Packet Filtering Techniques

Peter Kacherginsky
May 25, 2010

Packet filtering is an important skill when capturing and managing large network dumps. Several tools and techniques simplify searching and extracting useful data from captured traffic.

TCPDUMP

tcpdump can be configured to capture only traffic matching a specified filter. To apply a filter, append a quoted filter string to the command line. Here is a simple example that captures LIVE packets coming to and from 192.168.1.10:

tcpdump -i eth0 -ttttnn "host 192.168.1.10"

If you need to filter a previously saved pcap file (e.g. one produced by tcpdump -w capture.pcap -s 1550), use the -r flag combined with the same filter:

tcpdump -r capture.pcap "host 192.168.1.10"

The following command line is recommended to speed up reading existing pcap files: -tttt prints a full date and time for each packet and -nn disables host and port name resolution:

tcpdump -ttttnnr capture.pcap "host 192.168.1.10"

The tcpdump man page documents the complete filter syntax; here are some of the more useful primitives:

Specifying hosts

host 192.168.1.10     - capture traffic where the source or destination is 192.168.1.10
dst host 192.168.1.10 - capture traffic where the destination is 192.168.1.10
src host 192.168.1.10 - capture traffic where the source is 192.168.1.10

Specifying networks

net 192.168.1.0/24                     - capture traffic to or from 192.168.1.0/24
dst net 192.168.1.0 mask 255.255.255.0 - capture traffic destined for the 192.168.1.0/24 network
src net localnet                       - capture traffic coming from the local network

Specifying ports

port 80 - capture traffic to or from port 80 (www) 
dst port www - capture traffic going to port 80 (www)
src port www - capture traffic coming from port 80 (www)

Specifying a range of ports

portrange 20-25           - capture traffic to or from ports 20 to 25. Either the source or the destination port needs to be in the range for a packet to be captured, e.g. source port 22 and destination port 50000 will be captured.
dst portrange 80-1024     - capture traffic going to ports 80-1024
src portrange 40000-50000 - capture traffic coming from ports 40000-50000

Specifying protocols

tcp   - capture TCP traffic 
udp - capture UDP traffic
icmp - capture ICMP traffic
arp - capture ARP traffic

Combining multiple primitives

dst port 80 or dst host 192.168.1.10 - capture traffic going to port 80 or to 192.168.1.10
dst port 80 and (src host 192.168.1.11 or src host 192.168.1.12) - capture traffic going to port 80 and coming from either 192.168.1.11 or 192.168.1.12
not dst port 80 and not dst host 192.168.1.10 - skip traffic destined for port 80 or for 192.168.1.10

Byte Offset Filtering

icmp[0]=8 or icmp[0]=0 - look at the first byte (the type field) of ICMP packets and capture type 8 (echo request) and type 0 (echo reply)
tcp[0:2]=80 and tcp[13]=0x02 - capture packets coming from port 80 (the first two bytes of the TCP header are the source port) whose flags byte is exactly 0x02, i.e. only SYN is set
tcp[13] & 0x02 = 2 - capture packets with the SYN flag present, whatever other flags are set (0x12, SYN-ACK, will also match). ANDing tcp[13] with the mask 0x02 clears every bit except the second bit from the right; comparing the result with 0x02 (which has only that bit set) then tells you whether the bit was set in the original byte.
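To make the offset arithmetic concrete, here is an added Python example (not from the original post and not libpcap code) that reimplements the three byte-offset filters above over constructed IPv4 packets. It also shows a detail the filter syntax hides: tcp[n] and icmp[n] index from the start of the transport header, so the IPv4 header length (the IHL nibble of ip[0]) has to be honoured before indexing; the sample packet with IP options demonstrates that.

```python
import struct

# Constructed sample packets (IPv4 + transport header only), not captured traffic.
def ipv4(proto, payload, options=b""):
    """Minimal IPv4 header; IHL grows with options, which shifts where tcp[n] starts."""
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 4 * ihl + len(payload),
                      0, 0, 64, proto, 0, bytes([192, 168, 1, 10]), bytes([192, 168, 1, 11]))
    return hdr + options + payload

def tcp(sport, dport, flags):
    """20-byte TCP header: source port at [0:2], flags byte at [13]."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)

def icmp(type_, code=0):
    """8-byte ICMP header: type at [0]."""
    return struct.pack("!BBHHH", type_, code, 0, 0, 0)

def transport(pkt):
    """Return (IP protocol number, transport header bytes). tcpdump's tcp[n]/icmp[n]
    count from the start of the transport header, so skip IHL*4 bytes of IP header."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], pkt[ihl:]

def icmp_echo_or_reply(pkt):                # icmp[0]=8 or icmp[0]=0
    proto, t = transport(pkt)
    return proto == 1 and t[0] in (8, 0)

def syn_from_port_80(pkt):                  # tcp[0:2]=80 and tcp[13]=0x02
    proto, t = transport(pkt)
    return proto == 6 and struct.unpack("!H", t[0:2])[0] == 80 and t[13] == 0x02

def syn_set(pkt):                           # tcp[13] & 0x02 = 2
    proto, t = transport(pkt)
    return proto == 6 and (t[13] & 0x02) == 0x02

SAMPLES = {                                 # constructed, named by what each contains
    "echo": ipv4(1, icmp(8)),
    "unreach": ipv4(1, icmp(3)),
    "syn80": ipv4(6, tcp(80, 40000, 0x02)),
    "synack80": ipv4(6, tcp(80, 40000, 0x12)),
    "syn80_opts": ipv4(6, tcp(80, 40000, 0x02), options=b"\x01\x01\x01\x01"),  # NOPs
    "ack443": ipv4(6, tcp(443, 40000, 0x10)),
}

def matches(filter_fn):
    """Names of the sample packets a filter accepts, sorted for stable output."""
    return sorted(name for name, pkt in SAMPLES.items() if filter_fn(pkt))
```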

TSHARK

tshark improves on tcpdump by introducing smarter filters, full protocol dissection, state tracking, and other enhancements. tshark includes two distinct filtering mechanisms. The capture filter (-f) uses the standard libpcap filters described in the TCPDUMP section. Read filter (-R)

Viewing custom fields

tshark -i eth0 -n -tad -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport

The above command will display the source host, source TCP port, destination host, and destination port of each packet.

Capture filter

tshark -i eth0 -n -tad -f "tcp dst port 80"

The above command will only capture TCP traffic going to port 80. See the TCPDUMP section for the complete filter syntax.

Read (Display) Filter

Read filters offer much more flexibility and power than libpcap filters. However, for performance reasons you should not rely entirely on read filters, since they perform full packet dissection; use them for fine tuning instead. Below is an example that displays all traffic to or from 192.168.1.10:

tshark -n -R "ip.addr==192.168.1.10"

Specifying hosts

ip.addr==192.168.1.10  - capture traffic where the source or destination is 192.168.1.10
ip.dst eq 192.168.1.10 - capture traffic where the destination is 192.168.1.10 (eq can be used in place of ==)
ip.src==192.168.1.10   - capture traffic where the source is 192.168.1.10

Specifying networks

ip.addr eq 192.168.1.0/24 - capture traffic to or from the 192.168.1.0/24 network
ip.dst eq 192.168.1.0/24  - capture traffic destined for the 192.168.1.0/24 network
ip.src eq 192.168.1.0/24  - capture traffic coming from the 192.168.1.0/24 network

Specifying ports

tcp.port == 80    - capture traffic to or from port 80 (www)
tcp.dstport == 80 - capture traffic going to port 80 (www)
tcp.srcport == 80 - capture traffic coming from port 80 (www)

Specifying a range of ports

tcp.port >= 20 and tcp.port <= 25             - capture traffic to or from ports 20 to 25. Either the source or the destination port needs to be in the range for a packet to be captured, e.g. source port 22 and destination port 50000 will be captured.
tcp.dstport >= 80 and tcp.dstport <= 1024     - capture traffic going to ports 80-1024
tcp.srcport ge 40000 and tcp.srcport le 50000 - capture traffic coming from ports 40000-50000. Note the use of ge and le in place of >= and <=.

Specifying protocols

tcp - capture TCP traffic 
udp - capture UDP traffic
icmp - capture ICMP traffic
arp - capture ARP traffic

Combining multiple primitives

tcp.dstport == 80 or ip.dst == 192.168.1.10 - capture traffic going to port 80 or to 192.168.1.10
tcp.port == 80 and not (ip.src == 192.168.1.11 or ip.src == 192.168.1.12) - capture traffic going to port 80 and NOT coming from either 192.168.1.11 or 192.168.1.12
!(ip.addr == 192.168.1.10) && !(tcp.port == 80) - skip traffic destined for port 80 or for 192.168.1.10. Do not use the != notation here: ip.addr and tcp.port match either the src or the dst field, so ip.addr != 192.168.1.10 is true whenever at least one of the two addresses differs, which gives unexpected results.

Advanced Filters

tshark -T fields -e ip.dst -e http.request.uri -R "http.request.method == \"GET\"" - display all requested URIs where the HTTP method GET is used.

tshark -R "tcp.flags.syn == 1" - capture packets which have the SYN flag set

tshark -T fields -e http.cookie -R "http and http.cookie[0:4] == \"PREF\"" - display all HTTP cookies whose first four bytes (the slice [0:4]) are "PREF"

tshark -T fields -e http.cookie -R "http and http.cookie[-20:20] contains \"GMAIL\"" - match the last 20 characters of the cookie for the presence of the GMAIL keyword.

tshark -T fields -e http.cookie -R "frame[100:] contains \"GMAIL\"" -d tcp.port==1234,http - search the frame from byte 100 onward for the keyword "GMAIL" and interpret traffic on the nonstandard port 1234 as HTTP

tshark -T fields -e http.cookie -R "http and lower(http.cookie) contains \"pref\"" - display all HTTP cookies which contain the keyword pref in any letter case. lower() and upper() can be used to build case-insensitive matches.

tshark -T fields -e http.cookie -R "http and http.cookie matches \"^PREF.*MAIL\"" - display all HTTP cookies which begin with the keyword PREF and contain the keyword MAIL. The matches operator takes Perl-compatible (PCRE) regular expression syntax.

WIRESHARK/TSHARK UTILITIES

The Wireshark suite includes a number of command line utilities useful for packet filtering.

editcap is a powerful editing utility which can read, edit, and save the resulting packet captures in a variety of formats including pcap. Here are a few use cases for this tool:

editcap -A "2008-10-08 09:00:00" -B "2008-10-08 10:00:00" input.pcap output.pcap

The output.pcap file will be created containing all packets within the time range.

editcap -r -A "2008-10-08 09:00:00" -B "2008-10-08 10:00:00" input.pcap output2.pcap

output2.pcap will contain all packets EXCEPT those in the range specified above.

editcap -r input.pcap output.pcap 1-10 90-100

The above will extract packets 1–10 and 90–100 (inclusive) and store them in output.pcap

editcap input.pcap output.pcap 1-10 90-100

The above will save all packets from input.pcap except 1–10 and 90–100 into output.pcap

Split large captures

editcap -c 1000 input.pcap split.pcap

One or more pcap files will be created, named split.pcap-0000, split.pcap-0001, etc. Each chunk will contain at most 1000 packets.

Merge multiple captures

mergecap -w big.pcap small-1.pcap small-2.pcap small-3.pcap
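As an added example (not from the original post, and not editcap or mergecap code), here is a Python reimplementation of the time-range, split and merge operations above directly on the classic pcap container, so the record layout these utilities operate on is visible. It assumes little-endian pcap files with microsecond timestamps and treats the time window as at-or-after start and before stop.

```python
import struct

# Classic pcap container: 24-byte global header, then a 16-byte header per packet record.
PCAP_MAGIC = 0xA1B2C3D4
# magic, version 2.4, thiszone 0, sigfigs 0, snaplen 65535, link type 1 (Ethernet)
GLOBAL_HDR = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)

def record(ts_sec, data, ts_usec=0):
    """One record: ts_sec, ts_usec, captured length, original length, packet bytes."""
    return struct.pack("<IIII", ts_sec, ts_usec, len(data), len(data)) + data

def records(pcap):
    """Yield (ts_sec, packet bytes) from a pcap blob, refusing truncated records."""
    if struct.unpack("<I", pcap[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    pos = 24
    while pos < len(pcap):
        if pos + 16 > len(pcap):
            raise ValueError("truncated record header at offset %d" % pos)
        ts_sec, _usec, caplen, _origlen = struct.unpack("<IIII", pcap[pos:pos + 16])
        pos += 16
        if pos + caplen > len(pcap):
            raise ValueError("truncated packet data at offset %d" % pos)
        yield ts_sec, pcap[pos:pos + caplen]
        pos += caplen

def time_window(pcap, start, stop):
    """editcap -A/-B style: keep records whose timestamp t satisfies start <= t < stop."""
    return GLOBAL_HDR + b"".join(record(t, d) for t, d in records(pcap) if start <= t < stop)

def split_pcap(pcap, count):
    """editcap -c style: chunks of at most `count` packets, each a complete pcap file."""
    recs = list(records(pcap))
    return [GLOBAL_HDR + b"".join(record(t, d) for t, d in recs[i:i + count])
            for i in range(0, len(recs), count)]

def merge_pcap(parts):
    """mergecap -w style: combine several captures, ordering records by timestamp."""
    recs = sorted((r for p in parts for r in records(p)), key=lambda r: r[0])
    return GLOBAL_HDR + b"".join(record(t, d) for t, d in recs)

# Constructed 7-packet capture with timestamps 1000..1006 (not real traffic).
SAMPLE = GLOBAL_HDR + b"".join(record(1000 + i, bytes([i]) * 4) for i in range(7))

if __name__ == "__main__":
    parts = split_pcap(SAMPLE, 3)
    print([len(list(records(p))) for p in parts])   # chunk sizes
    print(merge_pcap(parts[::-1]) == SAMPLE)          # merge restores time order
```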
