Tcpdump patterns

From TykWiki

On http://danielmiessler.com/study/tcpdump_recipes/ I found this nice list. Byte 13 of the TCP header (tcp[13]) holds the flag bits, so each filter ANDs that byte with the bit value of one flag and matches when the result is non-zero:

Show me all URG packets:
# tcpdump 'tcp[13] & 32 != 0'

Show me all ACK packets:
# tcpdump 'tcp[13] & 16 != 0'

Show me all PSH packets:
# tcpdump 'tcp[13] & 8 != 0'

Show me all RST packets:
# tcpdump 'tcp[13] & 4 != 0'

Show me all SYN packets:
# tcpdump 'tcp[13] & 2 != 0'

Show me all FIN packets:
# tcpdump 'tcp[13] & 1 != 0'

Show me all SYN-ACK packets (18 = SYN 2 + ACK 16; this is an exact comparison, so a SYN-ACK that also carries the ECN bits ECE or CWR in the same byte will not match):
# tcpdump 'tcp[13] = 18'

Matching DNS Traffic

To show incoming nsupdate (DNS UPDATE, opcode 5) queries over UDP run the following. The UDP header occupies udp[0] to udp[7], so udp[10] is the third byte of the DNS header, which holds the QR, Opcode, AA, TC and RD bits; 0x28 is binary 0010 1000, i.e. QR = 0 (query), Opcode = 5 and AA, TC and RD all clear. Being an exact match, it will not catch an UPDATE query that sets RD:

tcpdump port 53 and 'udp[10] = 0x28'

To show ServFail replies run the following:

tcpdump port 53 and 'udp[11] & 8 = 0' and 'udp[11] & 4 = 0' and 'udp[11] & 2 = 2' and 'udp[11] & 1 = 0'

That means: in the byte at offset 11 from the start of the UDP header (the fourth byte of the DNS header, holding RA, Z, AD, CD and the 4-bit RCODE), require bit value 2 to be set and bit values 8, 4 and 1 to be clear. The low four bits are therefore 0010, decimal 2, which according to RFC 1035 (section 4.1.1, page 26) is the RCODE for ServFail. The four tests together are equivalent to masking the low nibble and comparing it to 2. Note that both filters match only DNS over UDP; queries and replies carried over TCP port 53 are not covered.
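As an added worked example (not part of the original page or the linked recipes), the following Python reproduces the byte tests from the TCP flag list and the DNS section above against constructed TCP and DNS-over-UDP headers, so the offsets and bit values can be checked without a live capture. The helper names and the sample packets are made up for this illustration; it also shows the masked variants ('tcp[13] & 18 = 18' and 'udp[10] & 0x78 = 0x28') that ignore unrelated bits in the same byte.

```python
"""Evaluate tcpdump-style byte/bit tests against constructed packets (example code)."""
import struct

# TCP flag bit values carried in the flags byte, which tcpdump exposes as tcp[13].
TCP_FLAGS = {"CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
             "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}


def tcp_header(flags, seq=0, ack=0, sport=40000, dport=80):
    """Build a minimal 20-byte TCP header (constructed sample); only tcp[13] matters here."""
    data_offset = 5 << 4            # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flags, 65535, 0, 0)


def tcp_flag_names(tcp):
    """Names of every flag set in tcp[13]: one 'tcp[13] & BIT != 0' test per bit."""
    return [name for name, bit in TCP_FLAGS.items() if tcp[13] & bit]


def is_syn_ack_exact(tcp):
    """The page's 'tcp[13] = 18': SYN and ACK set and nothing else in the byte."""
    return tcp[13] == 18


def is_syn_ack_loose(tcp):
    """'tcp[13] & 18 = 18': SYN and ACK set, other bits (e.g. ECE/CWR) ignored."""
    return tcp[13] & 18 == 18


# The UDP header is 8 bytes, so udp[8 + n] is byte n of the DNS header (RFC 1035 4.1.1):
# udp[10] holds QR/Opcode/AA/TC/RD, udp[11] holds RA/Z/AD/CD/RCODE.
def udp_datagram(dns_payload, sport=53, dport=53):
    """Prepend an 8-byte UDP header so Python indexes line up with tcpdump's udp[N]."""
    length = 8 + len(dns_payload)
    return struct.pack("!HHHH", sport, dport, length, 0) + dns_payload


def dns_header(qr, opcode, rcode_value, rd=0, aa=0, tc=0, ra=0):
    """12-byte DNS header with flag bits laid out as in RFC 1035 (constructed sample)."""
    flags = ((qr << 15) | (opcode << 11) | (aa << 10) | (tc << 9)
             | (rd << 8) | (ra << 7) | rcode_value)
    return struct.pack("!HHHHHH", 0x1234, flags, 0, 0, 0, 0)


def is_update_exact(udp):
    """The page's 'udp[10] = 0x28': opcode UPDATE (5) with QR, AA, TC and RD all clear."""
    return udp[10] == 0x28


def is_update_opcode(udp):
    """'udp[10] & 0x78 = 0x28': opcode 5 regardless of the other bits in that byte."""
    return udp[10] & 0x78 == 0x28


def is_servfail(udp):
    """The page's four-term RCODE test, equivalent to 'udp[11] & 0xf = 2'."""
    b = udp[11]
    return b & 8 == 0 and b & 4 == 0 and b & 2 == 2 and b & 1 == 0


def rcode(udp):
    """RCODE is the low nibble of udp[11]."""
    return udp[11] & 0x0F


if __name__ == "__main__":
    syn_ack = tcp_header(TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"])
    ecn_syn_ack = tcp_header(TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"] | TCP_FLAGS["ECE"])
    print("flags:", tcp_flag_names(ecn_syn_ack))
    print("exact SYN-ACK match:", is_syn_ack_exact(syn_ack), is_syn_ack_exact(ecn_syn_ack))
    print("masked SYN-ACK match:", is_syn_ack_loose(syn_ack), is_syn_ack_loose(ecn_syn_ack))

    update = udp_datagram(dns_header(qr=0, opcode=5, rcode_value=0))
    update_rd = udp_datagram(dns_header(qr=0, opcode=5, rcode_value=0, rd=1))
    print("udp[10] of UPDATE query: 0x%02x" % update[10])
    print("exact UPDATE match:", is_update_exact(update), is_update_exact(update_rd))
    print("masked UPDATE match:", is_update_opcode(update), is_update_opcode(update_rd))

    servfail = udp_datagram(dns_header(qr=1, opcode=0, rcode_value=2, rd=1, ra=1))
    print("ServFail reply matches:", is_servfail(servfail), "rcode =", rcode(servfail))
```

Running the script shows why exact comparisons on a whole byte are brittle: the ECN-marked SYN-ACK and the UPDATE query with RD set fail the page's exact filters but pass the masked ones, while the ServFail test, which already masks down to the RCODE bits, is unaffected by RA or RD.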

Also see this page for much more on bit matching with tcpdump.