Filtering hosts:
----------------
- Any traffic involving 192.168.1.1
# tcpdump -i eth0 host 192.168.1.1
- Src only
# tcpdump -i eth0 src host 192.168.1.1
- Dest only
# tcpdump -i eth0 dst host 192.168.1.1
Filtering ports:
----------------
- Any traffic involving port 80
# tcpdump -i eth0 port 80
- Src port 80
# tcpdump -i eth0 src port 80
- Dest port 80
# tcpdump -i eth0 dst port 80
Network filtering:
------------------
# tcpdump -i eth0 net 192.168
# tcpdump -i eth0 src net 192.168
# tcpdump -i eth0 dst net 192.168
Protocol filtering:
-------------------
# tcpdump -i eth0 arp
# tcpdump -i eth0 ip
# tcpdump -i eth0 tcp
# tcpdump -i eth0 udp
# tcpdump -i eth0 icmp
Putting it together:
--------------------
Negation: ! or not
Concatenate: && or and
Alternate: || or or
The keywords are lowercase; the filter parser does not accept NOT/AND/OR. Quote the whole expression so the shell does not interpret the parentheses.
# tcpdump -i eth0 '((tcp) and (port 25) and ((dst host 192.168.1.10) or (dst host 192.168.1.11)))'
# tcpdump -i eth0 '((icmp) and ((ether src host 01:23:45:67:89:10)))'
# tcpdump -i eth0 '((udp) and ((dst net 192.168) and (not dst host 192.168.1.1)))'
Advanced header filtering:
==========================
proto[x:y]: reads y bytes of the proto header starting at byte offset x (offsets start at 0). ip[2:2] therefore reads the 3rd and 4th bytes of the IP header, i.e. the total length field. y can be 1, 2 or 4 and defaults to 1, so ip[8] is the single TTL byte.
proto[x:y] & z = 0: none of the bits selected by mask z are set in proto[x:y]
proto[x:y] & z != 0: at least one of the bits selected by mask z is set
proto[x:y] & z = z: every bit selected by mask z is set
proto[x:y] = z: proto[x:y] is exactly z, no more and no fewer bits set
Relational operators: >, <, >=, <=, =, !=
Offsets are relative to the start of the named header: tcp[13] is byte 13 of the TCP header wherever that header starts, because the filter compiler adds the IP header length (IHL) for you.
IP options set?
---------------
The first byte of the IP header is usually 01000101 (0x45) in binary:
0100 = 4 in decimal. This is the IP version.
0101 = 5 in decimal. This is the IHL, the header length in 32-bit words; 5 words = 20 bytes = a header without options.
Mask off the version nibble and keep the IHL:
0100 0101 : 1st byte originally
0000 1111 : mask (0x0f in hex or 15 in decimal). A 0 bit clears the value while a 1 bit keeps it intact.
=========
0000 0101 : final result, 5. Anything greater than 5 means the header is longer than 20 bytes, so options are present.
The filter:
# tcpdump -i eth0 'ip[0] & 15 > 5'
or
# tcpdump -i eth0 'ip[0] & 0x0f > 5'
Matching datagrams with low TTL
-------------------------------
Traceroute sends probes with TTL 1, 2, 3, ... while normal traffic leaves a host with an initial TTL of 64, 128 or 255, so someone running traceroute on the network shows up on the gateway with this filter:
# tcpdump -i eth0 'ip[8] < 5'
Matching packets longer than X bytes
------------------------------------
ip[2:2] is the IPv4 total length field (header plus payload). Here X is 600 bytes:
# tcpdump -i eth0 'ip[2:2] > 600'
TCP
---
- Matching TCP traffic with source port > 1024
# tcpdump -i eth0 'tcp[0:2] > 1024'
- Matching TCP traffic with particular flag combinations
The flags live in the 14th byte of the TCP header, offset 13 counting from 0. From the least significant bit: FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32; the two high bits are ECE and CWR.
- Match packets with only the SYN flag set, the 14th byte would be 00000010
# tcpdump -i eth0 'tcp[13] = 2'
- Matching SYN, ACK - 00010010
# tcpdump -i eth0 'tcp[13] = 18'
- Matching ACK - 00010000
# tcpdump -i eth0 'tcp[13] = 16'
- Matching PSH, ACK - 00011000
# tcpdump -i eth0 'tcp[13] = 24'
- Matching any combination containing FIN
# tcpdump -i eth0 'tcp[13] & 1 = 1'
- Matching any combination containing RST
# tcpdump -i eth0 'tcp[13] & 4 = 4'
Using = tests the whole flag byte, so the SYN-only filter above misses a SYN that also carries ECE and CWR (ECN negotiation); use the mask form, as for FIN and RST, when only the presence of a flag matters.
Matching SMTP data:
-------------------
Match SMTP packets whose payload starts with "MAIL" (the MAIL FROM command)
"MAIL" in hex is 0x4d41494c
# tcpdump -i eth0 '((port 25) and (tcp[20:4] = 0x4d41494c))'
tcp[20:4] is the first 4 bytes after a 20-byte TCP header, so this only matches when the TCP header carries no options. IP options do not matter here: tcp[] offsets count from the start of the TCP header, which the filter compiler locates using the IP header length. When TCP options are present (common, since timestamps are usually negotiated), the payload starts later and this rule misses it.
Matching HTTP data:
-------------------
Match GET requests
The HTTP request will begin with:
GET / HTTP/1.1\r\n
If the TCP header has no options, the payload begins at TCP offset 20, so "GET " (with the trailing space) occupies bytes 20, 21, 22 and 23.
"GET " in hex: 0x47455420
# tcpdump -i eth0 'tcp[20:4] = 0x47455420'
The same TCP options caveat as for SMTP applies: a request whose TCP header carries options starts its payload past offset 20 and is not matched.
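As an added example (not from the original cheat sheet), the Python below reproduces how the filter compiler resolves ip[x:y] and tcp[x:y] and evaluates the filters from the advanced header, TCP flag, SMTP and HTTP sections over hand-built packets. It shows the two things the offsets alone do not: IP options never shift a tcp[] offset, and TCP options do shift the payload, so tcp[20:4] misses a request that carries them while the data-offset-aware form tcp[((tcp[12] & 0xf0) >> 2):4], which tcpdump accepts verbatim, still matches. The packet builder, the predicate names and the sample payloads are this example's own constructions; nothing is captured from a network.

```python
"""Evaluate tcpdump-style byte-offset filters against constructed IPv4/TCP packets.

Added example: mirrors how libpcap resolves ip[x:y] (relative to the IPv4
header) and tcp[x:y] (relative to the TCP header, found via the IHL nibble).
"""
import struct

GET_MAGIC = 0x47455420   # "GET " as the cheat sheet writes it: tcp[...:4] = 0x47455420
MAIL_MAGIC = 0x4d41494c  # "MAIL"


def build_ipv4_tcp(payload, *, src_port=40000, dst_port=80, ttl=64, flags=0x18,
                   ip_options=b"", tcp_options=b""):
    """Constructed packet: IPv4 header (+options) | TCP header (+options) | payload.
    Options are padded to a 4-byte boundary; checksums stay 0 because none of
    the filters on this page look at them. Addresses are made up."""
    ip_options += b"\x00" * (-len(ip_options) % 4)
    tcp_options += b"\x00" * (-len(tcp_options) % 4)
    ihl = 5 + len(ip_options) // 4     # IP header length in 32-bit words
    doff = 5 + len(tcp_options) // 4   # TCP data offset in 32-bit words
    total_len = ihl * 4 + doff * 4 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0x1234,
                         0x4000, ttl, 6, 0, bytes([192, 168, 1, 10]),
                         bytes([192, 168, 1, 1])) + ip_options
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, doff << 4,
                          flags, 65535, 0, 0) + tcp_options
    return ip_hdr + tcp_hdr + payload


def ip_field(pkt, off, size=1):
    """ip[off:size]: offset relative to the start of the IPv4 header, big-endian."""
    return int.from_bytes(pkt[off:off + size], "big")


def tcp_field(pkt, off, size=1):
    """tcp[off:size]: libpcap first adds (ip[0] & 0x0f) * 4, so IP options
    never shift TCP offsets."""
    base = (pkt[0] & 0x0f) * 4
    return int.from_bytes(pkt[base + off:base + off + size], "big")


# The cheat sheet's filters, one predicate each.
def ip_has_options(pkt):        # 'ip[0] & 0x0f > 5'
    return (ip_field(pkt, 0) & 0x0f) > 5

def low_ttl(pkt):               # 'ip[8] < 5'
    return ip_field(pkt, 8) < 5

def total_length(pkt):          # 'ip[2:2]'
    return ip_field(pkt, 2, 2)

def tcp_flags(pkt):             # 'tcp[13]'
    return tcp_field(pkt, 13)

def syn_only(pkt):              # 'tcp[13] = 2'
    return tcp_flags(pkt) == 2

def has_rst(pkt):               # 'tcp[13] & 4 = 4'
    return (tcp_flags(pkt) & 4) == 4

def payload_word_fixed(pkt):    # 'tcp[20:4]': assumes a 20-byte TCP header
    return tcp_field(pkt, 20, 4)

def payload_word(pkt):
    """'tcp[((tcp[12] & 0xf0) >> 2):4]': data offset * 4 bytes into the TCP
    header, so the payload is found even when TCP options are present."""
    return tcp_field(pkt, (tcp_field(pkt, 12) & 0xf0) >> 2, 4)


# Constructed samples.
PLAIN_GET = build_ipv4_tcp(b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")
# Same request with 4 bytes of IP options (NOP NOP NOP EOL), 12 bytes of TCP
# options (NOP NOP timestamp) and a traceroute-like TTL of 3.
TRICKY_GET = build_ipv4_tcp(b"GET / HTTP/1.1\r\n", ttl=3,
                            ip_options=b"\x01\x01\x01\x00",
                            tcp_options=b"\x01\x01\x08\x0a" + b"\x00" * 8)
SMTP_MAIL = build_ipv4_tcp(b"MAIL FROM:<a@example>\r\n", dst_port=25)
SYN = build_ipv4_tcp(b"", flags=0x02)

if __name__ == "__main__":
    for name, pkt in [("PLAIN_GET", PLAIN_GET), ("TRICKY_GET", TRICKY_GET)]:
        print(name, "ip options:", ip_has_options(pkt), "ttl<5:", low_ttl(pkt),
              "tcp[20:4]==GET:", payload_word_fixed(pkt) == GET_MAGIC,
              "doff-aware==GET:", payload_word(pkt) == GET_MAGIC)
```

Run it directly to print the comparison. The `(tcp[12] & 0xf0) >> 2` form is the same arithmetic the tcpdump manual uses in its own example for selecting HTTP segments that actually carry data, and it is the filter to reach for whenever a payload match must survive TCP options.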
UDP header
----------
# tcpdump -i eth0 udp dst port 53
ICMP header
-----------
Filter ICMP messages of type 4 (source quench); icmp[0] is the type byte
# tcpdump -i eth0 'icmp[0] = 4'
ICMP echo replies only (type 0) with an identifier of 500 (0x1f4); icmp[4:2] is the identifier field of echo request/reply messages
# tcpdump -i eth0 '(icmp[0] = 0) and (icmp[4:2] = 0x1f4)'