A member of the pen test team enters this filter into Wireshark:
((tcp.flags == 0x02) || (tcp.flags == 0x12) ) ||
((tcp.flags == 0x10) && (tcp.ack==1) && (tcp.len==0) )
What is he attempting to view?
A. SYN, SYN/ACK, ACK
B. SYN, FIN, URG, and PSH
C. ACK, ACK, SYN, URG
D. SYN/ACK only
A is correct. Wireshark can filter on a decimal numbering system assigned to the TCP flags (each flag's number is the value of the bit that represents it in the TCP header). The assigned flag decimal numbers are FIN = 1, SYN = 2, RST = 4, PSH = 8, ACK = 16, and URG = 32. Adding flag numbers together (for example, SYN + ACK = 18) lets you simplify a Wireshark filter. For instance, tcp.flags == 0x2 looks for SYN packets, tcp.flags == 0x16 looks for ACK packets, and tcp.flags == 0x18 looks for both (in the case presented in the question, the filter will display all SYN packets, all SYN/ACK packets, and all ACK packets).
B, C, and D are incorrect. These flags do not represent the values in the Wireshark filter.
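As an added example (not part of the original question or its answer key), the following Python applies the same three clauses to constructed raw IPv4/TCP packets: it reads the flag byte, the acknowledgment number and the payload length, then evaluates the filter. It assumes a 20-byte IPv4 header followed directly by TCP with no link layer. Note that in Wireshark, tcp.ack is the acknowledgment-number field (shown relative by default, so the handshake's final ACK has tcp.ack == 1) while the ACK flag itself is tcp.flags.ack; the code below compares the raw number, and the constructed samples set it accordingly.

```python
import struct

# TCP flag bit weights: the decimal values the explanation lists, written in hex as
# Wireshark's tcp.flags field compares them (ACK = 16 = 0x10, SYN + ACK = 18 = 0x12).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Pull the three fields the filter uses out of a raw IPv4+TCP packet (no link layer)."""
    ihl = (pkt[0] & 0x0F) * 4                        # IPv4 header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]     # IPv4 total length
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4                        # TCP data offset in bytes
    return {
        "flags": tcp[13],                            # low 8 flag bits (CWR..FIN)
        "ack": struct.unpack("!I", tcp[8:12])[0],    # acknowledgment number (tcp.ack)
        "len": total_len - ihl - doff,               # TCP payload length (tcp.len)
    }

def handshake_filter(p: dict) -> bool:
    """Python rendering of the Wireshark filter from the question."""
    return ((p["flags"] == SYN) or (p["flags"] == (SYN | ACK))) or \
           ((p["flags"] == ACK) and (p["ack"] == 1) and (p["len"] == 0))

def build_packet(flags: int, ack_num: int = 0, payload: bytes = b"") -> bytes:
    """Constructed sample: 20-byte IPv4 header + 20-byte TCP header + optional payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, ack_num, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp + payload

def matches(pkt: bytes) -> bool:
    return handshake_filter(parse_ipv4_tcp(pkt))

SAMPLES = {  # constructed packets, one per case the filter must accept or reject
    "syn":      build_packet(SYN),
    "syn_ack":  build_packet(SYN | ACK, ack_num=1),
    "ack":      build_packet(ACK, ack_num=1),                      # 3rd handshake packet
    "ack_late": build_packet(ACK, ack_num=5000),                   # later bare ACK
    "ack_data": build_packet(ACK, ack_num=1, payload=b"GET / HTTP/1.0\r\n"),
    "fin_ack":  build_packet(FIN | ACK, ack_num=1),                # teardown, not handshake
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        f = parse_ipv4_tcp(pkt)
        print(f"{name:8s} flags=0x{f['flags']:02x} ack={f['ack']} len={f['len']} match={matches(pkt)}")
```

Only the three handshake packets match; a bare ACK later in the stream, an ACK carrying data, and the FIN/ACK teardown are all excluded.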