Saturday, June 22, 2019

Wireshark three-way handshake

A member of the pen test team enters this filter into Wireshark:

((tcp.flags == 0x02) || (tcp.flags == 0x12)) ||
((tcp.flags == 0x10) && (tcp.ack==1) && (tcp.len==0))

What is he attempting to view?

A. SYN, SYN/ACK, ACK
B. SYN, FIN, URG, and PSH
C. ACK, ACK, SYN, URG
D. SYN/ACK only

A is correct. Wireshark can filter on the numeric value of the TCP flags field: each flag is one bit in the header, so the field's value is the sum of the flags that are set. The assigned flag decimal numbers are FIN = 1, SYN = 2, RST = 4, PSH = 8, ACK = 16, and URG = 32. Adding flag numbers together (for example, SYN + ACK = 18) lets you simplify a Wireshark filter. For instance, tcp.flags == 0x2 looks for SYN packets, tcp.flags == 0x16 looks for ACK packets, and tcp.flags == 0x18 looks for both. In the case presented in the question, the filter displays all SYN packets, all SYN/ACK packets, and all ACK packets.

B, C, and D are incorrect. These flags do not represent the values in the Wireshark filter.
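As an added example (not code from the original post), the Python below models the display filter above on a constructed capture: it builds raw TCP segments, reads the flags, acknowledgment number and payload length the way Wireshark exposes them as tcp.flags, tcp.ack and tcp.len, and keeps only the three handshake segments. The helper names (build_segment, parse_segment, matches_handshake_filter) are mine, and it assumes relative acknowledgment numbers, so the final ACK of the handshake carries tcp.ack == 1.

```python
import struct

# TCP flag bit values; the flags field is the sum of the bits that are set
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def build_segment(flags, ack_num=0, payload=b"", src=40000, dst=80, seq=0):
    """Construct a minimal 20-byte TCP header (no options) plus payload."""
    offset_flags = (5 << 12) | flags          # data offset = 5 words, flag bits in the low byte
    header = struct.pack("!HHIIHHHH", src, dst, seq, ack_num, offset_flags, 65535, 0, 0)
    return header + payload

def parse_segment(segment):
    """Return (tcp.flags, tcp.ack, tcp.len) as Wireshark names those fields."""
    _, _, _, ack_num, offset_flags = struct.unpack("!HHIIH", segment[:14])
    header_len = (offset_flags >> 12) * 4     # data offset in bytes
    flags = offset_flags & 0x3F               # the six classic flag bits
    tcp_len = len(segment) - header_len       # payload bytes, i.e. tcp.len
    return flags, ack_num, tcp_len

def matches_handshake_filter(segment):
    """Python equivalent of the page's filter (assumes relative ack numbers)."""
    flags, ack_num, tcp_len = parse_segment(segment)
    is_syn = flags == SYN                                          # tcp.flags == 0x02
    is_syn_ack = flags == (SYN | ACK)                              # tcp.flags == 0x12
    is_bare_ack = flags == ACK and ack_num == 1 and tcp_len == 0   # tcp.flags == 0x10 && ...
    return is_syn or is_syn_ack or is_bare_ack

def handshake_packets(segments):
    """Indices of the segments the filter would display."""
    return [i for i, s in enumerate(segments) if matches_handshake_filter(s)]

# Constructed capture: three-way handshake, a data segment, the server's ACK, and a FIN
CAPTURE = [
    build_segment(SYN, ack_num=0, seq=0),
    build_segment(SYN | ACK, ack_num=1, seq=0),
    build_segment(ACK, ack_num=1, seq=1),
    build_segment(PSH | ACK, ack_num=1, seq=1, payload=b"GET / HTTP/1.0\r\n\r\n"),
    build_segment(ACK, ack_num=19, seq=1),    # acknowledges the request: tcp.ack != 1
    build_segment(FIN | ACK, ack_num=19, seq=1),
]

if __name__ == "__main__":
    print(handshake_packets(CAPTURE))   # [0, 1, 2]
```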
