Jun 12

How to load balance with nginx

By jason Nginx Server 3 Comments »

Nignx is a very great web server and load banlancer. In my “Nginx Server” category have more about nginx.

If you want to configure load balancer with nginx,you can difine upstream to finish.

deployment overview

real server1
www.domain1.com
192.168.1.11

real server2
www.domain1.com
192.168.1.12

load balancer
balancer.domain1.com
192.168.1.13

master config part:

worker_processes  20;

#error_log  logs/error.log  info;

#pid        logs/nginx.pid;
worker_rlimit_nofile 51200;

events {
      use epoll;
      worker_connections 51200;
}

http {
log_format  www  ‘$remote_addr – $remote_user [$time_local] $request ‘
                        ‘"$status" $body_bytes_sent "$http_referer" ‘
                        ‘"$http_user_agent" "$http_x_forwarded_for" "$gzip_ratio"’;

access_log  logs/access.log  main;
client_header_timeout   10m;
client_body_timeout     10m;
send_timeout            10m;
client_max_body_size     4m;
client_body_buffer_size    256k;

connection_pool_size            256;
client_header_buffer_size       1k;
large_client_header_buffers     4 2k;
request_pool_size               4k;

output_buffers  1 32k;
postpone_output 1460;

tcp_nopush     on;
tcp_nodelay    on;

gzip  on;
gzip_comp_level  3;
gzip_min_length  1100;
gzip_buffers  4 8k;
gzip_proxied any;
gzip_http_version  1.1;
gzip_types  text/plain text/html text/css application/x-javascript text/xml application/xml application/xml+rss text/javascri
pt;

include       mime.types;
default_type  application/octet-stream;
keepalive_timeout 120;

load banlancer config part:

upstream  www.domain1.com  {
        server   192.168.10.11:80;
        server   192.168.10.12:80;
        server   192.168.10.13:80;
}

server
{
        listen  80;
        server_name  www.domain1.com;

        location / {
                 proxy_pass        http://www.domain1.com;
                 proxy_set_header   Host             $host;
                 proxy_set_header   X-Real-IP        $remote_addr;
                 proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
        }
}

Tagged with:
Jun 09

how to securing php

By jason Application Security No Comments »

PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.Yes PHP is a programming language that works on Linux and windows server. And this language helps in maintaining user accounts and server. I will tell you some feature to lock down PHP and securing it. Firstly I will tell you about how to edit php.ini as this is the main arrangement folder for php. You can do it by following way:

Put On Safe Mode:
You can safe guard your security and functions which you are using through this easy mode. You can work out over the security problems happening in shared server with the help of PHP safe mode. Although it not good to resolve the security problem at php level but as features of web server and OS stage are not very trustworthy many webmasters prefer and use safe mode. I will too suggest you to use safe mode if you are working on shared environment. It will help you to keep your data safe and untouchable.

Exampel:
safe_mode = On

Discontinue Unsafe PHP functions:
Through php your server can mess up with other server an there is danger that anyone can hack your account and can get your root. Many users prefer apprehensive php scripts as to get entry to your server and to provide dangerous commands and capture your server and put there control.

Example:
disable_functions = phpinfo,eval,system,shell_exec,passthru,popen

Put Off Registers Global:
Through registers global anybody can introduce any variable like in the form of HTML scripts to your data as it is very easy under php environment. Anybody can write insecure code as php does not involve variable initialization. Internal variables get mixed with the data send by any other user. Many peoples did not know that from were this unwanted data is coming and getting mixed with their variable.

Example:
register_globals = Off

Work on PHPsuexec:
The great problem with PHP is that on Cpanel servers it works as nobody and if any user sets a script to 777 admittance so it means nobody user has right to use that file and if any other user sharing the same server wrote some script to search 777 files can also get entry over the file and he can very easily introduce some unwanted material to your data and can remain unknown. And safe mode does not work over sharing other user’s files and here PHPsuexec helps to maintain privacy and stops one user to get through other users file. And with PHPsuexec you can very easily trace the other person who is doing spamming over your mails.
Through the above explained function you can easily protect PHP on shared server. There is also one more method, through which you can protect files from other user so that he should be unable to read or to spam it, that is open base protection.

Enable open_basedir
When the open_basedir parameter is enabled, PHP will be able to access only those files, which are placed in the specified directories (and subdirectories).

Example:
open_basedir = /var/www/html

Close display error
If the display_errors parameter is turned off, PHP errors and warnings are not being displayed. Because such warnings often reveal precious information like path names, SQL queries etc., it is strongly recommended to turn this parameter off on production servers.

Exampel:
display_errors = Off

Open error log
When log_errors is turned on, all the warnings and errors are logged into the file that is specified by the error_log parameter. If this file is not accessible, information about warnings and errors are logged by the Apache server.

Example:
log_errors = On

Error log filename
This parameter specifies the name of the file, which will be used to store information about warnings and errors (attention: this file must be writeable by the user or group apache)

Example:
error_log = filename

Tagged with:
May 27

How to use tcpdump

By jason Security Tools 1 Comment »

Tcpdump prints  out  the  headers of packets on a network interface that match the boolean expression.
It can also be  run  with the -w flag,  which causes it to save the packet data to a file for later analysis,
and/or with  the -b  flag, which causes it to read from a saved packet file rather than to read packets from
a network interface. In all cases, only packets that match expression will be pro­cessed by tcpdump.

Tcpdump will, if not run with the -c flag, continue capturing packets until it is interrupted by a SIGINT signal
(generated, for example, by typing your interrupt character, typically control-C) or a SIGTERM signal (typically
generated with the kill(1) command); if run  with the -c flag, it will capture packets until it is interrupted by
a SIGINT or SIGTERM signal or the specified number of packets have been processed.

SYNOPSIS
       tcpdump [ -adeflnNOpqRStuvxX ] [ -c count ]
               [ -C file_size ] [ -F file ]
               [ -i interface ] [ -m module ] [ -r file ]
               [ -s snaplen ] [ -T type ] [ -w file ]
               [ -E algo:secret ] [ expression ]

Basic syntax :

Filtering hosts :
- Match any traffic involving 192.168.1.1 as destination or source
# tcpdump -i eth1 host 192.168.1.1

- As soure only
# tcpdump -i eth1 src host 192.168.1.1

- As destination only
# tcpdump -i eth1 dst host 192.168.1.1

Filtering ports :
- Match any traffic involving port 25 as source or destination
# tcpdump -i eth1 port 25

- Source
# tcpdump -i eth1 src port 25

- Destination
# tcpdump -i eth1 dst port 25

Network filtering :
# tcpdump -i eth1 net 192.168
# tcpdump -i eth1 src net 192.168
# tcpdump -i eth1 dst net 192.168

Protocol filtering :
# tcpdump -i eth1 arp
# tcpdump -i eth1 ip
# tcpdump -i eth1 tcp
# tcpdump -i eth1 udp
# tcpdump -i eth1 icmp

Let’s combine expressions :
—————————

Negation    : ! or “not” (without the quotes)
Concatanate : && or “and”
Alternate   : || or “or”

- This rule will match any TCP traffic on port 80 (web) with 192.168.1.254 or 192.168.1.200 as destination host
# tcpdump -i eth1 ‘((tcp) and (port 80) and ((dst host 192.168.1.254) or (dst host 192.168.1.200)))’

- Will match any ICMP traffic involving the destination with physical/MAC address 00:01:02:03:04:05
# tcpdump -i eth1 ‘((icmp) and ((ether dst host 00:01:02:03:04:05)))’

- Will match any traffic for the destination network 192.168 except destination host 192.168.1.200
# tcpdump -i eth1 ‘((tcp) and ((dst net 192.168) and (not dst host 192.168.1.200)))’

Advanced header filtering :
===========================

Before we continue, we need to know how to filter out info from headers

proto[x:y]   : will start filtering from byte x for y bytes. ip[2:2] would filter bytes 3 and 4 (first byte begins by 0)
proto[x:y] & z = 0  : will match bits set to 0 when applying mask z to proto[x:y]
proto[x:y] & z !=0  : some bits are set when applying mask z to proto[x:y]
proto[x:y] & z = z  : every bits are set to z when applying mask z to proto[x:y]
proto[x:y] = z   : p[x:y] has exactly the bits set to z

Operators : >, <, >=, <=, =, !=

This may not be clear in the first place but you’ll find examples below involving these.

Of course, it is important to know what the protocol headers look like before diving into more advanced filters.

IP header
———

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |Version|  IHL  |Type of Service|          Total Length         |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |         Identification        |Flags|      Fragment Offset    |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |  Time to Live |    Protocol   |         Header Checksum       |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                       Source Address                          |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                    Destination Address                        |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                    Options                    |    Padding    | <– optional
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                            DATA …                           |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

I’ll consider we are only working with the IPv4 protocol suite for these examples.

In an ideal world, every field would fit inside one byte. This is not the case, of course.

Are IP options set ?
——————–

Let’s say we want to know if the IP header has options set. We can’t just try to filter out the 21st byte
because if no options are set, data start at the 21st byte. We know a “normal” header is usually 20 bytes
(160 bits) long. With options set, the header is longer than that. The IP header has the header
length field which we will filter here to know if the header is longer than 20 bytes.

 +-+-+-+-+-+-+-+-+
 |Version|  IHL  |
 +-+-+-+-+-+-+-+-+

Usually the first byte has a value of 01000101 in binary.

Anyhow, we need to divide the first byte in half…

0100 = 4 in decimal. This is the IP version.
0101 = 5 in decimal. This is the number of blocks of 32 bits in the headers. 5 x 32 bits = 160 bits or 20 bytes.

The second half of the first byte would be bigger than 5 if the header had IP options set.

We have two ways of dealing with that kind of filters.

1. Either try to match a value bigger than 01000101. This would trigger matches for IPv4 traffic with IP options set,
   but ALSO any IPv6 traffic !

In decimal 01000101 equals 69.

Let’s recap how to calculate in decimal.

0 : 0  \
1 : 2^6 = 64  \ First field (IP version)
0 : 0   /
0 : 0  /
-
0 : 0  \
1 : 2^2 = 4  \ Second field (Header length)
0 : 0   /
1 : 2^0 = 1 /

64 + 4 + 1 = 69

The first field in the IP header would usually have a decimal value of 69.
If we had IP options set, we would probably have 01000110 (IPv4 = 4 + header = 6), which in decimal equals 70.

This rule should do the job :
# tcpdump -i eth1 ‘ip[0] > 69′

Somehow, the proper way is to mask the first half/field of the first byte, because as mentionned earlier,
this filter would match any IPv6 traffic.

2. The proper way : masking the first half of the byte

0100 0101 : 1st byte originally
0000 1111 : mask (0×0f in hex or 15 in decimal). 0 will mask the values while 1 will keep the values intact.
=========
0000 0101 : final result

The correct filter :

# tcpdump -i eth1 ‘ip[0] & 15 > 5′

or

# tcpdump -i eth1 ‘ip[0] & 0×0f > 5′

DF bit (don’t fragment) set ?
—————————–

Let’s now trying to know if we have fragmentation occuring, which is not desirable. Fragmentation occurs
when a the MTU of the sender is bigger than the path MTU on the path to destination.

Fragmentation info can be found in the 7th and 8th byte of the IP header.

 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |Flags|      Fragment Offset    |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Bit 0:  reserved, must be zero
Bit 1:  (DF) 0 = May Fragment, 1 = Don’t Fragment.
Bit 2:  (MF) 0 = Last Fragment, 1 = More Fragments.

The fragment offset field is only used when fragmentation occurs.

If we want to match the DF bit (don’t fragment bit, to avoid IP fragmentation) :

The 7th byte would have a value of :
01000000 or 64 in decimal

# tcpdump -i eth1 ‘ip[6] = 64′

Matching fragmentation ?
————————

- Matching MF (more fragment set) ? This would match the fragmented datagrams but wouldn’t match the last
  fragment (which has the 2nd bit set to 0).
# tcpdump -i eth1 ‘ip[6] = 32′

The last fragment have the first 3 bits set to 0… but has data in the fragment offset field.

- Matching the fragments and the last fragments
# tcpdump -i eth1 ‘((ip[6:2] > 0) and (not ip[6] = 64))’

A bit of explanations :
“ip[6:2] > 0″ would return anything with a value of at least 1
We don’t want datagrams with the DF bit set though.. the reason of the “not ip[6] = 64″

If you want to test fragmentation use something like :
ping -M want -s 3000 192.168.1.1

Matching datagrams with low TTL
——————————-

The TTL field is located in the 9th byte and fits perfectly into 1 byte.
The maximum decimal value of the TTL field is thus 255 (11111111 in binary).

This can be verified :
$ ping -M want -s 3000 -t 256 192.168.1.200
ping: ttl 256 out of range

 +-+-+-+-+-+-+-+-+
 |  Time to Live |
 +-+-+-+-+-+-+-+-+

We can try to find if someone on our network is using traceroute by using something like this on the gateway :
# tcpdump -i eth1 ‘ip[8] < 5′

Matching packets longer than X bytes
————————————

Where X is 600 bytes

# tcpdump -i eth1 ‘ip[2:2] > 600′

More IP filtering
—————–

We could imagine filtering source and destination addresses directly in decimal addressing.
We could also match the protocol by filtering the 10th byte.

It would be pointless anyhow, because tcpdump makes it already easy to filter out that kind of info.

TCP header
———-

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |          Source Port          |       Destination Port        |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                        Sequence Number                        |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                    Acknowledgment Number                      |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |  Data |       |C|E|U|A|P|R|S|F|                               |
 | Offset|  Res. |W|C|R|C|S|S|Y|I|            Window             |
 |       |       |R|E|G|K|H|T|N|N|                               |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |           Checksum            |         Urgent Pointer        |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                    Options                    |    Padding    |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                             data                              |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

- Matching any TCP traffic with a source port > 1024
# tcpdump -i eth1 ‘tcp[0:2] > 1024′

- Matching TCP traffic with particular flag combinations

The flags are defined in the 14th byte of the TCP header.

 +-+-+-+-+-+-+-+-+
 |C|E|U|A|P|R|S|F|
 |W|C|R|C|S|S|Y|I|
 |R|E|G|K|H|T|N|N|
 +-+-+-+-+-+-+-+-+

In the TCP 3-way handshakes, the exchange between hosts goes like this :

1. Source sends SYN
2. Destination answers with SYN, ACK
3. Source sends ACK

- If we want to match packets with only the SYN flag set, the 14th byte would have a binary
  value of 00000010 which equals 2 in decimal.
# tcpdump -i eth1 ‘tcp[13] = 2′

- Matching SYN, ACK (00010010 or 18 in decimal)
# tcpdump -i eth1 ‘tcp[13] = 18′

- Matching either SYN only or SYN-ACK datagrams
# tcpdump -i eth1 ‘tcp[13] & 2 = 2′

We used a mask here. It will returns anything with the ACK bit set (thus the SYN-ACK combination as well)

Let’s assume the following examples (SYN-ACK)

00010010 : SYN-ACK packet
00000010 : mask (2 in decimal)
——–
00000010 : result (2 in decimal)

Every bits of the mask match !

- Matching PSH-ACK packets
# tcpdump -i eth1 ‘tcp[13] = 24′

- Matching any combination containing FIN (FIN usually always comes with an ACK so we either
  need to use a mask or match the combination ACK-FIN)
# tcpdump -i eth1 ‘tcp[13] & 1 = 1′

- Matching RST flag
# tcpdump -i eth1 ‘tcp[13] & 4 = 4′

By looking at the TCP state machine diagram (http://www.wains.be/pub/networking/tcp_state_machine.jpg)
we can find the different flag combinations we may want to analyze.

Ideally, a socket in ACK_WAIT mode should not have to send a RST. It means the 3 way handshake has not completed.
We may want to analyze that kind of traffic.

Matching SMTP data :
——————–

I will make a filter that will match any packet containing the “MAIL” command from SMTP exchanges.

I use something like http://www.easycalculation.com/ascii-hex.php to convert values from ASCII to hexadecimal.

“MAIL” in hex is 0×4d41494c

The rule would be :

# tcpdump -i eth1 ‘((port 25) and (tcp[20:4] = 0×4d41494c))’

It will check the bytes 21 to 24. “MAIL” is 4 bytes/32 bits long..

This rule would not match packets with IP options set.

This is an example of packet (a spam, of course) :

# tshark -V -i eth0 ‘((port 25) and (tcp[20:4] = 0×4d41494c))’
Capturing on eth0
Frame 1 (92 bytes on wire, 92 bytes captured)
    Arrival Time: Sep 25, 2007 00:06:10.875424000
    [Time delta from previous packet: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Packet Length: 92 bytes
    Capture Length: 92 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:tcp:smtp]
Ethernet II, Src: Cisco_X (00:11:5c:X), Dst: 3Com_X (00:04:75:X)
    Destination: 3Com_X (00:04:75:X)
        Address: 3Com_X (00:04:75:X)
        …. …0 …. …. …. …. = IG bit: Individual address (unicast)
        …. ..0. …. …. …. …. = LG bit: Globally unique address (factory default)
    Source: Cisco_X (00:11:5c:X)
        Address: Cisco_X (00:11:5c:X)
        …. …0 …. …. …. …. = IG bit: Individual address (unicast)
        …. ..0. …. …. …. …. = LG bit: Globally unique address (factory default)
    Type: IP (0×0800)
Internet Protocol, Src: 62.163.X (62.163.X), Dst: 192.168.X (192.168.X)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0×00 (DSCP 0×00: Default; ECN: 0×00)
        0000 00.. = Differentiated Services Codepoint: Default (0×00)
        …. ..0. = ECN-Capable Transport (ECT): 0
        …. …0 = ECN-CE: 0
    Total Length: 78
    Identification: 0×4078 (16504)
    Flags: 0×04 (Don’t Fragment)
        0… = Reserved bit: Not set
        .1.. = Don’t fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 118
    Protocol: TCP (0×06)
    Header checksum: 0×08cb [correct]
        [Good: True]
        [Bad : False]
    Source: 62.163.X (62.163.X)
    Destination: 192.168.X (192.168.XX)
Transmission Control Protocol, Src Port: 4760 (4760), Dst Port: smtp (25), Seq: 0, Ack: 0, Len: 38
    Source port: 4760 (4760)
    Destination port: smtp (25)
    Sequence number: 0    (relative sequence number)
    [Next sequence number: 38    (relative sequence number)]
    Acknowledgement number: 0    (relative ack number)
    Header length: 20 bytes
    Flags: 0×18 (PSH, ACK)
        0… …. = Congestion Window Reduced (CWR): Not set
        .0.. …. = ECN-Echo: Not set
        ..0. …. = Urgent: Not set
        …1 …. = Acknowledgment: Set
        …. 1… = Push: Set
        …. .0.. = Reset: Not set
        …. ..0. = Syn: Not set
        …. …0 = Fin: Not set
    Window size: 17375
    Checksum: 0×6320 [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
Simple Mail Transfer Protocol
    Command: MAIL FROM:<wguthrie_at_mysickworld–dot–com>\r\n
        Command: MAIL
        Request parameter: FROM:<wguthrie_at_mysickworld–dot–com>

Matching HTTP data :
——————–

Let’s make a filter that will find any packets containing GET requests
The HTTP request will begin by :

GET / HTTP/1.1\r\n (16 bytes counting the carriage return but not the backslashes !)

If no IP options are set.. the GET command will use the byte 20, 21 and 22

Tcpdump is only able to match data size of either 1, 2 or 4 bytes, we will take the following ASCII
character following the GET command (a space)

“GET ” in hex : 47455420

# tcpdump -i eth1 ‘tcp[20:4] = 0×47455420′

Matching other interesting TCP things :
—————————————

SSH connection (on any port) :
We will be looking for the reply given by the SSH server.
OpenSSH usually replies with something like “SSH-2.0-OpenSSH_3.6.1p2″.
The first 4 bytes (SSH-) have an hex value of 0×5353482D.

# tcpdump -i eth1 ‘tcp[(tcp[12]>>2):4] = 0×5353482D’

If we want to find any connection made to older version of OpenSSH (version 1, which are insecure and subject to MITM attacks) :
The reply from the server would be something like “SSH-1.99..”

# tcpdump -i eth1 ‘(tcp[(tcp[12]>>2):4] = 0×5353482D) and (tcp[((tcp[12]>>2)+4):2] = 0×312E)’

UDP header
———-

  0      7 8     15 16    23 24    31
 +——–+——–+——–+——–+
 |     Source      |   Destination   |
 |      Port       |      Port       |
 +——–+——–+——–+——–+
 |                 |                 |
 |     Length      |    Checksum     |
 +——–+——–+——–+——–+
 |                                   |
 |              DATA …             |
 +———————————–+                

Nothing really interesting here.

If we want to filter ports we would use something like :
# tcpdump -i eth1 udp dst port 53

ICMP header
———–

See different ICMP messages :
http://img292.imageshack.us/my.php?image=icmpmm6.gif

We will usually filter the type (1 byte) and code (1 byte) of the ICMP messages.

Here are common ICMP types :

  0 Echo Reply     [RFC792]
  3 Destination Unreachable    [RFC792]
  4 Source Quench      [RFC792]
  5 Redirect     [RFC792]
  8 Echo      [RFC792]
 11 Time Exceeded     [RFC792]

We may want to filter ICMP messages type 4, these kind of messages are sent in case of congestion of the network.
# tcpdump -i eth1 ‘icmp[0] = 4′

If we want to find the ICMP echo replies only, having an ID of 500. By looking at the image with all the ICMP packet description
we see the ICMP echo reply have the ID spread across the 5th and 6th byte. For some reason, we have to filter out with the value in hex.

# tcpdump -i eth0 ‘(icmp[0] = 0) and (icmp[4:2] = 0×1f4)’

Tagged with:
preload preload preload