Yeah, I introduced the next speaker because we're right on the money with that talk. Let's see here, who's next? Scribbles. Where's Scribbles? Scribbles, you here?

Scribbles here. Oh yeah, I'm here.

Okay, there you are. Sorry. Okay. Scribbles is our next speaker. He's going to be presenting Advanced Packet Wrangling with tcpdump. This should be a very interesting talk. By the way, Scribbles, Stephen Kennedy, is a security engineer and a new Linux enthusiast in Denver, Colorado. He holds a master's degree in cybersecurity and information assurance as well as over 20 industry certifications. Dude, do you ever sleep? I mean, 20 certs, seriously? Where are you? That is impressive. Okay?

I've got certs, and they're hard to get through the university system, you know, they just keep paying for certs instead.

Yeah, well, that's true. Yes, I know exactly what you mean. It's like, here's free money, go to another class. There you go. So his first computer was a Commodore 64 and he's a survivor of late-90s and early-2000s IRC. By the way, IRC is still alive and working, thank you very much. So without any further ado, here's Scribbles.

Thank you. Wonderful. Thank you, X-ray. Here. Oh, do you have access to the stage? I do, yeah. Okay. Yeah, if you go, make sure that the stream is looking good, the stream setup. Oh, they got it working? You did? Excellent. Well, our team has been in the background hacking like crazy. So, excellent. All right. Thanks, everyone.

Let me make sure my slides are up over here as well. Good. I definitely want to give a big shout out to the giggle you on team for figuring this out. It's been a bit of a they're-on-fire event just to get these slides up and everything figured out, which is amazing. So, like I said, my name is Stephen Kennedy. I previously spent time as a network security consultant and a network security engineer. And of course, if you're not familiar with the 14ers... let me see if I can move this slide.
This is the new form, I can do it myself, nice. I'm back, take a look. Yeah. So if you're not familiar with the 14ers, those are mountain peaks over 14,000 feet, or if you're not using freedom units, that'd be 4,267 meters. Let's see how far away I can get with this. I can. Beautiful.

Okay, so tcpdump and libpcap. These projects are both open source. They're developed by the tcpdump group. tcpdump is certainly the best known command line interface packet analyzer. You can basically open a terminal and see all the traffic on any of your network interfaces. If you do it on a busy enterprise box, you'll barely get a chance to see any text at all, it will all just scream by, and you'll just have to hit Ctrl-C 100 times to finally get it to stop. So the important part about tcpdump is building filters to slow some of that stuff down. It was first released in 1988, and I believe it's still in active development. It's still an extremely useful tool and it's absolutely keeping up with the times. So a big part of this talk is encouraging you to dive deep on this one.

So libpcap is the library that tcpdump uses to interface with the kernel. In Windows this is called WinPcap, and the Windows version of tcpdump is called WinDump. See here, yep. So right around 1993 at USENIX, if you're not familiar with USENIX, it's a famous conference where a lot of technical papers are presented. Back in 1993 the folks that created tcpdump at Lawrence Berkeley Laboratory actually delivered a paper on what they called the BSD Packet Filter. You might have seen the phrase BPF being thrown around. It's usually associated with tcpdump. At this point BPF has exploded into a number of uses, ways to filter and access all these other bits of information that require really quick access, because, you know, the CPU is really quick, there's a lot of process activity. It's no longer just about network activity.
But if you start searching around, you'll see that most of the stuff online about it is going to be somehow related to network filtering.

All right. So the next slide here, this is the "why should I care" slide. This is a pretty important part, right? Whenever people hear that tcpdump is, you know, from 1988, there's a little bit of that "I'm being dragged back into the Linux command line again, and I've never seen this stuff before, how long is this going to take to learn," right? This is an incredibly useful tool for your skill set, and I really wanted to prove that out to you.

So the "pcap or it didn't happen" picture on the previous slide. It's a popular slogan for shirts and everything. It's not just a clever phrase, right? It's generally true. If it didn't go across the wire, it probably didn't happen. Perhaps there are scenarios where you're blocked from viewing it, sure, but those are few and far between. So it's very important as a tool to be able to prove things that you need to prove to someone else, or to prove what someone's claiming to you.

So how would that work? If you've ever worked in an IT environment, you've been on either side of this conversation, and probably will be for the rest of your career. That conversation where maybe you're a server owner, and you just stood up, or maybe you own, a couple servers, right, a couple of services running on it, and one of your co-workers just stood up a new server and it needs to connect to yours. They come to you and say, hey, I need this, can you give me this token or whatever so I can connect to your service? You go,
yep, made an account for you, here's your token, go do your thing and configure the stuff that you own. And then they come back and they go, well, hey, I configured it and the only message that I got was "connection failed." Right, so "connection failed" doesn't tell us very much. Is the network actually down? Did something actually fail? It doesn't tell us much of anything. Did it even try to get on the network? Maybe it can't even access the network adapter itself. So error messages can be terrible. I think we all know that. Developers can be very hit or miss on that sort of thing, and log messages in general aren't always much better. So this is that part where you can start to lean on the network to be like, well, wait a minute.

So me as the server owner, if my co-worker comes to me and says, hey, I tried to connect to you and it just didn't work, one of the first things I'm probably going to do is, obviously, double check the information that he was given. Maybe the IP was wrong or something like that. If you use a tool like tcpdump you can say, hey, well, what's your server IP? Go ahead and try to connect to me again. And if I don't see any traffic come to my interface, something else is going on. Right, we've already ruled out this entire service, and again, if you're in that IT space, you know that you just stopped an entire circus from happening, potentially five meetings, right?
So it's very important that you be able to rule things out, or prove their claim, right. Another great example is that in a past life I was working for a vendor that sold security appliances, and a customer had one installed in Tokyo. This appliance would make a tunnel back to a data center in the U.S., and the tunnel kept failing, and the response from the customer was, as you'd expect, they paid a lot of money for it: your appliance is broken, you need to figure it out and fix it. So we started looking at the appliance and it took a bit to see what was going on. Every time the tunnel would open, so we were looking at it from the point of view of the box that's in Tokyo, every time we'd see that SYN go out we'd immediately get a reset back. Right, and so if you think about it, you don't have to know a ton about networking to realize that one millisecond or less isn't enough time for that SYN to go from Tokyo to Atlanta. That's breaking the laws of physics. So if we're immediately getting a reset right after we attempt that connection, we know that there's another network device nearby, potentially maybe even in the same office, sending that reset. And so we were immediately able to call that out and get their network engineers on the line and be like, what is this? Look at the timestamps, this doesn't make sense. And boom, they found out that they hadn't actually properly implemented the ACLs, and the connection was open and the tunnel was able to work. So the point of those stories, of course, being that this tool can look very esoteric, but it's important.

Third, of course, threat actors aren't the only ones that live off the land. Whenever we hear that phrase we always think about threat actors having to come in and they can't upload certain tools, so they have to live off the land, right?
That happens to us too. So when you work in a highly regulated or highly secured environment, if you have customers that are in the energy industry, or potentially if you're working in a FedRAMP environment with government customers, you know this problem well. Whenever you run into a problem, someone's always going to bring up some really slick tool from GitHub that was just written four weeks ago, probably, and you can't just go download and install that. It would break compliance regulations, there'd be tons of paperwork. And if you try to circumvent those sorts of things, this is generally what we consider a career limiting move, right? So these are the important pieces that I just really wanted to highlight and make sure that we got through here when we're talking about tcpdump.

This is a skill that also pays dividends, right? The more you invest in this, the more you practice, the better you're going to get at it. Some of the technical details here, if you don't practice them, it's not going to stick.
It's just like anything else in life, but it's not as hard as it can look initially. So please understand that this does require a basic understanding of the TCP/IP protocol stack. If you're a networking newbie, this will help you get an idea of what's possible with this tool. Let's see. So once we get through the syntax, we're going to do some more advanced filter techniques, but certainly don't be discouraged, because things will get a little weird here. Let's stick with it.

So some basic syntax. You've probably seen a good bit of this if you are familiar with tcpdump. So on the left here we've got our flags, color coded. If we look at the command across the top, right, we've got capital X, so -X is going to show the output in both hexadecimal and ASCII. The -n is don't resolve hosts and ports. Typically we do that just because we just want to see port numbers and we want to see IPs. I don't want resolution and DNS getting in the way, because we know that always gets messy. -i, also a very important one, is where I specify the network interface we're monitoring. So in this example we're going to be looking at eth0. And then for the -c, we're going to specify the packet count, which this way you can say, hey, you might match a million packets with this filter, just show me five. That'd be great, right?

So we look on the right side here, filters and operators. Pretty easy to read in English. So right after we get past that -c 5 on the top left, we're going to move into what I put in single quotes. The reason you typically want to do that is because the tcpdump filters can start to use characters that might be interpreted by your shell. We're talking about an ampersand or parentheses or things you might have to escape otherwise. It gets messy; just use single quotes and then you don't have to worry about it, right?
So tcp, and you see we've got an open parenthesis that's matched by a close parenthesis on the other end of the line. Remember this is just like in math class, order of operations, we've got to start with the parentheses first. And what we're saying here is src host this IP address or src host this other IP address. So this filter is going to show us any packet that is TCP and sourced from either of those hosts. Easy enough, right? We can also see that there are other things you can do. You can do ports, port ranges, specify protocols: tcp, udp, icmp, multicast. And so not, and, or on the bottom line. I wanted to hit that one first, look right above it. Of course the not, the negation, is the exclamation point. Just like in bash, the double ampersand is an and. Just like in everything else, the double pipe is an or. And we have some other characters that are available to us: less than, greater than, equals, and parentheses to help divide some things.

Okay, so filtering at the transport and network layers. A really cool feature of tcpdump is that you do have some convenience flags. This is done by the development team, just kind of thrown in there, some really common things that you're going to need to do. There's no reason to bring math into this, right, let's just do something easy where we can look at a table and figure this out. And again, this is pretty English readable. You'll see the flags on the left; if you're familiar with the TCP protocol you'll recognize the flag names. What we have is tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack. And then the message types. These are all ICMP messages down here. So the most common ones you're going to recognize are, of course, ICMP message type 8 and message type 0, which are echo and echo reply, or ping and ping reply.
That's the most common way of knowing it. So in the examples up here, let's look at one of these written out using some of these keywords. So you have tcp and then in square brackets tcpflags, and then & (tcp-syn|tcp-fin) != 0. So it's pretty obvious what the first part does, right? We're filtering on the TCP flags section of the TCP header, and I want you to show me packets where either the TCP SYN flag, or, remember that pipe is an or, the FIN flag is not zero. Right, so remember a packet is actually binary when it's on the wire. It's a one or zero, it's on or off. So if it does not equal zero then it must be a one, which means it must be on. So show me packets where SYN or FIN are on.

Okay, and the same thing with the ICMP message down here, pretty straightforward: icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply. That would essentially show you every ICMP packet that is not related to ping. Good, simple, right? Let's move on to the next slide here.

All right, so the big question is, we see those keywords, right, and they're very convenient, very nice, easy to remember, and then things start getting weird. So how do those keywords work? Why are they convenient, and why would they go out of their way to do this for us? How do they go into a packet and pull out that section of the packet? So in this diagram here, the big part in the center, that's actually the TCP header. If you're familiar with TCP/IP you'll know that typically the IPv4 header is at the top, and in order to get around, TCP requires IPv4. And so below the IPv4 header you'll have the TCP header, and then the payload, so all the data that's being moved around below that. This TCP header, you'll notice, doesn't talk about IP addresses.
It just talks about ports. IP addresses are up in the IPv4 header. So when we talk about tcp-syn, tcp-fin, what's actually happening, and again these are examples from previously, right, you look down at byte 13 down here in green, you'll see TCP flags. It says C U A P R S F. So what that actually is, those are all of the TCP flags. Look on the left hand side over here, what we have is this table that's showing URG, ACK, PSH, RST, SYN, FIN. Right, so these are a lot of the flags that you hear on a regular basis, the SYN, SYN-ACK, ACK for the TCP three-way handshake. The order of those matters.

And so when we're going in and we're looking at a header like this, it can be very confusing, right? There are lots of numbers and lines and things like that. So at the very top left is byte zero, or byte offset zero, that's the beginning of the TCP header. Right, so for the next eight open slots here, we'll count them off: one, two, three, four, five, six, seven, eight. So where that one is right above the word "source," that's a whole byte, and one byte is eight bits, right, and you'll see there's a line in the middle that's a little bit darker. So a half byte is called a nibble. Four bits is a nibble, eight bits is a byte. So it's pretty easy to say the source port field of the TCP header takes up two whole bytes. Right, easy enough.

So we look on the top left where this binary diagram is, and what we'll see is that the top column in blue is 128, 64, 32, 16, 8, 4, 2, 1. You'll see that 128 keeps getting cut in half as we go, and then there are ones and zeros along it. So think of each of these slots, or each of those columns there, there are eight of them, matching up with the eight bits in a byte. Right, so as we go across starting at byte offset zero here, that's going to be 128, 64, 32, 16, 8, 4, 2, 1. Okay, so as they're coming across the wire, again, electronically, it's just a one or zero, an on pulse or an off pulse, right?
So in this diagram up here, we see it's 1 0 1 1 0 0 0 1. All you have to do is, where there's a one, you just add that number. It's that simple. 128 plus 32 plus 16 plus 1 equals 177. Great. I mean, that's binary math, right? It's really just adding where there's a one. And just know that after that one at the very end here along the top column, it just starts over again at one. So it goes from 1 to 128, 64, 32, and that's going to keep going along the whole top of all of these fields over and over and over again. And that's how your computer is interpreting these values, your network card rather.

So back to the point about the filter examples. We already went over the verbal one, or the keyword one: tcp-syn or tcp-fin does not equal zero. But the line below it is actually equivalent: tcp[13] & (2|1) != 0. So you might have put two and two together now and realized that the tcp[13], the reason that's equivalent to tcp[tcpflags], well, tcpflags, where it's green right here, is actually byte 13 of the TCP header. We're saying start at that byte. And what about this "and" part, & (2|1)? Go back up to the binary chart. That's the two bits on the far right of the 13th byte here. Here's the S and the F, the SYN and the FIN. Right, so if there's a one and a one here then we could match. So if, starting from byte 13 of this field, tcpflags is 0000 0010, it's going to show up with our tcpdump filter. And that's about as hard as this gets, right? It gets a little weirder, but that's about as hard as it gets. So if you're following me there, you're doing a great job, right?

So the next slide. We can get a lot more precise than that, and so if you feel it in your chest the first time you see a filter like this, you're not alone.
I've certainly been there. This is whenever those keywords don't match what you need to look for in tcpdump, or on the wire. Right, so we start seeing things. Some of this might make sense based on what we've been talking about. We've got ip, sure, I see the brackets where they have the byte numbers, I can look at those, right, tcp[12], okay, not equal zero. What does any of this mean? And where do we even begin? So we're going to break this down into three parts. The tcp port 80 is pretty straightforward, but we're going to break this down into three filters. We've got the blue in here, what is that, coral, we'll go with coral, and then this yellowish color here. We're going to break this into three different filter pieces and go through them.

All right, so this is the IPv4 header, RFC 791. The filter we're looking at is the first part of the original one on the previous slide here. So we're looking at ip[2:2] as the first portion of what we want to figure out. The goal here is just to figure out what it is that this filter does. So, okay, ip[2:2]. We hadn't seen the colon 2 before, but we know that that 2 probably means the second byte. At the top left we see the offset and length. So whenever you do the 2:2 it's just like a range, just like you would do in Python or another language like that. So it's saying from byte 2, so where the blue arrow here on the diagram begins, I want the next two bytes. From byte 2: one, two, and there's the end of the line.
So we're basically done with the ip[2:2] portion. If you look at the header we know that it's asking for the total length field. So we're basically saying whatever value is in the total length field is going to be swapped out in the filter as we go. And at the bottom here, one of the cool things about these diagrams is it has a couple definitions of what the fields do, because some of the fields are a little different. So total length is the total length of the IP datagram, or IP fragment if fragmented, and it's measured in bytes. That's already in bytes and that's what we probably want, so we're just going to go with that. Easy.

All right, but then the next one is this (ip[0] & 0xf) << 2, right, so that looks pretty strange. Let's move on to the next one and take a look. So we're going to validate our length field here. This is the first time that we're taking a look at the tcpdump output. I hope everyone can see this. I'm going to slide down here so that I can get a first look as well. So you can see that at the very top line I'm using the filter that we were looking at, tcp[13] & (2|1) != 0. Great. So on the third line of this whole screen here is a timestamp at 13:45. Each one of these timestamps is a packet that matched that filter that tcpdump is outputting and showing us. As we read across we see IP, okay, IP 192.168.1.140 is reaching out to this 174 address on port 80. I'm going to make a leap and say that's probably HTTP traffic. I think that's safe to say, right? A little bit further than that it says Flags [S]. So in tcpdump output that S actually represents that SYN flag being on, the TCP SYN. And if we look directly below that S into the next packet, where it says [S.], that S-dot, the dot is an ACK. So what we're seeing here is part of the three-way handshake.
So we see S and S-dot. So the host that received the SYN replied back with its SYN-ACK. What's in the red box is actually the part of the packet that we were just filtering for, the ip[2:2]. So why is it all the way over here in these weird characters? So if you've never seen hex before, hopefully you have, but if you haven't, hex is typically represented, when it's written, beginning with 0x in order to separate it from other types of values like decimal. Hex is a base 16 counting system, so we're doing zero through nine and A through F as the valid characters. So F is 15. The reason why F is not 16 in the base 16 counting system is because we count from zero. Right, so 0 0 3 c. Each character up there is actually one nibble. So if we start at the top left and see that 4500 to the left of the red box, we can actually look at our header diagram and see, okay, version, that's the 4. IHL, that's the 5 hex. Type of service, 0, next nibble 0. Now we're into the red box, 003c. So first nibble 0, second nibble 0, then there's a 3, then there's a C. Well, 3c doesn't make any sense to us. We thought this was supposed to be in bytes. Well, it is, it's just in hexadecimal right now. Right, so we have to convert that to decimal. At the very top, just above the screenshot, you can see hex 0x003c equals 60. You convert that value to decimal, that's 60 bytes, right?

This next slide here. So back to the second part of this, the coral filter, right, the (ip[0] & 0xf) << 2. So let's actually go down, we're going on here, I'm going to exit the stage here for a moment. So we're going to start at the very top left, and what we can see is that ip[0], simple enough, we're going to look at the IP header, we're going to start at byte offset zero, show me that first byte. Great.
There are the first two nibbles, right, two nibbles in a byte. And so that part's done, but we haven't finished dealing with the rest of the parentheses yet. Right, so that ampersand 0x0... I'm sorry, 0xf. The ampersand is telling you that we're going to bit mask. And so what we're going to do is we're going to mask these eight bits in this single byte. And what that means, so we need to take that hexadecimal F, we need to convert it to decimal. F in decimal is 15, like we were just talking about, and in binary it's 1111. Why is it 1111? Well, again, if we imagine the 128, 64, 32, 16, 8, 4, 2, 1 across each bit in this byte, what you're going to see is it actually breaks out to 0000 1111, because 8, 4, 2, 1 totals 15. Right, and so that's why we opted to give it the 0xf value. So with this mask applied, we have now told tcpdump, hey, I know that you only let me tell you which whole byte to start on, but I really need a half byte, and that doesn't help me very much, so I want you to start at zero but now use this mask to carve out this nibble for me, right. And you can do this a lot of different ways, there are a lot of cool tricks you can do, but this is the concept.

So the IHL field in tcpdump, I'm sorry, in the IP header, is actually the header length. And this typically, almost always, is a 5. And the reason for that is that IP options are generally no longer used. IP options is the last field in an IP header. So there's just one of these, you know, one of those things in life that you just have to accept, it's a weird rule where the story takes longer than it does to remember the rule. Please remember that when that field has a value in it, you multiply it by four, and that tells you the number of bytes that the header is. It's almost always 20 bytes, because again, IP options just aren't used. So I went ahead and put that 5 over here, right, and below it we have the binary chart, and so we
finish the parentheses and we're still left with that << 2. But what does that mean? So the << 2 actually means we're going to bit shift the value in parentheses by two. If you haven't heard of bit shifting, it sounds really complicated and cool. It's extremely simple. So we're going to take that value, and we know that we need to multiply by four to get the bytes, right, but the interesting part is that bit shifting left by two is the same thing as multiplying by four. I say again, bit shifting left by two is the same as multiplying by four. And the reason that is, we come over here and look, we have 0101 in this left binary table here, right? So 8, 4, 2, 1. All I did was literally slide the value in the left table two bits over, and any new spaces that are created, you just throw a zero in there, because we can't create new ones. Right, so then it just becomes 10100. So we essentially multiplied by four, because we went from four and one makes five, to 16 and four makes 20. That's an interesting bit of binary math, and also, if you've never delved into how CPUs at a very low level do complex math, this is the very beginning of how that stuff works. The advanced stuff has been above my head for a long time, but this is a very general idea of how that binary math works. So that's it, right? So that's one of the most intimidating pieces.

So on to the third filter. This looks very much the same. You already know what to do here. So we're starting with the TCP header. We start at the 12th byte, and we can see the header up here at the very top, right, so the 12th byte, we look on the left hand column, there are those byte offset values in red.
You can actually just go straight down to 12. You don't even have to count, that's nice and easy, right on a simple edge line there. So we're looking at the offset value. So if you don't know what the TCP offset value is, that value tells you, in bytes, how far from offset zero of the TCP header the TCP payload begins. Right, so the reason why that's important, and less important than the IP header length value, is that, like I said, IP options aren't really used anymore, so it's almost always 20 bytes. TCP options are absolutely used all the time. So we do need to calculate this value, and it does matter, right? So we're looking at tcp[12] and we know which part that is, great. But again, we're on the problem where the offset value in the header diagram, the diagram shows us that offset is not a whole byte like source port was, where it was nice and easy. So we need a bit mask again, just to grab that first nibble. So the bit mask is 0xf0. Remember the previous mask was 0xf in order to get the far right four bits; now we want the far left four bits, which are the higher order bits, 128, 64, 32, 16. We're going to do the same thing. We convert that to binary, and, check my notes, yeah, that comes out to 240. And so that 240, we build that out, yep, so we get the 1111 0000. Sorry,
I was looking at my notes there, and that gets us our mask. So that 240 is the whole nibble there. We drop down, and I went ahead and selected 80 from one of the packets that we match on a future slide, so we have data to work with. And that's what's actually in the offset value for a real TCP packet. Right, so we use that 240 to get the mask, and then once we actually look in that field using that mask, we realize that there's an 80 in there. All right, so an 80 is made up of 64 plus 16. Great, got that, but we still need to bit shift two to the right. Well, if bit shifting left by two is multiplying by four, I certainly didn't do well in math in school, but I'm pretty confident that bit shifting right by two is probably going to do the opposite, and it's going to divide by four. And so if we look, that's exactly what we just did. We just rolled those ones two places to the right. It's that simple. Now if you find yourself rolling off the end, there's a whole other problem that begins there, right? But that's unlikely to happen in these much more simple binary math situations. That's it. So now we've got 20 as the result of this filter. Wow.

So let's go back to our original, extremely intimidating, complicated filter. The point of that filter was to view only IPv4 HTTP packets that contain a payload. And that's a tough one, right, because if somebody comes up to you and says, hey, I want you to show me HTTP packets, the first thing everyone's going to do, you know, is tcpdump -i eth0 port 80. Well, that doesn't satisfy the other part, it needs to contain a payload, right? Plus, anything could be on port 80. It doesn't have to be HTTP, it just probably is. Okay, so if we look at this again, think back to the last time you did math, order of operations. We've got it color coded here.
So what we actually did was, we looked for tcp port 80, and we need the IPv4 total length, which we got, that was 60; the TCP header length, we got that, that was 20. Those are in the first parentheses, we have to break that down, and then whatever that resulting value is, which is of course 40, we need to subtract the TCP data offset from that. That gets us down to 20. Is it not equal to zero? Right, I would generally agree that 20 does not equal zero. That brings our filter all the way down to tcp port 80 and true. Right, so true is just more of a boolean kind of keyword type here, it's not an actual tcpdump keyword that you can use. We're using it to display that tcpdump is looking at every packet and, unbelievably, you know, at the speed of traffic here, is performing all this math on every single packet that goes by, satisfying these values, doing this calculation, and seeing if it can satisfy your filter: tcp port 80, and this all has to work out to true. False, don't show it to me, right?

Fantastic. All right, so, success. At the very top again you can see that I'm using tcpdump, and just go back to one of our first slides, I use -Xnr. Remember, -r is to read a pcap, so I'm reading http.pcap, which is one I pulled from a public traffic repository. There's a lot of those out there, highly recommend using them as a playground to test these. And I did the filter we've been looking at all along, and we've got something. So if you're familiar with HTTP, you can actually see in the ASCII here, on the middle right hand column, you can actually see the GET /images/logo.png HTTP/1.1. That's definitely an HTTP payload, and so we're successful.

Do we have any questions for our speaker?

We've got, it looks like we're actually missing a slide here. Oh, let me just give you a couple resources here real quick.
So tcpdump.org is actually a fantastic resource. You know, for folks that have been around that long, I just can't believe how good of a job they've done with documentation, as is not necessarily always the case. tcpdump101.com will help you build filters like this with a GUI, right? Save yourself some time, help you play around with it, figure it out. The man pages for tcpdump and pcap-filter, fantastic. The long filter we looked at today came from the tcpdump man pages, there's even an explanation at the bottom. Right, one of the best man pages I've seen out there. If you're familiar with the Awesome projects, awesome-pcaptools, take a look at that page. I'm not just pushing it out there because I'm one of the maintainers of it, it's actually a great list. Take a look and please help, you know, if you have any tools that we're missing on there. If you felt intimidated by any of this and you're, you know, what the hell is he talking about, if you're unfamiliar with TCP SYNs and ACKs, you need to brush up on your networking. Take a look at Professor Messer on YouTube, it's a fantastic Network+ video series. You don't have to take the cert if you don't care, but just the content in the series is worth your time. I think it's only like eight hours. It's free training, right? That's right, it's free training, absolutely.
And final few pieces, some tips and tricks. A lot of people prefer Wireshark for their own reasons. It is possible to use SSH to pipe a tcpdump session back to your local host and have it display in Wireshark. Just Google that, there's a long SSH command that you can do it with. Another common thing that will come up in doing this at work is you're going to find out that, you know, there's going to be situations where this only happens when my database server sends this one weird packet at 2 a.m., ever since they did this update. You're not going to want to be there at 2 a.m., because then it's going to happen at 4 a.m. If you need to start a long standing tcpdump with a complex filter, you can actually start it with an ampersand at the end, which of course in the Unix world is going to background that session for you. If you get disconnected, even if it's backgrounded, that's still going to kill the tcpdump. You can use a command called disown to separate the command from you, and then disconnect. It'll keep running in the background. Whenever you come back in the morning and you need to kill that session and grab your pcap, you can send a signal with the kill command to that PID.

We're well over time here. Certainly appreciate everyone sticking around. If you have any questions, feel free to grab me, my Twitter handle is @404scribbles. If you have any questions, any ideas, or anything that you think I missed, certainly feel free to reach out, I'd love to chat and share ideas. Thank you.
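As an added example (not from the talk, and not tcpdump's own code), here is the filter arithmetic the speaker walked through, `tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)`, carried out in Python over constructed IPv4/TCP packets rather than a capture: the mask-and-shift on ip[0] and tcp[12], the left-to-right subtraction, and the port test. The sample packets (a GET with payload, a bare ACK, an ACK with 12 bytes of TCP options, and a 20-byte payload that reproduces the talk's 60/20/20 numbers) are built inline and are assumptions for the demo.

```python
import struct

def ipv4_tcp(payload: bytes, tcp_options: bytes = b"", dport: int = 80) -> bytes:
    """Constructed sample packet (not a capture): minimal IPv4 + TCP, no IP options."""
    assert len(tcp_options) % 4 == 0      # TCP options must pad to 32-bit words
    tcp_hdr_len = 20 + len(tcp_options)
    total_len = 20 + tcp_hdr_len + len(payload)
    # ip[0] = version 4 / IHL 5 words -> 0x45; ip[2:2] = total length; ip[9] = 6 (TCP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    # tcp[12] = data offset in 32-bit words, stored in the high nibble
    doff_words = tcp_hdr_len // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, doff_words << 4,
                      0x18, 65535, 0, 0) + tcp_options
    return ip + tcp + payload

def bpf_fields(pkt: bytes) -> dict:
    """The exact terms the filter indexes, with the mask-and-shift math spelled out."""
    ihl_bytes = (pkt[0] & 0x0F) << 2              # (ip[0]&0xf)<<2 : low nibble * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]  # ip[2:2]
    tcp = pkt[ihl_bytes:]                          # tcp[N] counts from the TCP header
    sport, dport = struct.unpack("!HH", tcp[0:4])
    doff_bytes = (tcp[12] & 0xF0) >> 2            # (tcp[12]&0xf0)>>2 : 0x50 -> 80 -> 20
    return {"proto": pkt[9], "ihl": ihl_bytes, "total_len": total_len,
            "sport": sport, "dport": dport, "doff": doff_bytes}

def payload_length(pkt: bytes) -> int:
    """(ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2), evaluated left to right."""
    f = bpf_fields(pkt)
    return (f["total_len"] - f["ihl"]) - f["doff"]

def filter_matches(pkt: bytes) -> bool:
    """tcp port 80 and (payload length != 0), the way the talk's filter evaluates."""
    f = bpf_fields(pkt)
    if f["proto"] != 6 or 80 not in (f["sport"], f["dport"]):
        return False
    return payload_length(pkt) != 0

if __name__ == "__main__":
    samples = {
        "GET with payload": ipv4_tcp(b"GET /images/logo.png HTTP/1.1\r\n\r\n"),
        "bare ACK, no options": ipv4_tcp(b""),
        "bare ACK, 12 bytes of TCP options": ipv4_tcp(b"", b"\x01\x01\x08\x0a" + b"\x00" * 8),
        "20-byte payload, the talk's 60/20/20 case": ipv4_tcp(b"A" * 20),
    }
    for name, pkt in samples.items():
        f = bpf_fields(pkt)
        print(f"{name}: total={f['total_len']} ihl={f['ihl']} doff={f['doff']} "
              f"payload={payload_length(pkt)} match={filter_matches(pkt)}")
```

The options case is the reason the tcp[12] term matters: with 12 bytes of options the high nibble becomes 8, so the shift yields 32 rather than 20, and a bare ACK still correctly evaluates to zero payload.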