tcpdump truncates captured packets by default to a 68-byte snapshot length (snaplen). Use -s 0 to capture the full length of every packet:
tcpdump -s 0 -w /tmp/my240.dump -i eth1 port 2000
In Wireshark
If the coloring of TCP analysis is disturbing (i.e. black highlights), uncheck “Validate the TCP checksum if possible” under Edit > Preferences > Protocols > TCP.
For SCAPv1 Diameter, the TCP port in Wireshark under Edit > Preferences > Protocols must be changed from the standard 3868 to 1812.
To show only the initial SYN (flags 0x02) of TCP connections from a specific source to a specific destination:
tcp.flags == 0x02 and ip.src == 10.201.62.78 and ip.dst == 10.201.62.249
A series of SYN packets will then appear as:
No.  Time      Source        Destination    Protocol  Info
1    0.000000  10.201.62.78  10.201.62.249  TCP       53161 > 10010 [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0
4    0.001124  10.201.62.78  10.201.62.249  TCP       53162 > 10010 [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0
7    0.001556  10.201.62.78  10.201.62.249  TCP       53163 > 10010 [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0
16   0.006334  10.201.62.78  10.201.62.249  TCP       53164 > 10010 [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0
20   0.009590  10.201.62.78  10.201.62.249  TCP       53165 > 10010 [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0
24   0.011687  10.201.62.78  10.201.62.249  TCP       53166 > 10010 [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0
In this specific case, multiple source ports (53161, 53162, 53163, etc.) are each starting a conversation with port 10010 by sending a SYN packet.
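The same filter, applied outside Wireshark: an added example (not from the original notes) that parses packet-list lines in the format shown above, keeps only bare SYNs between the given source and destination, exactly as the display filter tcp.flags == 0x02 and ip.src/ip.dst does, and groups them by destination port. The sample lines are constructed; a [SYN, ACK] reply and a SYN from another host are included to show they are excluded.

```python
import re
from collections import defaultdict

# Constructed sample of Wireshark packet-list lines (No., Time, Source,
# Destination, Protocol, Info). Frame 2 is the server's [SYN, ACK] reply and
# frame 11 is a SYN from a different source; neither matches the filter.
SAMPLE_LINES = """\
1 0.000000 10.201.62.78 10.201.62.249 TCP 53161 > 10010 [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0
2 0.000210 10.201.62.249 10.201.62.78 TCP 10010 > 53161 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
4 0.001124 10.201.62.78 10.201.62.249 TCP 53162 > 10010 [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0
7 0.001556 10.201.62.78 10.201.62.249 TCP 53163 > 10010 [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0
11 0.003000 10.201.62.80 10.201.62.249 TCP 40001 > 10010 [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0
16 0.006334 10.201.62.78 10.201.62.249 TCP 53164 > 10010 [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0
"""

# One packet-list line: frame number, time, src, dst, "TCP", sport > dport, [flags]
LINE_RE = re.compile(
    r"^(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+TCP\s+"
    r"(?P<sport>\d+)\s+>\s+(?P<dport>\d+)\s+\[(?P<flags>[^\]]+)\]"
)

def parse_lines(text):
    """Yield one dict per parsable TCP packet-list line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["time"] = float(rec["time"])
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            rec["flags"] = {f.strip() for f in rec["flags"].split(",")}
            yield rec

def initial_syns(text, src, dst):
    """Equivalent of the display filter
    tcp.flags == 0x02 and ip.src == src and ip.dst == dst:
    only a bare SYN (no ACK or other flags) from src to dst is kept."""
    return [r for r in parse_lines(text)
            if r["flags"] == {"SYN"} and r["src"] == src and r["dst"] == dst]

def syns_per_destination_port(records):
    """Group initial SYNs by destination port -> sorted list of source ports,
    so a burst of new connections to one service stands out."""
    ports = defaultdict(list)
    for r in records:
        ports[r["dport"]].append(r["sport"])
    return {d: sorted(p) for d, p in ports.items()}

if __name__ == "__main__":
    syns = initial_syns(SAMPLE_LINES, "10.201.62.78", "10.201.62.249")
    for dport, sports in syns_per_destination_port(syns).items():
        print(f"port {dport}: {len(sports)} SYNs from source ports {sports}")
```

Run against a real export (File > Export Packet Dissections > As Plain Text in Wireshark) by replacing SAMPLE_LINES with the file contents.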