Analyze TCP Dumps

How TCP works

TCP header

  • source port: Port on the host where the request originates.
  • destination port: Port on the host the request is headed to.
  • sequence number: Keeps track of the ordering of messages. Each endpoint (source and destination) maintains its own sequence number. At the start of the TCP connection (the message with the SYN flag set) a random number is generated as the initial sequence number. It is incremented by 1 for a SYN packet, by 1 for a FIN packet and by 1 for each byte of data sent. For more info see [2].
  • acknowledgement number: When the ACK flag is set, the value in the acknowledgement number field is the next sequence number the sender is expecting. One acknowledgement number acknowledges all the bytes sent before it. For more info see [2].
  • data offset: Contains the size of the TCP header in 32-bit words. The minimum TCP header size is 5 words (20 bytes) and the maximum is 15 words (60 bytes).
  • reserved: Reserved for future use; should be set to zero.
  • Flags
  1. URG: Set if the urgent pointer field needs to be referred to.
  2. ACK: Set if this packet carries an acknowledgement value in the acknowledgement number field. Every packet after the initial SYN packet has the ACK flag set.
  3. PSH: Makes this packet a PUSH packet. In the normal flow the receiver does not acknowledge each packet as soon as it is received; it keeps the received data in a buffer for some time before handing it to the application. A PUSH packet tells the receiver to give the data to the application immediately and then acknowledge it.
  4. RST: Reset the connection. One particular example of sending an RST packet is in response to a packet received for a closed socket.
  5. SYN: Start the connection and synchronize the sequence numbers. Only the first packet from each end has this flag set.
  6. FIN: One endpoint sends a packet with the FIN flag set to the other endpoint to say "I'm done sending packets, we can terminate the connection".
  • window size: Available size of the receive buffer (window).
  • checksum: Used for error checking. It is calculated over a pseudo-header (source IP address, destination IP address, protocol number, TCP length) plus the TCP header and data. TCP length is the length of the TCP segment including the header fields and data. For more info see [4].
  • urgent pointer: If the URG flag is set, this field is an offset from the sequence number indicating the last urgent data byte. For more info see [5].
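
As an added example (not code from the original post), here is a small Python parser for the fixed 20-byte TCP header described above, together with the checksum calculation over the IPv4 pseudo-header; the sample SYN segment, the ports and the addresses 192.168.1.1 and 1.2.3.4 are constructed for the demonstration.

```python
import struct

# Flag bits in the low six bits of the data-offset/flags word (bit 0 = FIN ... bit 5 = URG)
FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header fields of a raw segment (no IP header)."""
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = off_flags >> 12          # header length in 32-bit words, 5..15
    flag_bits = off_flags & 0x3F
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "data_offset": data_offset, "header_len": data_offset * 4,
        "flags": [name for i, name in enumerate(FLAG_NAMES) if flag_bits & (1 << i)],
        "window": window, "checksum": csum, "urgent_ptr": urg,
        "payload": segment[data_offset * 4:],
    }

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Ones-complement checksum over the IPv4 pseudo-header plus the segment with its checksum field zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))  # zero, protocol 6 (TCP), TCP length
    data = pseudo + segment[:16] + b"\x00\x00" + segment[18:]
    if len(data) % 2:                      # pad an odd trailing byte with zero
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                     # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """True if the checksum carried in the segment matches the recomputed value."""
    return tcp_checksum(src_ip, dst_ip, segment) == parse_tcp_header(segment)["checksum"]

def build_tcp_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window, payload=b"") -> bytes:
    """Build a segment with a 20-byte header (data offset 5) and a correct checksum."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

# Constructed sample: a SYN from 192.168.1.1:40000 to 1.2.3.4:80 (addresses taken from the tcpdump examples)
SRC_IP, DST_IP = bytes([192, 168, 1, 1]), bytes([1, 2, 3, 4])
SYN_SEGMENT = build_tcp_segment(SRC_IP, DST_IP, 40000, 80, 0x12345678, 0, 0x02, 65535)

if __name__ == "__main__":
    hdr = parse_tcp_header(SYN_SEGMENT)
    print(hdr["src_port"], "->", hdr["dst_port"], hdr["flags"], "checksum ok:", checksum_ok(SRC_IP, DST_IP, SYN_SEGMENT))
```

The same parser can be pointed at the TCP bytes of a frame read from a pcap file once the Ethernet and IP headers have been skipped.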

TCP message flow

  1. Connection initialization (figure: TCP 3 way handshake)
  2. Connection close (figure: TCP connection close)
  3. Keep-alive

TCP Dumps

Generating TCP dumps

  • tcpdump -D : display all available interfaces
  • tcpdump -i eth0 : capture traffic on the interface "eth0"
  • tcpdump -i any : capture traffic on any interface
  • tcpdump -i wlan0 port 80 : capture traffic on the interface "wlan0" on port 80
  • tcpdump -i wlan0 -c 5 : capture 5 packets on the interface "wlan0"
  • tcpdump -i wlan0 tcp : capture only TCP traffic on the interface "wlan0"
  • tcpdump -i wlan0 src 192.168.1.1 : capture traffic on the interface "wlan0" with source IP 192.168.1.1
  • tcpdump -i wlan0 dst 192.168.1.1 : capture traffic on the interface "wlan0" with destination IP 192.168.1.1
  • tcpdump "src port 22" and "dst host 1.2.3.4" : tcpdump filter expression combined with boolean operators
  • tcpdump -i wlan0 -s 65535 : capture with a snapshot length of 65535 bytes; the default is 262144 bytes. Older versions of tcpdump capture only 68 or 96 bytes per packet.
  • tcpdump -i wlan0 -w dump.pcap : capture traffic on the interface "wlan0" and write it to a pcap file
  • tcpdump -r dump.pcap : read a captured file (Wireshark can be used instead, and is preferred)
A typical capture command for later analysis in Wireshark:
tcpdump -i <interface> -s 65535 -w <some-file>.pcap

Pre-processing and Analyzing on Wireshark

  • Time format
  • Time shift: shift every packet timestamp by a fixed number of seconds (here 45000 seconds) with editcap, writing the result to a new file
editcap -t 45000 mytcpdump.pcap mytcpdump-shifted.pcap
  • Merge multiple TCP dump files
mergecap -w outfile.pcap input-1.pcap input-2.pcap
  • Filtering
  • Follow Stream

References

  1. http://www.tcpipguide.com/index.htm
  2. https://www.youtube.com/watch?v=8XJPZttC4RM&t=771s
  3. https://en.wikipedia.org/wiki/Transmission_Control_Protocol
  4. http://www.tcpipguide.com/free/t_TCPChecksumCalculationandtheTCPPseudoHeader-2.htm
  5. http://www.tcpipguide.com/free/t_TCPPriorityDataTransferUrgentFunction-2.htm
  6. http://www.tcpipguide.com/free/t_TCPConnectionTermination-2.htm
  7. https://blog.stackpath.com/glossary/keep-alive/
  8. http://www.tcpdump.org/manpages/tcpdump.1.html
  9. https://www.tecmint.com/12-tcpdump-commands-a-network-sniffer-tool/
  10. https://www.wireshark.org/docs/wsug_html_chunked/AppToolstcpdump.html
  11. https://www.howtogeek.com/104278/how-to-use-wireshark-to-capture-filter-and-inspect-packets/
  12. https://www.wireshark.org/docs/man-pages/editcap.html
  13. https://www.wireshark.org/docs/wsug_html_chunked/ChAdvTimezones.html
  14. http://www.cybersecurityschoolonline.com/2014/08/04/fixing-wireshark-timestamps/
  15. https://ervikrant06.wordpress.com/2015/01/18/how-to-change-timezone-while-analyzing-pcap-file/
  16. https://www.wireshark.org/docs/wsug_html_chunked/ChIOMergeSection.html
  17. https://www.wireshark.org/docs/wsug_html_chunked/AppToolsmergecap.html
  18. https://wiki.wireshark.org/DisplayFilters
  19. https://www.wireshark.org/docs/wsug_html_chunked/ChAdvFollowTCPSection.html

Eranda Rajapakshe
Engineer | Technology Enthusiast