Packet structure
TCP
The TCP flags are in tcp[13]: ACK = 0x10, PSH = 0x08, RST = 0x04, SYN = 0x02, FIN = 0x01. tcpdump also accepts the symbolic form tcp[tcpflags] together with the names tcp-ack, tcp-push, tcp-rst, tcp-syn and tcp-fin, which compile to exactly these masks.
ICMP
The ICMP type is in icmp[0] (symbolically icmp[icmptype]). Useful types are 0 (echo reply), 3 (destination unreachable), 8 (echo request) and 11 (time exceeded).
IPv6
libpcap's filter language does not support transport-layer offsets such as tcp[13] or icmp[0] on IPv6 packets (the filter compiler reports that IPv6 upper-layer protocols are not supported by proto[x]), so we must index into the IPv6 header ourselves. The transport-layer protocol number is in the ip6[6] ("next header") field: TCP = 0x06, UDP = 0x11, ICMPv6 = 0x3a (58). Note that ICMPv6 is protocol 58, not 1: IPv4's ICMP number is never used over IPv6, and tcpdump's icmp6 keyword selects next header 58 for you. The IPv6 header is a fixed 40 bytes, so when there are no extension headers tcp[13] maps to ip6[53] and icmp[0] maps to ip6[40]. Any extension header (hop-by-hop options, routing, fragment, destination options) is inserted between the fixed header and the transport header and shifts these offsets; the recipes below will then not match, because ip6[6] holds the extension header's number and ip6[40] is not the type byte. If you want to confirm which bytes a filter actually inspects, tcpdump -d 'expression' prints the compiled BPF program.
Recipes
Rejected traffic
Capture TCP RST and ICMP Destination Unreachable packets for both IPv4 and IPv6 (ICMPv6 type 1 is destination unreachable), useful when debugging a firewall to see what it rejects:
((tcp[13] & 4 == 4) || (ip6[6] == 6 && ip6[53] & 4 == 4) || (icmp[0] == 3) || (icmp6 && ip6[40] == 1))
Successful TCP handshakes
Capture SYN+ACK packets to monitor successful TCP handshakes:
((tcp[13] & 0x12 == 0x12) || (ip6[6] == 6 && ip6[53] & 0x12 == 0x12))
TCP termination
Capture FIN+ACK packets to monitor TCP session terminations:
((tcp[13] & 0x11 == 0x11) || (ip6[6] == 6 && ip6[53] & 0x11 == 0x11))
Note: TCP allows a half-close, where one end sends FIN and the other keeps transmitting before sending its own FIN, and the ACK of a FIN may travel in a separate segment rather than piggy-backed on the peer's FIN. In practice a connection nearly always ends with FIN+ACK, FIN+ACK, ACK (the first FIN carries ACK too, since every segment after the handshake does), so this filter sees the start of almost every orderly teardown. Connections torn down with RST do not appear here; the rejected-traffic recipe above catches those.
IPv6 neighbor and router discovery
Capture ICMP6 neighbor solicitation / advertisement packets (135, 136) and ICMP6 router solicitation / advertisement / redirect packets (133, 134, 137):
(icmp6 && (ip6[40] >= 133 && ip6[40] <= 137))
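To check the offsets in the Packet structure section against actual bytes, and to see what the fixed ip6[40] / ip6[53] offsets miss, here is an added example (my own code, not part of the original post): it builds constructed IPv4 and IPv6 packets with Python's struct module, re-implements the tcp[], icmp[], ip6[] and icmp6 primitives over the raw IP packet, runs the four recipes above, and finally walks the extension-header chain the way the byte-offset filters cannot. All packet contents and addresses are made up; the model of the icmp6 keyword (next header 58, or a Fragment header followed by 58) follows libpcap's behaviour as I understand it.

```python
import struct

# Constructed sample addresses for the packets below (not from any capture).
V4_SRC, V4_DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
V6_SRC = bytes.fromhex("fe80000000000000000000000000000a")
V6_DST = bytes.fromhex("fe80000000000000000000000000000b")


def tcp_hdr(flags, sport=40000, dport=22):
    """20-byte TCP header without options; the flags byte is tcp[13]."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)


def icmp_hdr(type_, code=0):
    """8-byte ICMP / ICMPv6 header: type, code, checksum, rest (same layout in both)."""
    return struct.pack("!BBHI", type_, code, 0, 0)


def fragment_hdr(next_header, offset=0, more=1, ident=0x1234):
    """RFC 8200 Fragment extension header (8 bytes): next header, reserved, offset|M, id."""
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | more, ident)


def ipv4_packet(proto, payload):
    """IPv4 packet with a 20-byte header (IHL 5); the protocol number is ip[9]."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, V4_SRC, V4_DST)
    return hdr + payload


def ipv6_packet(next_header, payload):
    """IPv6 packet with the fixed 40-byte header; next header is ip6[6], payload starts at ip6[40]."""
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64, V6_SRC, V6_DST)
    return hdr + payload


# --- the tcpdump primitives used by the recipes, over the raw IP packet (no link layer) ---

def _at(pkt, i):
    return pkt[i] if i < len(pkt) else None  # BPF treats an out-of-bounds load as "no match"


def _is_v4(pkt):
    return pkt[0] >> 4 == 4


def _is_v6(pkt):
    return pkt[0] >> 4 == 6


def tcp_byte(pkt, i):
    """tcp[i]: IPv4 only (libpcap rejects it for IPv6); honours the IHL like libpcap does."""
    return _at(pkt, (pkt[0] & 0x0F) * 4 + i) if _is_v4(pkt) and pkt[9] == 6 else None


def icmp_byte(pkt, i):
    """icmp[i]: IPv4 only; honours the IHL."""
    return _at(pkt, (pkt[0] & 0x0F) * 4 + i) if _is_v4(pkt) and pkt[9] == 1 else None


def ip6_byte(pkt, i):
    """ip6[i]: a byte at a fixed offset from the start of the IPv6 header."""
    return _at(pkt, i) if _is_v6(pkt) else None


def icmp6(pkt):
    """The icmp6 keyword (assumed libpcap model): next header 58, or Fragment (44) then 58."""
    return _is_v6(pkt) and (pkt[6] == 58 or (pkt[6] == 44 and _at(pkt, 40) == 58))


def _flags(b, mask):
    return b is not None and b & mask == mask


# --- the four recipes from the post, expressed with the primitives above ---

def rejected(pkt):
    return (_flags(tcp_byte(pkt, 13), 0x04)
            or (ip6_byte(pkt, 6) == 6 and _flags(ip6_byte(pkt, 53), 0x04))
            or icmp_byte(pkt, 0) == 3
            or (icmp6(pkt) and ip6_byte(pkt, 40) == 1))


def handshake(pkt):
    return _flags(tcp_byte(pkt, 13), 0x12) or (ip6_byte(pkt, 6) == 6 and _flags(ip6_byte(pkt, 53), 0x12))


def termination(pkt):
    return _flags(tcp_byte(pkt, 13), 0x11) or (ip6_byte(pkt, 6) == 6 and _flags(ip6_byte(pkt, 53), 0x11))


def neighbor_discovery(pkt):
    t = ip6_byte(pkt, 40)
    return icmp6(pkt) and t is not None and 133 <= t <= 137


# --- what fixed offsets cannot do: follow the extension-header chain to the real type byte ---

EXT_HEADERS = {0, 43, 44, 60}  # hop-by-hop, routing, fragment, destination options


def icmp6_type(pkt):
    """ICMPv6 type reached by walking extension headers; None if not ICMPv6 or not the first fragment."""
    if not _is_v6(pkt):
        return None
    nh, off = pkt[6], 40
    while nh in EXT_HEADERS:
        if nh == 44:
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                return None  # a later fragment: the ICMPv6 header was in the first one
            nh, off = pkt[off], off + 8
        else:
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    return _at(pkt, off) if nh == 58 else None


if __name__ == "__main__":
    frag = ipv6_packet(44, fragment_hdr(58) + icmp_hdr(1))
    print("fragmented ICMPv6 unreachable: recipe matches:", rejected(frag), "walker finds type:", icmp6_type(frag))
```

The fragmented case is the interesting one: the icmp6 keyword still matches (the Fragment header's next header is 58), but ip6[40] is now the Fragment header's first byte, so ip6[40] == 1 is false and the recipe misses the packet, exactly the limitation raised in the comments below. A BPF filter has no loop, which is why the walker can only be done in a program on top of the capture.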
I do not understand at all😅
Would you please write out the entire command for us? Assume Interface mgmt.
I don’t know what you mean by “assume interface management”. These are subexpressions for use in tcpdump filters. They are not very useful on their own; you will generally also want to filter on source or destination address (or subnet) or port numbers. Either way, you won’t have much use for them unless you already know how to use tcpdump.
tcpdump -i eth0 -c10 '(icmp6 && (ip6[40] >= 133 && ip6[40] <= 137))'
Your ICMPv6 hack works as long as the packets are not fragmented.
They’re not hacks, they’re… literally how IPv6 works. And fragmentation is usually not an issue when I’m using these.
Perfect stuff!
Works in Wireshark as a capture filter as well.
Good way to capture data streams without creating large log files.
I was looking for the same, but made mistakes in the definition of the filter.
Thanks!