Archive for the ‘GCIA’ Category

GCIA Gold Paper

So I’m writing my GCIA Gold paper on Network Data Visualization for Computer Network Defense. More than likely I’ll be posting some stuff regarding the research. Right now I am focusing on Open Source tools found on the DAVIX distribution. Anyone out there with some experience on the subject I would love to pick your brain.

GCIA Results

So I passed with an 88... kind of disappointed I didn’t do better, ridiculous mistakes, oh well. I had two questions that were flat out wrong and I contacted the GIAC. Enough about that, now I just need to come up with a topic for my Gold paper. Any suggestions...

GCIA

Thanks to Uncle Sam I will be taking the GCIA on the 27th of this month. Wish me luck, I doubt I will need it but I have heard that it is a ball buster. I’m pretty confident I have the material down, and I will be taking the practice tests soon so I will have a bit of time to bone up on anything that I’m lacking.

Studying for the GCIA

So I am studying for the GCIA and most of my upcoming posts will be in preparation for that. I’m studying off and on right now but I will be heading to the IAE in Nashville late next week so I should have plenty of time to kick it into high gear. I will be scheduling the challenge for late Feb. Wish me luck...

tcpdump filters

Filtering hosts :
—————–

- Any traffic involving 192.168.1.1
# tcpdump -i eth0 host 192.168.1.1

- Src only
# tcpdump -i eth0 src host 192.168.1.1

- Dest only
# tcpdump -i eth0 dst host 192.168.1.1

Filtering ports :
—————–

- Any traffic involving port 80
# tcpdump -i eth0 port 80

- Src port 80
# tcpdump -i eth0 src port 80

- Dest port 80
# tcpdump -i eth0 dst port 80

Network filtering :
——————-

# tcpdump -i eth0 net 192.168

# tcpdump -i eth0 src net 192.168

# tcpdump -i eth0 dst net 192.168

Protocol filtering :
——————–

# tcpdump -i eth0 arp

# tcpdump -i eth0 ip

# tcpdump -i eth0 tcp

# tcpdump -i eth0 udp

# tcpdump -i eth0 icmp

Putting it together :
—————————

Negation : ! or NOT

Concatenate : && or AND

Alternate : || or OR

# tcpdump -i eth0 '((tcp) and (port 25) and ((dst host 192.168.1.10) or (dst host 192.168.1.11)))'

# tcpdump -i eth0 '((icmp) and ((ether src host 01:23:45:67:89:10)))'

# tcpdump -i eth0 '((udp) and ((dst net 192.168) and (not dst host 192.168.1.1)))'

Advanced header filtering :
===========================

proto[x:y] : reads y bytes starting at byte x of the header (the first byte is byte 0). ip[2:2] therefore reads the 3rd and 4th bytes of the IP header.
proto[x:y] & z = 0 : matches when every bit selected by mask z is 0 in proto[x:y]
proto[x:y] & z != 0 : matches when at least one bit selected by mask z is set in proto[x:y]
proto[x:y] & z = z : matches when every bit selected by mask z is set in proto[x:y]
proto[x:y] = z : matches when proto[x:y] has exactly the bits of z set

Operators : >, <, >=, <=, =, !=

IP Options set?
-----------------------------

The first byte of the IP header is usually 01000101 in binary:

0100 = 4 in decimal. This is the IP version.
0101 = 5 in decimal. This is the header length in 32-bit words (5 words = 20 bytes, so anything above 5 means IP options are present).

0100 0101 : 1st byte originally
0000 1111 : mask (0x0f in hex or 15 in decimal). A 0 bit in the mask clears that bit while a 1 bit keeps it intact.
=========
0000 0101 : final result

The filter :

# tcpdump -i eth0 'ip[0] & 15 > 5'

or

# tcpdump -i eth0 'ip[0] & 0x0f > 5'

Matching datagrams with low TTL
——————————-

Find someone on the network running traceroute by using this filter on the gateway (byte 8 of the IP header is the TTL):
# tcpdump -i eth0 'ip[8] < 5'

Matching packets longer than X bytes
------------------------------------

X is 600 bytes (bytes 2 and 3 of the IP header hold the total length)

# tcpdump -i eth0 'ip[2:2] > 600'

TCP
———-

- Matching TCP traffic with source port > 1024
# tcpdump -i eth0 'tcp[0:2] > 1024'

- Matching TCP traffic with particular flag combinations

The flags are defined in the 14th byte of the TCP header (offset 13, since the first byte is 0).

- Match packets with only the SYN flag set, the 14th byte would be 00000010
# tcpdump -i eth0 'tcp[13] = 2'

- Matching SYN, ACK – 00010010
# tcpdump -i eth0 'tcp[13] = 18'

- Matching ACK – 00010000
# tcpdump -i eth0 'tcp[13] = 16'

- Matching PSH-ACK – 00011000
# tcpdump -i eth0 'tcp[13] = 24'

- Matching any combination containing FIN (bit 0)
# tcpdump -i eth0 'tcp[13] & 1 = 1'

- Matching any combination containing RST (bit 2)
# tcpdump -i eth0 'tcp[13] & 4 = 4'

Matching SMTP data :
——————–

Match any packet containing “MAIL” from SMTP

“MAIL” in hex is 0x4d41494c

# tcpdump -i eth0 '((port 25) and (tcp[20:4] = 0x4d41494c))'
This rule would not match packets with IP options set.

Matching HTTP data :
——————–

Match GET requests
The HTTP request begins with:

GET / HTTP/1.1\r\n

If no IP options are set, the GET command occupies bytes 20, 21 and 22

“GET ” in hex : 47455420

# tcpdump -i eth0 'tcp[20:4] = 0x47455420'

UDP header
———-

# tcpdump -i eth0 udp dst port 53

ICMP header
———–

Filter ICMP messages type 4 (byte 0 of the ICMP header is the type)
# tcpdump -i eth0 'icmp[0] = 4'

ICMP echo replies only, having an ID of 500 (0x1f4 in hex, at bytes 4 and 5 of the ICMP header)
# tcpdump -i eth0 '(icmp[0] = 0) and (icmp[4:2] = 0x1f4)'
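To make the byte-offset filters above concrete, here is an added Python model of them (example code written for this page, not part of tcpdump or the original post). It builds constructed IPv4/TCP packets, reads ip[x:y] and tcp[x:y] the way tcpdump does (tcp[] offsets are taken from the start of the TCP header, which sits after the IP header's ihl*4 bytes), and reports which of the page's filters each packet would satisfy. Assumed: 20-byte TCP headers without TCP options, zeroed checksums, and made-up addresses and ports.

```python
import struct

# Constructed IPv4/TCP packets (not captured traffic): a 20-byte IP header plus any
# IP options, a 20-byte TCP header with no TCP options, then the payload. Checksums
# are left at zero because only the byte offsets matter here.
def build_packet(ttl=64, flags=0x02, sport=40000, dport=25, payload=b"", ip_options=b""):
    ihl = 5 + len(ip_options) // 4                      # header length in 32-bit words
    total_len = ihl * 4 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0, ttl, 6, 0,
                         bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1])) + ip_options
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload

def ip_field(pkt, x, y=1):
    """ip[x:y]: y bytes starting at byte x of the IP header, read big-endian."""
    return int.from_bytes(pkt[x:x + y], "big")

def tcp_field(pkt, x, y=1):
    """tcp[x:y]: byte x of the TCP header, which starts ihl*4 bytes into the packet,
    so IP options shift it; tcpdump computes the same offset before indexing."""
    off = (pkt[0] & 0x0F) * 4
    return int.from_bytes(pkt[off + x:off + x + y], "big")

# The page's filters over the same byte offsets (& binds tighter than >, = in both languages).
FILTERS = {
    "ip[0] & 0x0f > 5":       lambda p: ip_field(p, 0) & 0x0F > 5,          # IP options present
    "ip[8] < 5":              lambda p: ip_field(p, 8) < 5,                 # low TTL (traceroute)
    "ip[2:2] > 600":          lambda p: ip_field(p, 2, 2) > 600,            # total length
    "tcp[0:2] > 1024":        lambda p: tcp_field(p, 0, 2) > 1024,          # high source port
    "tcp[13] = 2":            lambda p: tcp_field(p, 13) == 2,              # SYN only
    "tcp[13] = 18":           lambda p: tcp_field(p, 13) == 18,             # SYN-ACK
    "tcp[13] & 4 = 4":        lambda p: tcp_field(p, 13) & 4 == 4,          # any combination with RST
    "tcp[20:4] = 0x4d41494c": lambda p: tcp_field(p, 20, 4) == 0x4D41494C,  # "MAIL" after a 20-byte TCP header
    "tcp[20:4] = 0x47455420": lambda p: tcp_field(p, 20, 4) == 0x47455420,  # "GET " after a 20-byte TCP header
}

def matching_filters(pkt):
    """Names of the filters above that the packet would satisfy, in table order."""
    return [name for name, fn in FILTERS.items() if fn(pkt)]

if __name__ == "__main__":
    syn = build_packet(flags=0x02)
    mail = build_packet(ttl=3, flags=0x18, payload=b"MAIL FROM:<a@example.test>\r\n")
    with_opts = build_packet(flags=0x02, ip_options=b"\x01" * 4)   # four NOP options, ihl = 6
    for name, pkt in ("syn", syn), ("mail", mail), ("with_opts", with_opts):
        print(name, matching_filters(pkt))
```

The with_opts packet shows why tcp[13] is not simply packet byte 33: with four bytes of IP options the flags byte moves to offset 37, and the ihl-based offset follows it.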
