags:<\/strong><\/li>\n\n\n\n
  3. TCP control flags are located at byte offset 13<\/strong> in the TCP header (tcp[13]<\/code>). For SYN-only packets (i.e., no ACK or other bits set), we need to match exactly the binary value 00000010<\/strong>, which is 0x02<\/strong> in hex.<\/li>\n\n\n\n
  4. tcpdump Filter Expression:<\/strong><\/li>\n\n\n\n
  5. The appropriate filter to match only SYN packets is:<\/li>\n<\/ol>\n\n\n\n
    \"\"<\/figure>\n\n\n\n

    We see attempted connections from the clients to ports 25(SMTP), 445(SMB), 4444(default port used by Metasploit), 999, 80(HTTP) and 53(DNS).<\/p>\n\n\n\n

    Exercise 2 \u2013 Filtering for TCP SYN-ACK Responses<\/h3>\n\n\n\n

    Objective:<\/strong>
    Use tcpdump<\/code> to identify packets from the int-server.pcap<\/code> file where a server responds to a connection request\u2014i.e., where both the SYN<\/strong> and ACK<\/strong> flags are set. This indicates the server is listening and willing to establish a connection.<\/p>\n\n\n\n

    Understanding TCP Flags:<\/strong><\/p>\n\n\n\n

      \n
    • The TCP flags byte<\/strong> is at offset 13<\/strong> (tcp[13]<\/code>)<\/li>\n\n\n\n
    • ACK<\/strong> = 0x10<\/li>\n\n\n\n
    • SYN<\/strong> = 0x02<\/li>\n\n\n\n
    • Therefore, SYN-ACK<\/strong> = 0x12<\/code> (00010010 in binary)<\/li>\n<\/ul>\n\n\n\n

      tcpdump Filter Used:<\/strong><\/p>\n\n\n\n

      \"\"<\/figure>\n\n\n\n

      The server ports that responded are 25, 445 and 4444.<\/p>\n\n\n\n

      Exercise 3 \u2013 Filtering for TCP Session Termination (RST or FIN)<\/h3>\n\n\n\n

      Objective:<\/strong>
      Use tcpdump<\/code> to identify packets from the int-server.pcap<\/code> file that contain termination flags<\/strong>, specifically the RST<\/strong> or FIN<\/strong> flags. These flags signal that a TCP session is being closed\u2014either gracefully (FIN) or abruptly (RST).<\/p>\n\n\n\n

      Flag Values:<\/strong><\/p>\n\n\n\n

        \n
      • FIN<\/strong> = 0x01<\/code><\/li>\n\n\n\n
      • RST<\/strong> = 0x04<\/code><\/li>\n<\/ul>\n\n\n\n

        Unlike previous filters that matched exact values, this task required detecting whether either of the two termination flags is present<\/strong>, regardless of other flags that might also be set.<\/p>\n\n\n\n

        Using a Mask Byte:<\/strong><\/p>\n\n\n\n

        The correct approach is to apply a mask byte<\/strong> that preserves only the FIN<\/strong> and RST<\/strong> bits:<\/p>\n\n\n\n

          \n
        • Binary: 00000101<\/code><\/li>\n\n\n\n
        • Hex: 0x05<\/code><\/li>\n<\/ul>\n\n\n\n

          The filter will check if either<\/strong> of these bits is present using a bitwise AND mask.<\/p>\n\n\n\n

          tcpdump Filter Used:<\/strong><\/p>\n\n\n\n

          \"\"<\/figure>\n\n\n\n

          We see 7 records with either or both the FIN and RESET flags set. <\/p>\n\n\n\n

          Exercise 4 \u2013 Filtering for TCP Packets with Both PSH and ACK Flags on Port 143 (IMAP)<\/h3>\n\n\n\n

          Objective:<\/strong>
          Use tcpdump<\/code> to extract the first five packets<\/strong> from int-server.pcap<\/code> that meet all the following criteria:<\/p>\n\n\n\n

            \n
          • Destination port is TCP 143<\/strong> (IMAP)<\/li>\n\n\n\n
          • Both the PUSH<\/strong> and ACK<\/strong> flags are set<\/li>\n\n\n\n
          • Other flags may be present as well<\/li>\n<\/ul>\n\n\n\n

            TCP Flags Reference:<\/strong><\/p>\n\n\n\n

              \n
            • ACK<\/strong> = 0x10<\/code> (bit 4)<\/li>\n\n\n\n
            • PSH<\/strong> = 0x08<\/code> (bit 3)
              Combined, they yield a value of 0x18<\/code> (00011000 in binary)<\/li>\n<\/ul>\n\n\n\n

              To isolate packets where both these bits are set (regardless of other flags), I used a bitmask<\/strong> to mask all other bits:<\/p>\n\n\n\n

                \n
              • Mask: 0x18<\/code><\/li>\n\n\n\n
              • Value: 0x18<\/code><\/li>\n<\/ul>\n\n\n\n

                tcpdump Filter Used:<\/strong><\/p>\n\n\n\n

                \"\"<\/figure>\n","protected":false},"excerpt":{"rendered":"

                This lab focused on building familiarity with tcpdump filters, particularly for identifying specific traffic based on TCP flags. The lab also introduced the use of TCP flags, which play a key role in identifying different types of TCP traffic (e.g., SYN, ACK, FIN). Exercise 1 \u2013 Identifying TCP Connection Attempts with tcpdump Objective:Use tcpdump to […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-136","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/posts\/136","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=136"}],"version-history":[{"count":5,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/posts\/136\/revisions"}],"predecessor-version":[{"id":148,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/posts\/136\/revisions\/148"}],"wp:attachment":[{"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=136"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=136"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=136"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}