Wednesday, November 25, 2009

Tcpdump filters

For those that don't know, tcpdump is a command-line packet analyzer (sniffer) that can perform live packet capture and analysis. With tcpdump you can filter the traffic so that not all of it is parsed or logged. Many programs and sniffers follow tcpdump's filter syntax because of its popularity and ease of use. Below are some examples of tcpdump filters taken from http://acs.lbl.gov/~jason/tcpdump_advanced_filters.txt:

Filtering hosts :
-----------------

- Match any traffic involving 192.168.1.1 as destination or source
# tcpdump -i eth1 host 192.168.1.1

- As source only
# tcpdump -i eth1 src host 192.168.1.1

- As destination only
# tcpdump -i eth1 dst host 192.168.1.1

- Other ways to specify a source network (netmask or CIDR prefix):
# tcpdump src net 67.207.148.0 mask 255.255.255.0
# tcpdump src net 67.207.148.0/24

Filtering ports :
-----------------
- Match any traffic involving port 25 as source or destination
# tcpdump -i eth1 port 25

- Match a range of ports (-n disables host and port name resolution)
# tcpdump -n portrange 22-23

- Source
# tcpdump -i eth1 src port 25

- Destination
# tcpdump -i eth1 dst port 25


Network filtering :
-------------------

# tcpdump -i eth1 net 192.168
# tcpdump -i eth1 src net 192.168
# tcpdump -i eth1 dst net 192.168


Protocol filtering :
--------------------

# tcpdump -i eth1 arp
# tcpdump -i eth1 ip

# tcpdump -i eth1 tcp
# tcpdump -i eth1 udp
# tcpdump -i eth1 icmp


Let's combine expressions :
---------------------------

Negation : ! or "not" (without the quotes)
Concatenate : && or "and"
Alternate : || or "or"

- This rule will match any TCP traffic on port 80 (web) with 192.168.1.254 or 192.168.1.200 as destination host
# tcpdump -i eth1 '((tcp) and (port 80) and ((dst host 192.168.1.254) or (dst host 192.168.1.200)))'

- Will match any ICMP traffic sent to the physical/MAC address 00:01:02:03:04:05
# tcpdump -i eth1 '((icmp) and ((ether dst host 00:01:02:03:04:05)))'

- Will match any TCP traffic for the destination network 192.168 except destination host 192.168.1.200
# tcpdump -i eth1 '((tcp) and ((dst net 192.168) and (not dst host 192.168.1.200)))'
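As an added example (not code from the original post or the linked resource), the POSIX shell script below assembles a combined filter from the primitives above and compiles it with `tcpdump -d` against an empty capture file, so a typo in the expression is caught before a capture is started and without needing root or a live interface. The interface eth1 comes from the post; the mail host 192.168.1.25, the local network 192.168.0.0/16 and the output file name are assumed sample values.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes tcpdump is
# installed; the interface eth1 comes from the post, while the mail host
# 192.168.1.25 and local network 192.168.0.0/16 are constructed sample values.

# Build a combined expression from the primitives shown above (tcp, port,
# dst host, src net, joined with "and"/"not"): TCP traffic to port 25 on the
# mail host that does not originate from the local network.
build_filter() {
    mailhost="$1"
    localnet="$2"
    printf '%s' "tcp and port 25 and dst host $mailhost and not src net $localnet"
}

# Write a pcap file containing only the 24-byte global header (little-endian
# magic, version 2.4, snaplen 65535, link type 1 = Ethernet). tcpdump -r can
# compile a filter against it without opening a live interface (no root needed).
write_empty_pcap() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$1"
}

# Ask tcpdump to compile the expression (-d prints the resulting BPF program).
# Returns 0 if the expression is accepted, non-zero if it is rejected.
check_filter() {
    tmp=$(mktemp) || return 1
    write_empty_pcap "$tmp"
    rc=0
    tcpdump -r "$tmp" -d "$1" >/dev/null 2>&1 || rc=$?
    rm -f "$tmp"
    return $rc
}

filter=$(build_filter 192.168.1.25 192.168.0.0/16)
if check_filter "$filter"; then
    echo "filter compiles: $filter"
    # Capture with it, writing raw packets for later analysis (commented out
    # so the script does not start a capture when run as-is):
    # tcpdump -i eth1 -n -w smtp_from_outside.pcap "$filter"
else
    echo "tcpdump rejected the filter (or is not installed): $filter" >&2
fi
```

Running `tcpdump -r empty.pcap -d 'expression'` by hand prints the compiled BPF instructions, which is also a quick way to see how and/or/not are translated.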

Resources/Good reading:
http://acs.lbl.gov/~jason/tcpdump_advanced_filters.txt
http://www.alexonlinux.com/tcpdump-for-dummies#packet_filtering
