Tcpdump patterns: Difference between revisions
From TykWiki
Jump to navigationJump to search
| Line 35: | Line 35: | ||
tcpdump port 53 and 'udp[11] & 8 = 0' and 'udp[11] & 4 = 0' and 'udp[11] & 2 = 2' and 'udp[11] & 1 = 0' | tcpdump port 53 and 'udp[11] & 8 = 0' and 'udp[11] & 4 = 0' and 'udp[11] & 2 = 2' and 'udp[11] & 1 = 0' | ||
</pre> | </pre> | ||
Explanation: A bit of backgound information on UDP and DNS packets is neccesary for this: | |||
* The UDP packet header is 8 bytes and tcpdump is counting from zero, so the DNS packet header begins at "byte number 8" in tcpdump match syntax. See [http://www.ietf.org/rfc/rfc768.txt RFC768] for more on UDP packet characteristics. | |||
* According to [http://www.ietf.org/rfc/rfc1035.txt rfc1035] (section 4.1.1, page 25), the two first bytes ("number 8 and 9" in tcpdump match syntax) in the DNS header is the transaction ID. | |||
* The next two bytes ("number 10 and 11" in tcpdump match syntax) make up the flags for the DNS packet, for the purpose of matching ServFail responses I need to check the RCODE which is in the four low bits of the second of the two bytes. | |||
So: I need to check the four low bits in byte number 11. | |||
According to [http://www.ietf.org/rfc/rfc1035.txt rfc1035] (section 4.1.1, page 26), an RCODE of 2 (thats binary 0010 in the four low bits of byte 11) means ServFail. | |||
Binary xxxx0010 (meaning that I don't care what the four high bits are, I only care that the four low bits are exactly 0010) can be matched with tcpdump by using a '''bit-by-bit binary AND against a bitmask'''. This basically means: | |||
* If I wanted the third-lowest bit of byte 11 (couting from 0) to be 0 in matched packets, thats decimal 4 binary 100, I would add 'udp[11] & 4 = 0' to the tcpdump pattern. | |||
* If I wanted the fourth-lowest bit byte 11 (couting from 0) to be 1 in matched packets, thats decimal 8 binary 1000, I would add 'udp[11] & 8 = 1' to the tcpdump pattern. | |||
The pattern in the example to match ServFail responses above matches '''all four low bits in byte 11 of the UDP packet, and makes sure they are exactly 0010'''. | |||
== Links == | |||
See [http://acs.lbl.gov/~jason/tcpdump_advanced_filters.txt this page] for much more on bit matching with tcpdump. | |||
Revision as of 13:25, 2 August 2009
On http://danielmiessler.com/study/tcpdump_recipes/ I found this nice list:
Show me all URG packets: # tcpdump 'tcp[13] & 32 != 0' Show me all ACK packets: # tcpdump 'tcp[13] & 16 != 0' Show me all PSH packets: # tcpdump 'tcp[13] & 8 != 0' Show me all RST packets: # tcpdump 'tcp[13] & 4 != 0' Show me all SYN packets: # tcpdump 'tcp[13] & 2 != 0' Show me all FIN packets: # tcpdump 'tcp[13] & 1 != 0' Show me all SYN-ACK packets: # tcpdump 'tcp[13] = 18'
Matching DNS Traffic
To show incoming nsupdate queries run the following:
tcpdump port 53 and 'udp[10] = 0x28'
To show ServFail replies run the following:
tcpdump port 53 and 'udp[11] & 8 = 0' and 'udp[11] & 4 = 0' and 'udp[11] & 2 = 2' and 'udp[11] & 1 = 0'
Explanation: A bit of backgound information on UDP and DNS packets is neccesary for this:
- The UDP packet header is 8 bytes and tcpdump is counting from zero, so the DNS packet header begins at "byte number 8" in tcpdump match syntax. See RFC768 for more on UDP packet characteristics.
- According to rfc1035 (section 4.1.1, page 25), the two first bytes ("number 8 and 9" in tcpdump match syntax) in the DNS header is the transaction ID.
- The next two bytes ("number 10 and 11" in tcpdump match syntax) make up the flags for the DNS packet, for the purpose of matching ServFail responses I need to check the RCODE which is in the four low bits of the second of the two bytes.
So: I need to check the four low bits in byte number 11.
According to rfc1035 (section 4.1.1, page 26), an RCODE of 2 (thats binary 0010 in the four low bits of byte 11) means ServFail.
Binary xxxx0010 (meaning that I don't care what the four high bits are, I only care that the four low bits are exactly 0010) can be matched with tcpdump by using a bit-by-bit binary AND against a bitmask. This basically means:
- If I wanted the third-lowest bit of byte 11 (couting from 0) to be 0 in matched packets, thats decimal 4 binary 100, I would add 'udp[11] & 4 = 0' to the tcpdump pattern.
- If I wanted the fourth-lowest bit byte 11 (couting from 0) to be 1 in matched packets, thats decimal 8 binary 1000, I would add 'udp[11] & 8 = 1' to the tcpdump pattern.
The pattern in the example to match ServFail responses above matches all four low bits in byte 11 of the UDP packet, and makes sure they are exactly 0010.
Links
See this page for much more on bit matching with tcpdump.
