tcpdump mailing list archives

Re: understanding filtering


From: Guy Harris <guy () netapp com>
Date: Mon, 16 Dec 2002 22:39:11 -0800

On Mon, Dec 16, 2002 at 08:45:46PM -0500, Sam Carleton wrote:
> My first exposure to pcap was through the program snort.  Being a C/C++
> Windows programmer, I would like to have a bit more control over the info
> I would like to capture.  Thus I am now looking into pcap as the engine
> for my packet capture program.
>
> The only thing I am scratching my head about is the filtering.  I need to
> filter based on content, the first two bytes of the packet, not the addr
> or even port.  Can I create a rule for pcap that will filter based on
> content?

Yes:

hostname$ man tcpdump

TCPDUMP(1)                User Commands                TCPDUMP(1)

NAME
     tcpdump - dump traffic on a network

        ...

      expression
          selects which packets will be dumped.  If no expression
          is  given, all packets on the net will be dumped.  Oth-
          erwise, only packets for  which  expression  is  `true'
          will be dumped.

          The expression consists  of  one  or  more  primitives.

                ...

          In addition to the above, there are some special `prim-
          itive'  keywords  that don't follow the pattern:  gate-
          way, broadcast, less, greater  and  arithmetic  expres-
          sions.  All of these are described below.

          More complex filter expressions are built up  by  using
          the words and, or and not to combine primitives.  E.g.,
          `host foo and not port ftp and not port ftp-data'.   To
          save  typing, identical qualifier lists can be omitted.
          E.g., `tcp dst port  ftp  or  ftp-data  or  domain'  is
          exactly  the  same as `tcp dst port ftp or tcp dst port
          ftp-data or tcp dst port domain'.

          Allowable primitives are:

                ...

          expr relop expr
               True if the relation holds, where relop is one  of
               >,  <,  >=,  <=,  =, !=, and expr is an arithmetic
               expression   composed   of    integer    constants
               (expressed  in  standard  C  syntax),  the  normal
               binary operators [+, -, *,  /,  &,  |],  a  length
               operator,  and  special packet data accessors.  To
               access data inside the packet, use  the  following
               syntax:
                    proto [ expr : size ]
               Proto is one of ether, fddi, ip, arp,  rarp,  tcp,
               udp, or icmp, and indicates the protocol layer for
               the index operation.  The byte offset, relative to
               the  indicated  protocol  layer, is given by expr.
               Size is optional and indicates the number of bytes
               in  the  field  of interest; it can be either one,
               two, or four, and defaults  to  one.   The  length
               operator,  indicated by the keyword len, gives the
               length of the packet.

               For example, `ether[0] & 1 != 0' catches all  mul-
               ticast traffic.  The expression `ip[0] & 0xf != 5'
               catches all IP packets with options.  The  expres-
               sion  `ip[6:2]  & 0x1fff = 0' catches only unfrag-
               mented  datagrams  and  frag  zero  of  fragmented
               datagrams.   This  check  is implicitly applied to
               the tcp and udp index operations.   For  instance,
               tcp[0]  always  means  the  first  byte of the TCP
               header, and never  means  the  first  byte  of  an
               intervening fragment.

so as long as you're testing bytes at a *fixed offset* from the beginning
of the link-layer (e.g., Ethernet), network layer (e.g., IP), or
transport layer (e.g., TCP) header, the libpcap filter syntax can handle
it.

Note, however, that the TCP header is not necessarily of fixed length,
as it might have options, so if you want to, for example, filter based
on the content of the TCP payload *and* you want it to handle TCP
packets with options, you'd have to construct the BPF filter code
yourself.

> The other thing I need a bit of help with is the flags.  I understand the
> basics, but I have never done any heavy duty IP programming.  The snort
> rule I have contains "flags:AP+".  From looking at the snort docs, that
> means ACK, PSH, and "ALL flag, match on all specified flags plus any
> others".  Would not simply having a + get the same thing done?

That is not a valid libpcap filter expression.

With older versions of libpcap, you would have to test the appropriate
byte of the TCP header by hand; see RFC 793 to see what byte, and what
bits, that is.

With newer versions of libpcap, you can test some bits by name:

               Some offsets and field values may be expressed  as
               names  rather than as numeric values.  The follow-
               ing protocol header field offsets  are  available:
               icmptype  (ICMP  type  field), icmpcode (ICMP code
               field), and tcpflags (TCP flags field).

                        ...

               The following TCP flags field  values  are  avail-
               able:  tcp-fin,  tcp-syn,  tcp-rst, tcp-push, tcp-
               ack, tcp-urg.

                        ...

EXAMPLES

     To print the start and end packets (the SYN and FIN packets)
     of each TCP conversation that involves a non-local host.
          tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'

If you want that on Windows, you'd need, I think, WinPcap 3.0 alpha - I
think 2.3 was based on a version of libpcap that didn't have those
symbolic names.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
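The offset rules quoted from the man page above, worked through on constructed packets as an added example; this is not code from the message, from libpcap or from tcpdump. It re-implements the `ether[...]`, `ip[...]` and `tcp[...]` accessor semantics in Python (assuming an Ethernet link layer, so the IP header starts 14 bytes into the frame, and frames built with `struct` rather than captured) so three things can be seen without a capture interface: the implicit fragment-zero check on `tcp[]`, why a fixed `tcp[20:2]` test reads option bytes once the TCP header carries options while a test that follows the data-offset field does not, and how the Snort `flags:AP+` and plain `flags:AP` tests map onto `tcp[tcpflags]`. Since the man page grammar allows an arithmetic expression as the index, the data-offset test corresponds to the filter `tcp[((tcp[12]&0xf0)>>2):2] = 0x4745`, and the AP+ test to `tcp[tcpflags] & (tcp-ack|tcp-push) = (tcp-ack|tcp-push)`.

```python
"""
Worked evaluation of tcpdump/libpcap packet-data accessors over constructed
Ethernet/IPv4/TCP frames (example added for this thread; not code from the
message, from libpcap or from tcpdump).

Assumptions: DLT_EN10MB, so the IP header starts 14 bytes into the frame;
packets are built here with struct, not captured.
"""
import struct

# TCP flag bits as tcpdump names them (RFC 793 bit positions)
TCP_FIN, TCP_SYN, TCP_RST, TCP_PUSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCPFLAGS = 13                       # tcp[tcpflags]: offset of the flags byte
MSS_OPTION = b"\x02\x04\x05\xb4"    # one 4-byte TCP option (MSS 1460), constructed
IP_NOPS = b"\x01\x01\x01\x01"       # four IPv4 NOP options (one 32-bit word), constructed
ETH_HDR_LEN = 14


def build_packet(payload, tcp_options=b"", flags=TCP_ACK | TCP_PUSH,
                 ip_options=b"", frag_off=0):
    """Constructed Ethernet/IPv4/TCP frame; checksums left zero on purpose."""
    assert len(tcp_options) % 4 == 0 and len(ip_options) % 4 == 0
    ihl = 5 + len(ip_options) // 4                  # IP header length in words
    doff = 5 + len(tcp_options) // 4                # TCP data offset in words
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, doff << 4, flags,
                      8192, 0, 0) + tcp_options + payload
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(tcp),
                     0x1234, frag_off, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


class Accessor:
    """ether[off:size], ip[off:size], tcp[off:size] with the man page's offset rules."""

    def __init__(self, pkt):
        self.pkt = pkt
        self.ip_start = ETH_HDR_LEN
        # IP options move the transport header; the filter engine follows the IHL field
        self.tcp_start = self.ip_start + (pkt[self.ip_start] & 0x0f) * 4

    def _word(self, start, size):
        return int.from_bytes(self.pkt[start:start + size], "big")

    def ether(self, off, size=1):
        return self._word(off, size)

    def ip(self, off, size=1):
        return self._word(self.ip_start + off, size)

    def tcp(self, off, size=1):
        # Implicit qualifier: protocol must be TCP and the datagram must be
        # fragment zero (ip[6:2] & 0x1fff = 0); otherwise the primitive is false.
        if self.ip(9) != 6 or self.ip(6, 2) & 0x1fff != 0:
            return None
        return self._word(self.tcp_start + off, size)


def is_multicast(pkt):
    """ether[0] & 1 != 0"""
    return (Accessor(pkt).ether(0) & 1) != 0


def has_ip_options(pkt):
    """ip[0] & 0xf != 5"""
    return (Accessor(pkt).ip(0) & 0xf) != 5


def flags_ap_plus(pkt):
    """Snort flags:AP+  ==  tcp[tcpflags] & (tcp-ack|tcp-push) = (tcp-ack|tcp-push)"""
    v = Accessor(pkt).tcp(TCPFLAGS)
    return v is not None and (v & (TCP_ACK | TCP_PUSH)) == (TCP_ACK | TCP_PUSH)


def flags_ap_exact(pkt):
    """Snort flags:AP (no '+')  ==  tcp[tcpflags] = (tcp-ack|tcp-push)"""
    return Accessor(pkt).tcp(TCPFLAGS) == (TCP_ACK | TCP_PUSH)


def payload_word_fixed(pkt, word):
    """tcp[20:2] = word: assumes a 20-byte TCP header, so it reads option bytes when present."""
    return Accessor(pkt).tcp(20, 2) == word


def payload_word(pkt, word):
    """tcp[((tcp[12]&0xf0)>>2):2] = word: follows the data offset, so options are skipped."""
    a = Accessor(pkt)
    doff_byte = a.tcp(12)
    return doff_byte is not None and a.tcp((doff_byte & 0xf0) >> 2, 2) == word


if __name__ == "__main__":
    GE = 0x4745                                     # first two bytes of "GET "
    cases = {
        "plain":       build_packet(b"GET / HTTP/1.0\r\n"),
        "tcp options": build_packet(b"GET / HTTP/1.0\r\n", tcp_options=MSS_OPTION),
        "ip+tcp opts": build_packet(b"GET / HTTP/1.0\r\n", tcp_options=MSS_OPTION, ip_options=IP_NOPS),
        "ack only":    build_packet(b"GET / HTTP/1.0\r\n", flags=TCP_ACK),
        "fragment 1":  build_packet(b"GET / HTTP/1.0\r\n", frag_off=1),
    }
    for name, pkt in cases.items():
        print(f"{name:12} fixed={payload_word_fixed(pkt, GE)!s:5} "
              f"doff={payload_word(pkt, GE)!s:5} AP+={flags_ap_plus(pkt)!s:5} "
              f"ipopts={has_ip_options(pkt)}")
```

The "tcp options" row is the case the reply warns about: `tcp[20:2]` lands on the MSS option bytes (0x0204) and misses the payload, while the data-offset form still finds "GE". The "fragment 1" row shows the implicit fragment check turning every `tcp[]` primitive false on a non-first fragment, so a payload signature on such a packet has to be matched after reassembly, not by the filter.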