[SATLUG] help with tcpdump (grab a beer its a long post)

redpill toddwbucy at grandecom.net
Mon Feb 22 09:39:22 CST 2010

On Sun, 2010-02-21 at 08:31 -0600, Don Davis wrote: 
> This is an interesting thread.
> What are you checking for? RST packets received right after syn packets? 
What I am looking for is half-open connections, which might indicate
that someone is doing a stealth syn scan ('tcp[13]==18 || tcp[13]==16 ||
tcp[13]==2'). I have since removed the reset (tcp[13]=4) and fin
(tcp[13]=1) as they were extraneous. 
> What approach will you take?
Today is the first chance that I have had to come back to this problem
since Channing's suggestion that I use a named pipe. 
> Would keeping a list of received syn packets on the stack and removing 
> them when ack packets are received or tracking all the syn-ack packets 
> you send and waiting for the ack packets work?
As I have it set up I am monitoring all syn, syn/ack, and ack packets.
The general idea is to set up a tripwire at the gateway that would be
set off when a given number of half-open connections exceeds a given
point within a certain time period. 
> Which tcpdump switches did he not need?
I should be able to drop the -C -G and -W switches if I use the named
pipe. As to my use of those switches, my understanding of them has
changed since writing the first post. When used together these dump 256
minutes' worth of data in 30 second files: tcpdump -G 30 -C 256 -w
filename -W 20. This is obviously wrong; something like tcpdump -G 20
-C 3 -w filename -W 20 would have been more appropriate.
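An added example (not from this thread or from tcpdump) of the tripwire logic described above: it replays the SYN, SYN/ACK and ACK lines that `tcpdump -n -l` would write into the named pipe, keeps per-client counts of handshakes that were SYN/ACKed but never ACKed inside a time window, and flags clients that cross a threshold. The line format, the sample capture and the function names are assumptions, not anything from the original post.

```python
import re
from collections import Counter

LINE_RE = re.compile(  # text `tcpdump -n -l` prints for IPv4/TCP (assumes the default format)
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None                               # not an IPv4/TCP line we track
    h, mi, s = m["ts"].split(":")
    return (int(h) * 3600 + int(mi) * 60 + float(s), m["src"], int(m["sport"]),
            m["dst"], int(m["dport"]), m["flags"])

def half_open_sources(lines, window=30.0, threshold=5):
    """Return {client_ip: peak} for clients that reached `threshold` SYN-ACKed but
    never-ACKed handshakes within `window` seconds; keys are (client, cport, server, sport)."""
    pending, half_open, alerts = {}, {}, {}
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        t, src, sport, dst, dport, flags = p
        fwd = (src, sport, dst, dport)            # key from the sender's point of view
        rev = (dst, dport, src, sport)            # same key from the receiver's point of view
        if flags == "S":                          # tcp[13]==2: client's SYN
            pending[fwd] = t
        elif flags == "S." and pending.pop(rev, None) is not None:   # tcp[13]==18: SYN/ACK
            half_open[rev] = t
        elif flags == "." and fwd in half_open:   # tcp[13]==16: client's ACK, handshake done
            del half_open[fwd]
        # Still-open handshakes per client inside the sliding window ending at this packet.
        counts = Counter(c for (c, _, _, _), t0 in half_open.items() if t - t0 <= window)
        for client, n in counts.items():
            if n >= threshold:
                alerts[client] = max(n, alerts.get(client, 0))
    return alerts

# Constructed `tcpdump -n -l` lines (not a real capture): 192.0.2.10 SYNs three ports
# and never sends the final ACK; 192.0.2.20 completes a normal handshake on port 80.
SAMPLE = """\
09:39:22.000100 IP 192.0.2.10.40001 > 198.51.100.5.22: Flags [S], seq 1, win 1024, length 0
09:39:22.000200 IP 198.51.100.5.22 > 192.0.2.10.40001: Flags [S.], seq 9, ack 2, win 512, length 0
09:39:22.000300 IP 192.0.2.10.40002 > 198.51.100.5.80: Flags [S], seq 1, win 1024, length 0
09:39:22.000400 IP 198.51.100.5.80 > 192.0.2.10.40002: Flags [S.], seq 9, ack 2, win 512, length 0
09:39:22.000500 IP 192.0.2.20.51000 > 198.51.100.5.80: Flags [S], seq 1, win 64240, length 0
09:39:22.000600 IP 198.51.100.5.80 > 192.0.2.20.51000: Flags [S.], seq 9, ack 2, win 512, length 0
09:39:22.000700 IP 192.0.2.20.51000 > 198.51.100.5.80: Flags [.], ack 1, win 502, length 0
09:39:22.000800 IP 192.0.2.10.40003 > 198.51.100.5.443: Flags [S], seq 1, win 1024, length 0
09:39:22.000900 IP 198.51.100.5.443 > 192.0.2.10.40003: Flags [S.], seq 9, ack 2, win 512, length 0
""".splitlines()
```

Reading the same lines from the named pipe instead of `SAMPLE` (for example `half_open_sources(sys.stdin)` with the pipe on stdin) is the only wiring left; the `-C`, `-G` and `-W` rotation switches are then unnecessary, as noted above.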
