I am trying to sniff the http headers by using tcpdump.
This filter works well but I can't understand it -
(((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)
I've googled it but I can't find any useful info
Here is the whole tcpdump command
sudo tcpdump -A 'dst [dest host] or src [src host] and tcp and
(((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' -i eth0
The "-r" option lets you read the output of a file. All you have to do is use the "-r" option with tcpdump command and specify the path of the file you want to read.
expression selects which packets will be dumped. If no expression is given, all packets on the net will be dumped. Otherwise, only packets for which expres sion is `true' will be dumped. ber) preceded by one or more qualifiers.
To filter on TCP and UDP ports, use the port directive. This captures both TCP and UDP traffic using the specified port either as a source or destination port. It can be combined with tcp or udp to specify the protocol, and src or dst to specify a source or destination port.
tcpdump allows you to examine the headers of the TCP/IP packets. It prints one line for each packet, and command keeps running until you press Ctrl+C to terminate. TCP Flags ( Flags [F.] ). Flags indicate the state of the connection.
It's not the BPF filter that gets http headers but the "-A" switch on your tcpdump command.
Your tcpdump command looks for tcp traffic to certain destination or from a certain source on eth0 where the final BPF filter involves a calculation that results in a non-zero total. With the "-A" option, it prints each packet in ASCII minus its link level header.
I've explained the calculation below but I believe there's some issues in the actual filter, possibly through copying and pasting. When you use these filters in tcpdump, you're using tcp bit-masking, which is typically used when examining fields that do not fall on byte boundaries
ip[2:2]
refers to the two bytes (i.e. 3rd & 4th bytes) in the IP header, beginning at byte 2 (remember it starts at offset 0). This total represents the total length of the IP packet which can be a maximum of 65535 bytes.For the bitmask here, for clarity, I've pre-pended a '0' so mask 0xf
becomes 0x0f
. The leading '0' on the mask is dropped as per the comment from GuyHarris below.
ip[0]&0x0f
refers to the second half of byte 0 (i.e. the 1st byte) in the IP header, which will give you the IP header length in 32 bit words and as such, this is typically multiplied by 4 for such a calculation.
tcp[12]&0xf0)
refers to the first half of byte 12 (i.e. the 11th byte), which is the data offset field, which specifies the size of the TCP header in 32-bit words and as such, this is typically multiplied by 4 for such a calculation.
You need to multiply the last 2 lengths by 4 because they are 32 bit/4 byte words and so need be translated to a total in bytes for the calculation to be correct
Your filter should be calculating:
and looking for that value to be zero, i.e. something like this
sudo tcpdump -A -nnpi eth0 '(ip[2:2] - ((ip[0]&0x0f)*4) - ((tcp[12]&0xf0)*4) != 0)'
When you perform the subtraction, you're looking for a non-zero total. This non-zero total means that there's data above layer 4, i.e. data in the tcp payload, typically application traffic.
You may also want to add port 80
assuming most http traffic is over port 80.
Such a filter is commonly used by security folk to detect data on a SYN, which is not normal but according to the RFCs, it is allowed. so the whole thing would look something like -
'tcp[13]=0x02 and (ip[2:2] - ((ip[0]&0x0f)*4) - ((tcp[12]&0xf0)*4) != 0)'
TCPIPGuide is a very good, free online guide on TCP/IP btw.
Updated: Modify the 'leading zero' section on the bitmask as per the update from Guy Harris.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With