Chinaunix forum thread: Question about a tcpdump command

#1, posted 2006-11-22 17:34
tcpdump -i eth0 -p "172.16.23.0/24 and tcp[13:1] = 2"
What does this command mean? Thanks, everyone.
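What the filter in the question actually tests, as an added example that is not part of the thread: `-i eth0` selects the interface, `-p` tells tcpdump not to put it into promiscuous mode, and the quoted expression is a BPF filter with two terms. The Python below re-implements those two terms over hand-built packets (constructed sample data, not captures) instead of invoking tcpdump, so that two points become visible: `tcp[13:1]` is byte 13 counted from the start of the TCP header, which libpcap locates through the IP header length, so it is not a fixed absolute offset into the packet; and `= 2` compares the whole flags byte, so it matches only a bare SYN, not a SYN/ACK and not a SYN that also carries the ECN bits (CWR|ECE|SYN = 0xC2). The function names and the looser `filter_synbit` variant are this example's own, not tcpdump's.

```python
import ipaddress
import struct

# TCP flag bits in byte 13 of the TCP header (RFC 793; ECE/CWR from RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
NET = ipaddress.ip_network("172.16.23.0/24")


def ipv4_tcp(src, dst, flags, ip_options=b""):
    """Constructed IPv4+TCP packet for the demo (checksums left at zero).

    ip_options builds a header with IHL > 5, which is what makes the
    'offset relative to the TCP header' point matter.
    """
    assert len(ip_options) % 4 == 0
    ihl = 5 + len(ip_options) // 4
    total_len = ihl * 4 + 20
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total_len, 0, 0, 64, 6, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + ip_options + tcp_hdr


def tcp_byte(pkt, offset):
    """BPF tcp[offset:1]: the byte `offset` bytes into the TCP header, or None
    when the packet is not IPv4/TCP (the 'tcp' qualifier fails on it)."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl_bytes = (pkt[0] & 0x0F) * 4          # libpcap skips IP options this way
    return pkt[ihl_bytes + offset]


def in_net(pkt):
    """BPF 'net 172.16.23.0/24' (the bare prefix in the question): true when
    either the source or the destination address lies inside the prefix."""
    return any(ipaddress.ip_address(pkt[o:o + 4]) in NET for o in (12, 16))


def filter_exact(pkt):
    """The posted filter: inside the net AND tcp[13:1] = 2 (bare SYN only)."""
    return in_net(pkt) and tcp_byte(pkt, 13) == 2


def filter_synbit(pkt):
    """A looser variant: SYN set and ACK clear, which also catches SYNs that
    carry CWR|ECE (flags byte 0xC2) and which tcp[13:1] = 2 silently misses."""
    flags = tcp_byte(pkt, 13)
    return in_net(pkt) and flags is not None and (flags & (SYN | ACK)) == SYN


if __name__ == "__main__":
    samples = {
        "bare SYN into the net": ipv4_tcp("10.0.0.1", "172.16.23.5", SYN),
        "SYN/ACK back out": ipv4_tcp("172.16.23.5", "10.0.0.1", SYN | ACK),
        "ECN SYN into the net": ipv4_tcp("10.0.0.1", "172.16.23.9", SYN | ECE | CWR),
        "bare SYN elsewhere": ipv4_tcp("10.0.0.1", "10.0.0.2", SYN),
        "bare SYN, IP options": ipv4_tcp("10.0.0.1", "172.16.23.5", SYN, b"\x01" * 4),
    }
    for name, pkt in samples.items():
        print(f"{name:24s} tcp[13]=0x{tcp_byte(pkt, 13):02x} "
              f"exact={filter_exact(pkt)} synbit={filter_synbit(pkt)}")
```

The last sample is the one to look at when deciding between the two forms: with four bytes of IP options, absolute byte 33 of the packet is inside the TCP acknowledgement number, and only the header-relative read lands on the flags byte, which is why `tcp[13]` is written that way rather than as `ip[33]`.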

#2, posted 2006-11-23 08:03

Here's one pasted for you; hope it helps.

Summary of complex filters (without macro commands)

1. Based on correct fields

- ICMP Echo Request and Echo Reply

"(icmp[0:1]=0)" or "(icmp[0:1]=8)"

- TCP SYN packets

"(tcp[13:1]=0x02)"

- TCP ACK packets

"(tcp[13:1]=0x10)"

- TCP RST packets

"(tcp[13:1]=0x04)"

- TCP SYN or ACK packets

"(tcp[13:1]=0x02) or (tcp[13:1]=0x10)"

- TCP SYN or RST packets

"(tcp[13:1]=0x02) or (tcp[13:1]=0x04)"

- TCP SYN or FIN packets

"(tcp[13:1]=0x02) or (tcp[13:1]=0x01)"

- TCP SYN and ACK packets

"(tcp[13:1]=0x12)"

- SMTP: EHLO email.server.com

For these filters, bear in mind that WinDump cannot search for strings longer
than 4 bytes. To search for strings longer than 4 bytes, the logical operators
must be used:

String: EHLO email.server.com

tcp port 25 and "(tcp[20:4]=0x45484c4f)" and "(tcp[24:4]=0x20656d61)" and
"(tcp[28:4]=0x696c2e73)" and "(tcp[32:4]=0x65727665)" and
"(tcp[36:4]=0x722e636f)" and "(tcp[40:1]=0x6d)"

- SMTP: HELO email.server.com

tcp port 25 and "(tcp[20:4]=0x48454c4f)" and "(tcp[24:4]=0x20656d61)" and
"(tcp[28:4]=0x696c2e73)" and "(tcp[32:4]=0x65727665)" and
"(tcp[36:4]=0x722e636f)" and "(tcp[40:1]=0x6d)"

- SMTP: RCPT TO: <cuenta@xxxxxxxxxxxxxxxx>

tcp port 25 and "(tcp[20:4]=0x52435054)" and "(tcp[24:4]=0x20544f3a)" and
"(tcp[28:4]=0x203c6375)" and "(tcp[32:4]=0x656e7461)" and
"(tcp[36:4]=0x40656d61)" and "(tcp[40:4]=0x696c2e73)" and
"(tcp[44:4]=0x65727665)" and "(tcp[48:4]=0x722e636f)" and "(tcp[52:2]=0x6d3e)"

- SMTP: MAIL FROM: <cuenta@xxxxxxxxxxxxxxxx>

tcp port 25 and "(tcp[20:4]=0x4d41494c)" and "(tcp[24:4]=0x2046524f)" and
"(tcp[28:4]=0x4d3a203c)" and "(tcp[32:4]=0x6375656e)" and
"(tcp[36:4]=0x74614065)" and "(tcp[40:4]=0x6d61696c)" and
"(tcp[44:4]=0x2e736572)" and "(tcp[48:4]=0x7665722e)" and
"(tcp[52:4]=0x636f6d3e)"

- POP3: USER <libidonet@xxxxxxxxxxxxx>

tcp port 110 and "(tcp[20:4]=0x55534552)" and "(tcp[24:4]=0x206c6962)" and
"(tcp[28:4]=0x69646f6e)" and "(tcp[32:4]=0x6574406c)" and
"(tcp[36:4]=0x69626964)" and "(tcp[40:4]=0x6f6e6574)" and
"(tcp[44:4]=0x2e636f6d)"

- Searching for passwords in POP3: PASS

tcp port 110 and "(tcp[20:4]=0x50415353)"

2. Based on erroneous fields or hacking attempts

- TCP null-flag packets

"(tcp[13:1]&0x3f=0)"

- TCP FIN packets

"(tcp[13:1]=0x01)"

- TCP PUSH packets

"(tcp[13:1]=0x08)"

- TCP UNNUMBERED packets

"(tcp[13:1]=0x20)"

- TCP packets with reserved flags

"(tcp[13:1]&0xc0!=0)"

- TCP SYN and RST packets

"(tcp[13:1]=0x06)"

- TCP SYN and FIN packets

"(tcp[13:1]=0x03)"

- TCP RST and FIN packets

"(tcp[13:1]=0x05)"

- Unknown IP protocol

"(ip[9:1]>101)"

- IP fragmentation

"(ip[6:1]&0x20!=0x00)"

- Impossible fragmentation

"(ip[6:1]&0x20!=0)" and "((ip[2:2]-((ip[0:1]&0x0f)*4))&0x7!=0)"

- IP options set

"(ip[0:1]&0x0f>0x05)"

- Source-routed packets

"((ip[19:1]=0xff) or (ip[19:1]=0x00))" or "(ip[0:1]&0x0f>0x05)" and
"((ip[20:1]=0x83) or (ip[20:1]=0x89))"

- Land attack: impossible IP packet

ip[12:4] = ip[16:4]

- IP options DoS attack against Raptor Firewall v6.0

"(ip[0:1]&0x0f>0x05)" and "(ip[20:2]=0x4400)"

- IP improper addresses

net 10 or net 127 or net 169.254 or "(net 172 and (((ip[13]>15) and
(ip[13]<32)) or ((ip[17]>15) and (ip[17]<32))))" or dst net 0 or "(src net 0 and
not src host 0.0.0.0)" or net 1 or net 2 or net 5 or net 23 or net 31 or
"((ip[12]>=65) and (ip[12]<=127))" or "((ip[16]>=65) and (ip[16]<=127))" or net
191.255 or net 128.0 or net 197 or net 201 or net 223 or "(ip[12]>239)" or net
255

- ICMP Host Unreachable

"(icmp[0:1]=3)"

- ICMP Source Quench

"(icmp[0:1]=4)"

- ICMP Redirect

"(icmp[0:1]=5)"

- ICMP Router Discovery attack

"(icmp[0:1]=9)" and "((icmp[12:4]=0x03e8) or (icmp[20:4]=0x03e8) or
(icmp[28:4]=0x03e8) or ...)"

- ICMP Time Exceeded for a datagram

"(icmp[0:1]=11)"

- ICMP Parameter Problem attack

"(icmp[0:1]=12)" and "(icmp[8:1]>5)"

- ICMP Timestamp attack

"(icmp[0:1]=13)" and "(icmp[1:1]=0)" and "(icmp[4:2]=0xffff)" and
"(icmp[6:2]=0xffff)"

- ICMP Timestamp Reply

"(icmp[0:1]=14)"

- ICMP Smurf attack: broadcast Echo Request

icmp and "(ip[19]=0xff)" and "(icmp[0]=8)"

- ICMP Mask Request and Mask Reply

"(icmp[0:1]=17)" or "(icmp[0:1]=18)"

- Loki (per the original version)

"((icmp[0:1]=8) or (icmp[0:1]=0))" and "((icmp[6:2]=0xf001) or
(icmp[6:2]=0x01f0))"

- Ping of Death attack

icmp and "((ip[2:2]-((ip[0:1]&0x0f)*4)+((ip[6:2]&0x1fff)*8))>65535)"

- BackOrifice 2000: UDP

"(udp[8:4]=0xce63d1d2)" and "(udp[12:4]=0x16e713cf)"

- Traceroute filters based on UDP

"(udp[2:2]>=33000)" and "(udp[2:2]<=34999)"

- Teardrop attack

udp and "((ip[6:1]&0x20!=0) or (ip[6:2]&0x1fff!=0))"

- Sesquipedalian: against Linux O.S.

"(ip[6:1]&0x20!=0)" and "(ip[6:2]&0x1fff=0)" and
"((ip[2:2])=((ip[0:1]&0x0f)*4))"

- Diagnostic port attack

udp and "(port 7 or port 13 or port 19 or port 37)"

- Fragmented IGMP attack

igmp and "((ip[6:1]&0x20!=0) or (ip[6:2]&0x1fff!=0))"

- Smurf attack

"(ip[19]=0xff)" or "(ip[19]=0x00)"

- DNS Server Failure

"(udp[11:1]=0x82)"

- Windows Registry access or denied file access

tcp port 139 and "(tcp[20:1]=0x00) and ((tcp[28:2]=0x2d02) and
(tcp[31:2]=0x0400) or (tcp[28:2]=0x2d00))"

- Low-numbered UDP ports: diagnostic prelude attack

"(udp[0:2]<20)" or "(udp[2:2]<20)"

- UDP Bomb

udp port 53 and "(((ip[2:2]&0xffff)-((ip[0:1]&0x0f)*4))!=udp[4:2])"

- UDP Snork

"(udp src port 135 or src port 7 or src port 19)" and "(udp dst port 135)"

- Fragmented UDP

udp and "((ip[6:1]&0x20!=0) or (ip[6:2]&0x1fff!=0))"

- UDP malformed packet

"(udp[4:2]<8)"

- UDP Chargen DoS

udp src port 7 and udp dst port 19

- UDP nmap OS-determination probe

"(udp[2:2]>=30000)" and "(udp[2:2]<=44780)" and "(udp[4:2]=308)"

- UDP syslog vulnerability

"(udp dst port 514)" and "(udp[4:2]=8)"

- UDP NBTStat

udp port 137 and "((udp[55:1]=0x15) or (udp[54:1]=0x21))"

- BO2k UDP packets

"(udp[10:2]=0)" and "((ip[2:2]-((ip[0]&0x0f)*4)-8-4)=((udp[9]*256)+udp[8]))"

- BO2k TCP packets

"(tcp[22:2]=0)" and "((ip[2:2]-((ip[0]&0x0f)*4)-20-4)=((tcp[21]*256)+tcp[20]))"

- TCP services network scan

tcp and "(dst port 143 or dst port 80 or dst port 25 or dst port 23 or dst port
1080 or dst port 110)"

or, alternatively:

tcp and "(((dst port 80) and (not host 200.14.241.5)) or ((dst port 25) and
(not host 200.14.241.6)))"

- SMTP command: VRFY

tcp port 25 and "((tcp[20:4]=0x56524659) or (tcp[20:4]=0x76726679))"

- SMTP command: EXPN

tcp port 25 and "((tcp[20:4]=0x4557504e) or (tcp[20:4]=0x6578706e))"

- SMTP command: NOOP

tcp port 25 and "((tcp[20:4]=0x4e4f4f50) or (tcp[20:4]=0x6e6f6f70))"

- Quake I/II

"(src net 192.168.40)" and "(udp[2:2]>26999)" and "(udp[2:2]<28000)"

- Tribe Flood Network

tcp port 27665 or udp port 31335 or udp port 27444

- Stacheldraht

tcp port 16660 or tcp port 65000

- Shaft

tcp port 20432 or udp port 20433 or udp port 18753

Capture of an ANY query for hotmail.com

udp[21:4]=0x686f746d and udp[25:4]=0x61696c03 and udp[29:2]=0x636f

Capture of a DNS Server Fail response

udp[11:1]=0x82

Capture of an ANY query for windowsupdate.com

udp[21:4]=0x77696e64 and udp[25:4]=0x6f777375 and udp[29:4]=0x70646174 and
udp[33:4]=0x6503636f
#3, posted 2006-11-23 16:44
: what does it mean? I know tcp[13]==2 is SYN.