tcpdump mailing list archives
Re: understanding filtering
From: George Bakos <gbakos () ists dartmouth edu>
Date: Tue, 17 Dec 2002 11:56:47 -0500
Actually, you can calculate the offset of the TCP payload by examining tcp[12] and adjusting accordingly. The following filter will match on the string "QUIT" regardless of TCP options length:

    tcp[((tcp[12] & 0xf0) / 4):4] = 0x51554954

You need to first mask off the low-order nibble and then bit-shift the result (divide by 16), then multiply that by 4 (bytes per word) to arrive at the actual data offset.

Cheers!

On Mon, 16 Dec 2002 22:39:11 -0800 Guy Harris <guy () netapp com> wrote:
On Mon, Dec 16, 2002 at 08:45:46PM -0500, Sam Carleton wrote:

> My first exposure to pcap was through the program snort. Being a C/C++ Windows programmer, I would like to have a bit more control over the info I would like to capture. Thus I am now looking into pcap as the engine for my packet capture program. The only thing I am scratching my head about is the filtering. I need to filter based on content, the first two bytes of the packet, not the addr or even port. Can I create a rule for pcap that will filter based on content?

Yes:

    hostname$ man tcpdump
    TCPDUMP(1)                   User Commands                   TCPDUMP(1)

    NAME
           tcpdump - dump traffic on a network
    ...
           expression selects which packets will be dumped. If no expression
           is given, all packets on the net will be dumped. Otherwise, only
           packets for which expression is `true' will be dumped.

           The expression consists of one or more primitives.
    ...
           In addition to the above, there are some special `primitive'
           keywords that don't follow the pattern: gateway, broadcast, less,
           greater and arithmetic expressions. All of these are described
           below.

           More complex filter expressions are built up by using the words
           and, or and not to combine primitives. E.g., `host foo and not
           port ftp and not port ftp-data'. To save typing, identical
           qualifier lists can be omitted. E.g., `tcp dst port ftp or
           ftp-data or domain' is exactly the same as `tcp dst port ftp or
           tcp dst port ftp-data or tcp dst port domain'.

           Allowable primitives are:
    ...
           expr relop expr
                  True if the relation holds, where relop is one of >, <,
                  >=, <=, =, !=, and expr is an arithmetic expression
                  composed of integer constants (expressed in standard C
                  syntax), the normal binary operators [+, -, *, /, &, |],
                  a length operator, and special packet data accessors. To
                  access data inside the packet, use the following syntax:

                       proto [ expr : size ]

                  Proto is one of ether, fddi, ip, arp, rarp, tcp, udp, or
                  icmp, and indicates the protocol layer for the index
                  operation. The byte offset, relative to the indicated
                  protocol layer, is given by expr. Size is optional and
                  indicates the number of bytes in the field of interest;
                  it can be either one, two, or four, and defaults to one.
                  The length operator, indicated by the keyword len, gives
                  the length of the packet.

                  For example, `ether[0] & 1 != 0' catches all multicast
                  traffic. The expression `ip[0] & 0xf != 5' catches all IP
                  packets with options. The expression `ip[6:2] & 0x1fff =
                  0' catches only unfragmented datagrams and frag zero of
                  fragmented datagrams. This check is implicitly applied to
                  the tcp and udp index operations. For instance, tcp[0]
                  always means the first byte of the TCP header, and never
                  means the first byte of an intervening fragment.

so as long as you're testing bytes at *fixed offset* from the beginning of the link-layer (e.g., Ethernet), network layer (e.g., IP), or transport layer (e.g., TCP) header, the libpcap filter syntax can handle it.

Note, however, that the length of the TCP header is not necessarily fixed length, as it might have options, so if you want to, for example, filter based on the content of the TCP payload *and* you want it to handle TCP packets with options, you'd have to construct the BPF filter code yourself.

> The other thing I need a bit of help with is the flags. I understand the basics, but I have never done any heavy duty IP programming. The snort rule I have contains "flags:AP+". From looking at the snort docs, that means ACK, PSH, and "ALL flag, match on all specified flags plus any others". Would not simply have a + get the same thing done?

That is not a valid libpcap filter expression.

With older versions of libpcap, you would have to test the appropriate byte of the TCP header by hand; see RFC 793 to see what byte, and what bits, that is.

With newer versions of libpcap, you can test some bits by name:

                  Some offsets and field values may be expressed as names
                  rather than as numeric values. The following protocol
                  header field offsets are available: icmptype (ICMP type
                  field), icmpcode (ICMP code field), and tcpflags (TCP
                  flags field).
    ...
                  The following TCP flags field values are available:
                  tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-push, tcp-ack,
                  tcp-urg.
    ...
    EXAMPLES
           To print the start and end packets (the SYN and FIN packets) of
           each TCP conversation that involves a non-local host.

                  tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'

If you want that on Windows, you'd need, I think, WinPcap 3.0 alpha - I think 2.3 was based on a version of libpcap that didn't have those symbolic names.

-
This is the TCPDUMP workers list.
It is archived at http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
--
George Bakos
Institute for Security Technology Studies
Dartmouth College
gbakos () ists dartmouth edu
voice 603-646-0665    fax 603-646-0666
Key fingerprint = D646 8F91 F795 27EC FF8B 8C95 B102 9EB2 081E CB85
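As an added illustration (not part of George Bakos's or Guy Harris's messages, and not tcpdump or libpcap code), the following Python script builds two constructed TCP segments, one with no options and one with an 8-byte options block, and evaluates the same arithmetic the filter `tcp[((tcp[12] & 0xf0) / 4):4] = 0x51554954` performs: mask the data-offset nibble out of byte 12, scale it to a byte count, and compare the four payload bytes at that position. It also evaluates a fixed-offset test (`tcp[20:4]`) to show why that form breaks once options are present, and the `tcp[tcpflags] & (tcp-syn|tcp-fin) != 0` test from the man page. Port numbers, option bytes and payloads are constructed samples, and `build_tcp`, `payload_offset`, `matches_quit`, `fixed_offset_match` and `syn_or_fin` are names chosen here, not libpcap APIs.

```python
import struct

# TCP flag bits as they sit in header byte 13 (the byte tcpdump names tcp[tcpflags]).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PUSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Constructed 8-byte options block: MSS 1460 (kind 2, len 4), NOP, NOP, SACK-permitted (kind 4, len 2).
SAMPLE_OPTIONS = b"\x02\x04\x05\xb4\x01\x01\x04\x02"

# The filter's 32-bit constant is simply the ASCII bytes of "QUIT", big-endian.
QUIT_WORD = 0x51554954


def build_tcp(flags, options=b"", payload=b""):
    """Build a constructed TCP segment (header + options + payload) with a correct data offset."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a 4-byte boundary")
    header_len = 20 + len(options)
    data_offset_words = header_len // 4          # header length in 32-bit words
    offset_byte = (data_offset_words << 4) & 0xF0  # high nibble of byte 12; reserved bits stay zero
    header = struct.pack(
        "!HHIIBBHHH",
        1234,         # source port (constructed)
        21,           # destination port (constructed, FTP control)
        0, 0,         # sequence / acknowledgement numbers
        offset_byte,  # byte 12: data offset << 4
        flags,        # byte 13: flags
        8192,         # window
        0, 0,         # checksum (left zero here), urgent pointer
    )
    return header + options + payload


def payload_offset(tcp):
    """Same arithmetic as the filter: (tcp[12] & 0xf0) / 4.

    The masked byte is data_offset * 16; dividing by 4 gives data_offset * 4,
    i.e. the header length in bytes, which is where the payload starts.
    """
    return (tcp[12] & 0xF0) // 4


def matches_quit(tcp):
    """Equivalent of tcp[((tcp[12] & 0xf0) / 4):4] = 0x51554954, options-aware."""
    off = payload_offset(tcp)
    if len(tcp) < off + 4:
        # BPF rejects a packet when an indexed load runs past its end, so treat as no match.
        return False
    return struct.unpack("!I", tcp[off:off + 4])[0] == QUIT_WORD


def fixed_offset_match(tcp):
    """Equivalent of tcp[20:4] = 0x51554954: assumes a 20-byte header with no options."""
    if len(tcp) < 24:
        return False
    return struct.unpack("!I", tcp[20:24])[0] == QUIT_WORD


def syn_or_fin(tcp):
    """Equivalent of tcp[tcpflags] & (tcp-syn|tcp-fin) != 0."""
    return (tcp[13] & (TCP_SYN | TCP_FIN)) != 0


def demo():
    """Evaluate both filter forms over constructed segments with and without options."""
    plain = build_tcp(TCP_ACK | TCP_PUSH, payload=b"QUIT\r\n")
    with_opts = build_tcp(TCP_ACK | TCP_PUSH, options=SAMPLE_OPTIONS, payload=b"QUIT\r\n")
    return {
        "plain_offset": payload_offset(plain),          # 20
        "opts_offset": payload_offset(with_opts),       # 28
        "plain_dynamic": matches_quit(plain),           # True
        "opts_dynamic": matches_quit(with_opts),        # True
        "plain_fixed": fixed_offset_match(plain),       # True
        "opts_fixed": fixed_offset_match(with_opts),    # False: tcp[20:4] reads option bytes
        "syn_flagged": syn_or_fin(build_tcp(TCP_SYN)),  # True
        "ack_only_flagged": syn_or_fin(plain),          # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>18}: {value}")
```

The `opts_fixed` entry is the failure mode Guy Harris describes: with options present, `tcp[20:4]` lands on the MSS option rather than on the payload, so a fixed-offset content filter silently misses those segments, while the data-offset arithmetic in George Bakos's filter still finds "QUIT" at byte 28.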
Current thread:
- understanding filtering Sam Carleton (Dec 16)
- Re: understanding filtering Guy Harris (Dec 16)
- Re: understanding filtering Andrew Brown (Dec 17)
- Re: understanding filtering George Bakos (Dec 17)
- releases (was Re: understanding filtering ) Michael Richardson (Dec 17)
- Re: releases (was Re: understanding filtering ) Guy Harris (Dec 17)
- questions perf about tcpdump->libpcap->freebsd rmkml (Dec 17)
- Re: understanding filtering Guy Harris (Dec 16)