TCPIPCheatsheet Clean

The document provides information about TCP/IP and the tcpdump network analyzer tool. It lists common UDP ports and their associated services or applications. It also includes an overview of the ARP protocol and the format of an ARP packet.

TCP/IP and tcpdump
POCKET REFERENCE GUIDE
Version November 2015
Please submit comments and corrections to [email protected]
https://www.sans.org/security-resources/tcpip.pdf

UDP Header

Byte offset   0                 1                 2                 3
0             Source Port                         Destination Port
4             Length                              Checksum

Example bytes shown in the diagram (hex):
0    00 35 02 01
4    00 31 a4 c2

Length: number of bytes including UDP header. Minimum value is 8.
Checksum includes pseudo-header (IPs, length, protocol), UDP header and payload.

Common UDP Ports

7     echo          137   netbios-ns    546    DHCPv6c
19    chargen       138   netbios       547    DHCPv6s
53    domain        161   snmp          1900   SSDP
67    DHCPc         162   snmp-trap     5353   mDNS
68    DHCPs         500   isakmp
69    tftp          514   syslog
123   ntp           520   Rip

tcpdump usage

tcpdump [-aAenStvxX] [-F filterfile] [-i int] [-c n]
        [-r pcapfile] [-s snaplen] [-w pcapfile] ['bpf filter']

-A       display payload
-c n     display first n packets
-D       list interfaces
-e       display data link header
-F       read filter expression from file
-i       listen on specified interface
-n       do not resolve IP addresses / ports
-r       read packets from file
-s       set snap length in bytes
-S       display absolute TCP sequence numbers
-t       do not print timestamp
-tttt    print date and time
-v       verbose (multiple v: more verbose)
-w       write packets to file
-x       display in hex
-xx      display link layer in hex
-X       display in hex + ASCII

ARP

Byte offset   0                 1                 2                 3
0             HW Addr. Type                       Prot. Addr. Type
4             HW Addr Len.      Prot. Addr Len    Opcode
8             Source Hardware Addr.
12            Src HW Addr                         Src Protocol Addr
16            Src. Proto Addr                     Tgt HW Addr
20            Tgt HW Address (cont.)
24            Target Protocol Address

Hardware Type: 1 - Ethernet
Protocol Type: 0x0800 - IPv4
Address Length: 4=IPv4, 6=Ethernet
Opcode: 1-request, 2-response

Acronyms

AH       Authentication Header (RFC 2402)
ARP      Address Resolution Protocol (RFC 826)
BGP      Border Gateway Protocol (RFC 1771)
CWR      Congestion Window Reduced (RFC 2481)
DF       Do not fragment flag (RFC 791)
DHCP     Dynamic Host Configuration Protocol (RFC 2131)
DNS      Domain Name System (RFC 1035)
ECN      Explicit Congestion Notification (RFC 3168)
ESP      Encapsulating Security Payload (RFC 2406)
FTP      File Transfer Protocol (RFC 959)
GRE      Generic Route Encapsulation (RFC 2784)
HTTP     Hypertext Transfer Protocol (RFC 1945)
ICMP     Internet Control Message Protocol (RFC 792)
IGMP     Internet Group Management Protocol (RFC 2236)
IMAP     Internet Message Access Protocol (RFC 2060)
IP       Internet Protocol (RFC 791)
ISAKMP   Internet Sec. Assoc. & Key Mngm Proto. (RFC 7296)
L2TP     Layer 2 Tunneling Protocol (RFC 2661)
OSPF     Open Shortest Path First (RFC 1583)
POP3     Post Office Protocol v3 (RFC 1460)
RFC      Request for Comments
SMTP     Simple Mail Transfer Protocol (RFC 821)
SSH      Secure Shell (RFC 4253)
SSL      Secure Sockets Layer (RFC 6101)
TCP      Transmission Control Protocol (RFC 793)
TLS      Transport Layer Security (RFC 5246)
TFTP     Trivial File Transfer Protocol (RFC 1350)
TOS      Type of Service (RFC 2474)
UDP      User Datagram Protocol (RFC 768)

COURSES & GIAC CERTIFICATIONS

SEC503    Intrusion Detection In-Depth
SEC 401   Security Essentials
SEC 502   Perimeter Protection
SEC 560   Network Penetration Testing
SEC 546   IPv6 Security Essentials
FOR 572   Network Forensics
MGT512    Security Leadership Essentials

The SANS Technology Institute develops leaders to strengthen enterprise and global information security. STI educates managers and engineers in information security practices and techniques, attracts top scholar-practitioners as faculty, and engages both students and faculty in real-world applied research.
Learn more at https://www.sans.edu

A collaborative network security community. Learn about current issues, correlate your logs with others, free API and other resources to enhance your understanding of current threats.
https://isc.sans.edu
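A decoder for the ARP layout above (Ethernet hardware type 1, protocol type 0x0800, address lengths 6 and 4, opcode 1/2). This is an added example, not code from the SANS sheet; the sample packet is constructed and the returned field names are my own.

```python
"""Decode a 28-byte ARP packet laid out as in the sheet (Ethernet/IPv4 case).
Added example, not code from the SANS sheet."""
import struct

OPCODES = {1: "request", 2: "response"}      # sheet: 1-request, 2-response

def decode_arp(pkt: bytes) -> dict:
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", pkt[:8])
    # Sheet: Hardware Type 1 = Ethernet (6-byte addr), Protocol Type 0x0800 = IPv4 (4-byte addr)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    if len(pkt) < 8 + 2 * (hlen + plen):
        raise ValueError("ARP packet truncated")
    off = 8                                      # byte 8: Source Hardware Addr.
    sha = pkt[off:off + hlen]; off += hlen
    spa = pkt[off:off + plen]; off += plen       # byte 14: Src Protocol Addr
    tha = pkt[off:off + hlen]; off += hlen       # byte 18: Tgt HW Addr
    tpa = pkt[off:off + plen]                    # byte 24: Target Protocol Address
    return {
        "opcode": OPCODES.get(opcode, "unknown (%d)" % opcode),
        "sender_mac": sha.hex(":"), "sender_ip": ".".join(map(str, spa)),
        "target_mac": tha.hex(":"), "target_ip": ".".join(map(str, tpa)),
    }

# Constructed sample (not from the sheet): a request asking who has 192.0.2.1,
# sent from 192.0.2.2; the target MAC is all zeros because it is still unknown.
SAMPLE_REQUEST = bytes.fromhex(
    "0001" "0800" "06" "04" "0001"
    "021122334455" "c0000202"
    "000000000000" "c0000201")
```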
DNS

Byte offset   0                 1                 2                 3
0             Query ID                            Flags (see below)
4             Query Count                         Answer Count
8             Authority Rec. #                    Addtl. Record #
12            Questions…
              Answers…
              Authority Records…
              Additional Records…

Flags:

Byte Offset 2   bit:  0     1 2 3 4   5     6     7
                      QR    OPCODE    AA    TC    RD
Byte Offset 3   bit:  0     1     2     3     4 5 6 7
                      RA    Z     AD    CD    RCODE

QR: Query (0) or Response (1)
Opcode: 0 – std. Query, 1 – inverse query (IQUERY), 2 – Server Status (STATUS)
AA: Authoritative Answer
TC: Truncated response
RD: Recursion Desired
RA: Recursion Available
Z: Zero (set to 0)
AD: Authentic Data (DNSSEC)
CD: Checking Disabled (DNSSEC)
RCODE:
0 – No error
1 – Format Error
2 – Server Failure
3 – Non-existent domain (NXDOMAIN)
4 – Query type not implemented
5 – Query refused

ICMP

Byte offset   0                 1                 2                 3
0             Type              Code              Checksum
4             Addtl. information depending on type/code

Example bytes shown in the diagram (hex):
0    08 00 a5 34

Type   Code   Name
0      0      Echo Reply
3      0      Network Unreachable
3      1      Host Unreachable
3      2      Protocol Unreachable
3      3      Port Unreachable
3      4      Fragmentation Required
3      5      Source Route Failed
3      6      Dest. Network Unknown
3      7      Destination Host Unknown
3      8      Source Host Isolated
3      9      Net Administratively Prohibited
3      10     Host Administratively Prohibited
3      11     Network unreachable for TOS
3      12     Host unreachable for TOS
3      13     Communication Admin. Prohibited
4      0      Source quench
5      0      Network Redirect
5      1      Host Redirect
5      2      ToS & Network Redirect
5      3      ToS & Host Redirect
8      0      Echo Response
9      0      Router Advertisement
11     0      Time to live exceeded in transit
11     1      Fragment Reassembly time exc.
12     0      Parameter Prob. Pointer indicates the error
12     1      Missing a required option
12     2      Bad length
13     0      Timestamp
14     0      Timestamp Reply
15     0      Information Request
16     0      Information Reply
17     0      Address Mask Request
18     0      Address Mask Reply
30     0      Traceroute

ICMP Echo Request/Reply (Ping)

Byte offset   0                 1                 2                 3
0             Type              Code              Checksum
4             ICMP ID                             ICMP Sequence

IPv4 Header

Byte offset   0                 1                 2                 3
0             Ver | IHL         TOS               Total Length
4             IP Identification                   Flags | Offset
8             TTL               Protocol          Checksum
12            Source Address
16            Destination Address
20            Options (optional)

Example bytes shown in the diagram (hex):
0    45 00 00 3a
4    1d 4a 40 00
8    40 11 d1 3a
12   c0 00 02 02
16   c0 00 02 01

Version: 4                                  ip[0]&0xf0
Header Length: IP header length in double-words (4 bytes). Minimum 5 (20 bytes)
ToS/Differentiated Services Byte            ip[1]
    bit:  0 1 2 3 4 5                 6 7
          Diff. Svc. Code Point       ECN
Total Length: includes header               ip[2:2]
Flags                                       ip[6]
    bit:  0   1   2   3   4   5   6   7
          X   D   M   O   O   O   O   O
    X: Reserved, D: Do Not Frag., M: More Fragments, O: Offset bits
Fragment Offset: position of this ip datagram's payload in original packet (multiply by 8)
Protocol                                    ip[9]
    1 ICMP    2 IGMP    6 TCP    17 UDP    41 IPv6    47 GRE    50 ESP    51 AH    115 L2TP
Checksum: IP Header Only
Options: up to 40 bytes, 4 byte padded      ip[20..]

IP Options
0      End of Options List
1      No Operation
7      Record Route
68     Timestamp
131    Loose Source Route
137    Strict Source Route

TCP

Byte offset   0                 1                 2                 3
0             Source Port                         Dest. Port
4             Sequence Number
8             Acknowledgement Number
12            HL | R            Flags             Window Size
16            Checksum                            Urgent Pointer
20            Options (up to 40 bytes)

Example bytes shown in the diagram (hex):
0    04 01 00 50
4    a0 3b ef 11
8    04 ea 35 e1
12   50 12 3a 16
16   52 34 00 00

Sequence Number    tcp[4:4]: increments with each byte
Ack. Number        tcp[8:4]: next expected sequence number
Header Length      tcp[12]>>4: TCP Header Length / Offset; minimum 5. Number of 32 bit dwords (4 bytes)
Reserved           tcp[12]&0x0f: Set to 0
Flags              tcp[13]
    bit:    7     6     5     4     3     2     1     0
    value:  8     4     2     1     8     4     2     1      (high nibble, low nibble)
    name:   CWR   ECE   URG   ACK   PUSH  RES   SYN   FIN
Window Size        tcp[14:2]: recv. Window size
Checksum           tcp[16:2]: Covers pseudo-header + TCP Header + TCP Payload
Urgent Pointer     tcp[18:2]: Offset pointer to urgent data
Options            tcp[20:..]

TCP Options
0      End of List
1      No Operation
2      Max. Segment Size
3      Window Scale
4      Selective Ack OK
8      Timestamp
29     TCP Auth Option
30     Multipath TCP

Common TCP Ports

20    ftp-data     80    http        443    https
21    ftp          88    kerberos    445    MS SMB
22    ssh          110   pop3        465    SMTPS
23    telnet       113   authd       1433   MS SQL
25    smtp         119   nntp        3128   Squid
43    whois        143   imap        3306   Mysql
53    dns          179   bgp         3389   MS Term.
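A decoder for the IPv4, UDP and TCP layouts above, written against the ip[...] / tcp[...] byte offsets the sheet lists and fed the illustrative bytes printed in its diagrams. This is an added example, not code from the SANS sheet; ip_checksum is the header-only ones-complement sum the sheet describes, and the returned field names are my own.

```python
"""Decode the IPv4, UDP and TCP header bytes printed in the sheet's diagrams,
using the ip[...] / tcp[...] offsets it lists. Added example, not SANS's code."""
import struct

# Illustrative bytes as printed in the sheet's header diagrams (hex digits joined)
IP_HDR = bytes.fromhex("4500003a1d4a40004011d13ac0000202c0000201")
UDP_HDR = bytes.fromhex("003502010031a4c2")
TCP_HDR = bytes.fromhex("04010050a03bef1104ea35e150123a1652340000")
# tcp[13] bit values: high nibble 8-4-2-1 = CWR ECE URG ACK, low = PUSH RES SYN FIN
TCP_FLAGS = [(0x80, "CWR"), (0x40, "ECE"), (0x20, "URG"), (0x10, "ACK"),
             (0x08, "PUSH"), (0x04, "RES"), (0x02, "SYN"), (0x01, "FIN")]

def decode_ip(ip: bytes) -> dict:
    ihl = ip[0] & 0x0f                      # header length in 4-byte words, min 5
    return {
        "version": ip[0] >> 4,             # the sheet's ip[0]&0xf0, shifted down
        "ihl": ihl, "tos": ip[1],
        "total_len": struct.unpack("!H", ip[2:4])[0],   # ip[2:2], includes header
        "id": struct.unpack("!H", ip[4:6])[0],
        "df": bool(ip[6] & 0x40), "mf": bool(ip[6] & 0x20),  # X D M bits of ip[6]
        "frag_offset": (struct.unpack("!H", ip[6:8])[0] & 0x1fff) * 8,  # 8-byte units
        "ttl": ip[8], "proto": ip[9],       # ip[9]: 1 ICMP, 6 TCP, 17 UDP ...
        "checksum": struct.unpack("!H", ip[10:12])[0],
        "src": ".".join(map(str, ip[12:16])),
        "dst": ".".join(map(str, ip[16:20])),
        "options_len": ihl * 4 - 20,        # ip[20..], up to 40 bytes
    }

def decode_udp(udp: bytes) -> dict:
    sport, dport, length, csum = struct.unpack("!HHHH", udp[:8])
    return {"sport": sport, "dport": dport, "length": length, "checksum": csum}

def decode_tcp(tcp: bytes) -> dict:
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    hl = tcp[12] >> 4                       # tcp[12]>>4: header length in dwords
    win, csum, urg = struct.unpack("!HHH", tcp[14:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "hl": hl,
            "reserved": tcp[12] & 0x0f,     # tcp[12]&0x0f, should be 0
            "flags": [name for bit, name in TCP_FLAGS if tcp[13] & bit],
            "window": win, "checksum": csum, "urgent": urg,
            "options_len": hl * 4 - 20}     # tcp[20:..]

def ip_checksum(hdr: bytes) -> int:
    """Ones-complement checksum over the IP header only, checksum field zeroed."""
    hdr = hdr[:10] + b"\x00\x00" + hdr[12:]
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xffff) + (total >> 16)
    return ~total & 0xffff
```

The UDP and TCP bytes are not from the same datagram as the IP bytes, so treat them as field illustrations rather than a reassembled packet.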

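A decoder for the DNS header laid out above: Query ID, the two flag bytes at byte offsets 2 and 3, and the four section counts, with Opcode and RCODE named from the sheet's lists. This is an added example, not code from the SANS sheet; the sample header is constructed and the returned field names are my own.

```python
"""Decode the 12-byte DNS header laid out in the sheet: Query ID, the two flag
bytes (byte offsets 2 and 3) and the four section counts. Added example."""
import struct

# Names from the sheet's Opcode and RCODE lists
OPCODES = {0: "std. Query", 1: "inverse query (IQUERY)", 2: "Server Status (STATUS)"}
RCODES = {0: "No error", 1: "Format Error", 2: "Server Failure",
          3: "Non-existent domain (NXDOMAIN)", 4: "Query type not implemented",
          5: "Query refused"}

def decode_dns_header(hdr: bytes) -> dict:
    if len(hdr) < 12:
        raise ValueError("DNS header is 12 bytes")
    qid, b2, b3, qd, an, ns, ar = struct.unpack("!HBBHHHH", hdr[:12])
    return {
        "id": qid,
        # byte offset 2, MSB first: QR | OPCODE (4 bits) | AA | TC | RD
        "qr": "Response" if b2 & 0x80 else "Query",
        "opcode": OPCODES.get((b2 >> 3) & 0x0f, "other"),
        "aa": bool(b2 & 0x04), "tc": bool(b2 & 0x02), "rd": bool(b2 & 0x01),
        # byte offset 3, MSB first: RA | Z | AD | CD | RCODE (4 bits)
        "ra": bool(b3 & 0x80), "z": (b3 >> 6) & 0x01,     # Z must be 0
        "ad": bool(b3 & 0x20), "cd": bool(b3 & 0x10),
        "rcode": RCODES.get(b3 & 0x0f, "other"),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

# Constructed sample (not from the sheet): an authoritative NXDOMAIN response
# with RD and RA set, one question and one authority record.
SAMPLE = bytes.fromhex("beef" "85" "83" "0001" "0000" "0001" "0000")
```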