Information, tools and how-to's for the new intrusion analyst. Mentoring by blogging.
Monday, December 25, 2023
File Light
Filelight is a handy disk forensics tool, though as far as I know it wasn't designed to be one. In a CTF question I am looking in an AppData folder called Comms for evidence, and I wanted to see whether the folders were all the same size...
Wednesday, July 19, 2023
Gone In 60 {Seconds,Minutes,Hours} Learning from 3 live, realistic end-t...
Highly recommend this video. Jeff is a fantastic instructor!
Thursday, May 18, 2023
IP Header Text Summary
Byte 0, bits 0-3 - IP version
Byte 0, bits 4-7 - IP header length
Byte 1 - Differentiated Services (formerly TOS)
Bytes 2-3 - Total IP datagram length
Bytes 4-5 - IP identification field
Byte 6, bit 0 - Reserved bit
Byte 6, bit 1 - Don't Fragment bit
Byte 6, bit 2 - More Fragments bit
Byte 6, bit 3 - First bit of the fragment offset field
Byte 7 - Fragment offset field (with one bit from byte 6)
Byte 8 - Time To Live
Byte 9 - Embedded protocol (TCP, UDP, ICMP, etc.)
Bytes 10-11 - IP header checksum
Bytes 12-15 - Source IP address
Bytes 16-19 - Destination IP address
Bytes 20-59 (optional) - IP options (loose or strict source routing, etc.)
Minimum IP header size 20 bytes, maximum size 60 bytes.
Tuesday, January 24, 2023
Embedded Protocol Field
Byte 9 of the IP header (counting from offset 0) is the Protocol field, also known as the embedded protocol field. It tells you which transport protocol is encapsulated in the datagram. TCP, UDP and ICMP are the most common, but it can be any valid protocol, each of which has an assigned number: TCP is 0x06, UDP is 0x11 and ICMP is 0x01. The full list is maintained by IANA at https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
BPF primitives take care of the common ones: tcp, udp and icmp are all primitives, and each is equivalent to a byte comparison on that field, for example ip[9]==0x06 for TCP. For values below 10 you could use the decimal equivalent, such as ip[9]==6, but it is good form to write hexadecimal consistently, since many protocol numbers are above 9 and mixing the two is an easy way to write the wrong value. It is also good form to always enclose your BPF expression in single quotes. Not every expression needs them, but if you write one that does (the shell would otherwise interpret characters like & or !), you won't end up with an error to troubleshoot.
BPF Man Page: https://biot.com/capstats/bpf.html
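As an added example (not code from the original post), here is a small parser that pulls out the IP header fields listed in the header summary above and shows the ip[9] comparison behind the tcp/udp/icmp primitives. The packet bytes are constructed inline, not from a real capture; the fragment offset is decoded as the 13-bit field defined in RFC 791 (five bits from byte 6 plus all of byte 7), and the checksum is verified so a corrupted header is noticed.

```python
import struct
from ipaddress import IPv4Address

# Protocol numbers from the IANA registry, limited to the three the post names.
PROTOCOL_NAMES = {0x01: "icmp", 0x06: "tcp", 0x11: "udp"}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (RFC 791 style).
    Pass the header with the checksum bytes zeroed to compute it, or the
    full header to verify it (a valid header sums to 0)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the IPv4 header using the byte offsets from the header summary."""
    if len(pkt) < 20:
        raise ValueError("need at least 20 bytes for a minimum IPv4 header")
    version = pkt[0] >> 4             # byte 0, high nibble
    header_len = (pkt[0] & 0x0F) * 4  # byte 0, low nibble, in 32-bit words
    if version != 4:
        raise ValueError(f"not IPv4 (version={version})")
    if not 20 <= header_len <= 60 or header_len > len(pkt):
        raise ValueError(f"invalid header length {header_len}")
    flags_frag = struct.unpack("!H", pkt[6:8])[0]  # bytes 6-7 together
    return {
        "version": version,
        "header_len": header_len,
        "tos": pkt[1],
        "total_len": struct.unpack("!H", pkt[2:4])[0],
        "id": struct.unpack("!H", pkt[4:6])[0],
        "reserved": bool(flags_frag & 0x8000),  # byte 6, bit 0
        "df": bool(flags_frag & 0x4000),        # byte 6, bit 1
        "mf": bool(flags_frag & 0x2000),        # byte 6, bit 2
        "frag_offset": flags_frag & 0x1FFF,     # 13 bits, in 8-byte units
        "ttl": pkt[8],
        "protocol": pkt[9],                     # the embedded protocol field
        "checksum": struct.unpack("!H", pkt[10:12])[0],
        "src": str(IPv4Address(pkt[12:16])),
        "dst": str(IPv4Address(pkt[16:20])),
        "options": pkt[20:header_len],          # empty for a 20-byte header
    }


def checksum_ok(pkt: bytes) -> bool:
    """True when the header checksum verifies over the whole header."""
    header_len = (pkt[0] & 0x0F) * 4
    return ipv4_checksum(pkt[:header_len]) == 0


def matches_bpf_primitive(pkt: bytes, primitive: str) -> bool:
    """The tcp/udp/icmp primitives are shorthand for ip[9]==0x06/0x11/0x01."""
    wanted = {name: num for num, name in PROTOCOL_NAMES.items()}[primitive]
    return parse_ipv4_header(pkt)["protocol"] == wanted


def build_sample_packet(protocol: int = 0x06, options: bytes = b"") -> bytes:
    """Constructed sample datagram (not a real capture): DF set, TTL 64,
    a 20-byte zero payload, and the checksum filled in correctly."""
    options = options + b"\x00" * (-len(options) % 4)  # pad to 32-bit words
    header_len = 20 + len(options)
    payload_len = 20
    fixed = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | (header_len // 4),  # version 4, IHL in words
        0x00,                          # DS / TOS
        header_len + payload_len,      # total length
        0x1C46,                        # identification
        0x4000,                        # flags: DF set, offset 0
        64,                            # TTL
        protocol,                      # embedded protocol
        0,                             # checksum placeholder
        IPv4Address("192.168.1.10").packed,
        IPv4Address("10.0.0.5").packed,
    )
    header = fixed + options
    csum = ipv4_checksum(header)
    header = header[:10] + struct.pack("!H", csum) + header[12:]
    return header + b"\x00" * payload_len


if __name__ == "__main__":
    pkt = build_sample_packet()
    for name, value in parse_ipv4_header(pkt).items():
        print(f"{name:12} {value}")
    print("checksum ok:", checksum_ok(pkt))
    print("matches 'tcp':", matches_bpf_primitive(pkt, "tcp"))
```

Run it as a script to see the decoded fields; the options variant in the test below shows how a non-zero IHL moves the end of the header without changing any of the fixed byte offsets.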