Re: tcpdump output - what is 0x0020?




that -nn flag (redhat FC6) turns off service resolutions so you'll see
80 instead of http. Thanks for that info. I cooked up a signature but
it doesn't work on my commercial IDS (works fine on snort).

On Jan 29, 3:10 pm, "Martin Blume" <mbl...@xxxxxxxxx> wrote:
<news8...@xxxxxxxxx> wrote:



I read the damn man page twice and still have no clue.

tcpdump -nn -i eth1 -X | grep "0000 4009 0700 0000" shows this,
0x0020: 5010 f923 aa07 0000 0000 4009 0700 0000 P..#......@.....
0x0020: 5010 f923 ee21 0000 0000 4009 0700 0000 P..#.!....@.....
0x0020: 5010 f923 ee21 0000 0000 4009 0700 0000 P..#.!....@.....
0x0020: 5010 fc00 9eba 0000 0000 4009 0700 0000 P.........@.....
0x0020: 5018 f94d f1dd 0000 0000 4009 0700 0000 P..M......@.....

1. what is 0x0020?
2. it seems that pattern 0000 4009 0700 0000 corresponds to
"..@.....", what is the math b/h this?

I have actually no idea, but I would guess that:
- 0x0020 is the offset into the packet data displayed
- the packet is displayed as you asked for (with -X) in
hex and ascii, so 80(hex)==P(ascii), 40(hex)==@(ascii),
stuff that is non-printable is shown with .

BTW: My tcpdump man page hasn't -nn.

HTH
Martin
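An added example (not part of the thread) that parses the `tcpdump -X` lines quoted above, rebuilds the right-hand ASCII column the way tcpdump does (printable bytes as themselves, everything else as '.'), and decodes what sits at offset 0x0020. The decoding assumes, which the thread does not state, that the dump starts at a 20-byte IPv4 header followed by TCP, so the TCP header begins at 0x14 and offset 0x20 holds data-offset/flags, window, checksum and urgent pointer, with the payload (the "0000 4009 0700 0000" pattern) starting at 0x28.

```python
import re

# Constructed input: the tcpdump -X lines quoted in the thread, one per packet.
DUMP_LINES = [
    "0x0020: 5010 f923 aa07 0000 0000 4009 0700 0000",
    "0x0020: 5010 f923 ee21 0000 0000 4009 0700 0000",
    "0x0020: 5010 fc00 9eba 0000 0000 4009 0700 0000",
    "0x0020: 5018 f94d f1dd 0000 0000 4009 0700 0000",
]

LINE_RE = re.compile(r"^0x([0-9a-fA-F]{4}):\s+((?:[0-9a-fA-F]{4}\s*)+)$")

def parse_dump_line(line):
    """Return (offset, data) for one `tcpdump -X` hex line. The leading 0xNNNN is
    the byte offset of the first byte on the line into the captured packet
    (0x0020 = 32 bytes in); each 4-digit group is two bytes."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a tcpdump -X hex line: %r" % line)
    return int(m.group(1), 16), bytes.fromhex(m.group(2).replace(" ", ""))

def ascii_column(data):
    """Render the right-hand column as tcpdump does: 0x20..0x7e printed, else '.'."""
    return "".join(chr(b) if 0x20 <= b <= 0x7e else "." for b in data)

def decode_tcp_tail(offset, data):
    """Decode the bytes at offset 0x20 under the assumption (ours, not the
    thread's) of a 20-byte IPv4 header followed by TCP: 0x14 is the TCP start,
    so 0x20 = doff/flags, window, checksum, urgent pointer; payload at 0x28."""
    if offset != 0x20 or len(data) < 8:
        raise ValueError("expected at least 8 bytes at offset 0x20")
    doff_flags = int.from_bytes(data[0:2], "big")
    return {
        "data_offset_bytes": (doff_flags >> 12) * 4,   # 5 words -> 20 bytes
        "flags": doff_flags & 0x1FF,                   # 0x10 = ACK, 0x18 = PSH|ACK
        "window": int.from_bytes(data[2:4], "big"),
        "checksum": int.from_bytes(data[4:6], "big"),
        "urgent": int.from_bytes(data[6:8], "big"),
        "payload": data[8:],
    }

def snort_content(payload):
    """Write a byte pattern in Snort's pipe-delimited hex content notation."""
    return "|" + " ".join("%02x" % b for b in payload) + "|"

if __name__ == "__main__":
    for line in DUMP_LINES:
        off, data = parse_dump_line(line)
        tcp = decode_tcp_tail(off, data)
        print("%s  %s  flags=0x%03x window=%d payload=%s" % (
            line, ascii_column(data), tcp["flags"], tcp["window"],
            snort_content(tcp["payload"])))
```

The flags value explains the first character: 0x50 in the high byte of doff/flags is a data offset of 5, and 0x50 happens to be ASCII 'P', just as 0x40 in the payload is '@'.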
