Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Understanding Tcpdump filter & bit-masking

I am trying to sniff the http headers by using tcpdump.

This filter works well but I can't understand it -

(((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)

I've googled it but I can't find any useful info

Here is the whole tcpdump command

sudo tcpdump -A 'dst [dest host] or src [src host]  and tcp  and 
(((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' -i eth0
like image 848
kingasmk Avatar asked Aug 01 '12 10:08

kingasmk


People also ask

How do I read tcpdump results?

The "-r" option lets you read the output of a file. All you have to do is use the "-r" option with tcpdump command and specify the path of the file you want to read.

What is tcpdump filter?

expression selects which packets will be dumped. If no expression is given, all packets on the net will be dumped. Otherwise, only packets for which expres sion is `true' will be dumped. ber) preceded by one or more qualifiers.

How do I filter IP tcpdump?

To filter on TCP and UDP ports, use the port directive. This captures both TCP and UDP traffic using the specified port either as a source or destination port. It can be combined with tcp or udp to specify the protocol, and src or dst to specify a source or destination port.

How do I Analyse a tcpdump file?

tcpdump allows you to examine the headers of the TCP/IP packets. It prints one line for each packet, and command keeps running until you press Ctrl+C to terminate. TCP Flags ( Flags [F.] ). Flags indicate the state of the connection.


1 Answers

It's not the BPF filter that gets http headers but the "-A" switch on your tcpdump command.

Your tcpdump command looks for tcp traffic to certain destination or from a certain source on eth0 where the final BPF filter involves a calculation that results in a non-zero total. With the "-A" option, it prints each packet in ASCII minus its link level header.

I've explained the calculation below but I believe there's some issues in the actual filter, possibly through copying and pasting. When you use these filters in tcpdump, you're using tcp bit-masking, which is typically used when examining fields that do not fall on byte boundaries

  • ip[2:2] refers to the two bytes (i.e. 3rd & 4th bytes) in the IP header, beginning at byte 2 (remember it starts at offset 0). This total represents the total length of the IP packet which can be a maximum of 65535 bytes.

For the bitmask here, for clarity, I've pre-pended a '0' so mask 0xf becomes 0x0f. The leading '0' on the mask is dropped as per the comment from GuyHarris below.

  • ip[0]&0x0f refers to the second half of byte 0 (i.e. the 1st byte) in the IP header, which will give you the IP header length in 32 bit words and as such, this is typically multiplied by 4 for such a calculation.

  • tcp[12]&0xf0) refers to the first half of byte 12 (i.e. the 11th byte), which is the data offset field, which specifies the size of the TCP header in 32-bit words and as such, this is typically multiplied by 4 for such a calculation.

You need to multiply the last 2 lengths by 4 because they are 32 bit/4 byte words and so need be translated to a total in bytes for the calculation to be correct

Your filter should be calculating:

  • The IP packet length (in bytes) - The IP header length - The TCP Header Length

and looking for that value to be zero, i.e. something like this

sudo tcpdump -A -nnpi eth0 '(ip[2:2] - ((ip[0]&0x0f)*4) - ((tcp[12]&0xf0)*4) != 0)'

When you perform the subtraction, you're looking for a non-zero total. This non-zero total means that there's data above layer 4, i.e. data in the tcp payload, typically application traffic.

You may also want to add port 80 assuming most http traffic is over port 80.

Such a filter is commonly used by security folk to detect data on a SYN, which is not normal but according to the RFCs, it is allowed. so the whole thing would look something like -

'tcp[13]=0x02 and (ip[2:2] - ((ip[0]&0x0f)*4) - ((tcp[12]&0xf0)*4) != 0)'

TCPIPGuide is a very good, free online guide on TCP/IP btw.

Updated: Modify the 'leading zero' section on the bitmask as per the update from Guy Harris.

like image 123
Mark Hillick Avatar answered Sep 20 '22 05:09

Mark Hillick