Writing tcpdump Filters

4 Foundations For Understanding tcpdump Filters • Specify item of interest for record selection • Any field in the IP datagram • Examples: header length or TCP flags • Variables for mo

Writing tcpdump Filters

All material Copyright  Novak, 2000, 2001 All rights reserved

2

Writing tcpdump Filters

• Introduction to tcpdump

• Writing tcpdump Filters

• Examination of Datagram Fields

• Beginning Analysis

• Real World Examples

• Step by Step Analysis

This page intentionally left blank

Objectives

• Review the foundations to understand and create

tcpdump filters including:

• tcpdump filter format

• Review of bit/byte theory

• Review of binary/hexadecimal numbering

systems

• Review of bit masking

• Learning to formulate tcpdump filters

• Review of tcpdump output

tcpdump filters are necessary to selectively gather/read records of network traffic

While this section may be somewhat difficult to understand especially if you haven’t been exposed

to this theory before, it is more than just an academic exercise In order to comprehend network traffic at its most visceral level, you will have to understand tcpdump filters Also, familiarity with tcpdump filters is necessary if you want to process tcpdump files for some trait For instance, if you wanted to identify the beginning of a TCP connection, you would search for traffic with the SYN bit alone set

4

Foundations For Understanding

tcpdump Filters

• Specify item of interest for record selection

• Any field in the IP datagram

• Examples: header length or TCP flags

• Variables for more commonly used fields:

• Examples: “port” or “host”

• Less common fields:

tcpdump provides a special name for each type of header Much as you would expect, ip is used to denote a field in the IP header or data portion of the IP datagram, tcp for a field in the TCP header or segment, udp for the UDP header or UDP datagram, and ICMP for the ICMP message

For instance, ip[0] would indicate the first byte offset of the IP datagram which happens to be part of the IP header (remember counting starts at 0) tcp[13] would be the 13th byte offset into the TCP segment which is also part of the TCP header, and icmp[0] would be the first byte offset of the ICMP message which is the ICMP message type

Sample filters and reference material are found in:

• tcpdump man pages

Specifying Fields

20 bytes

4-bit 4-bit IP 8-bit TOS 16-bit total length (in bytes) version header

length

16-bit IP identification number 3-bit

flags 13-bit fragment offset

8-bit time to live (TTL)

8-bit protocol 16-bit header checksum

32-bit source IP address

32-bit destination IP address

What are some of the more common macros used in filters?

net select the record if either the source or destination subnet matches

This is useful if there are several IP’s from the same subnet of interest to you

port select the record if either the source or destination port matches

src host select the record if the source host matches

dst host select the record if the destination host matches

src net select the record if the source subnet matches

dst net select the record if the destination subnet matches

src port select the record if the source port matches

dst port select the record if the destination port matches

6

The tcpdump Filter Format

• The two different formats for a tcpdump filter are:

• <protocol header> [offset: length] <relation> <value>

ip[9] = 1 tcp[2:2] < 20 udp[4:2] != 0 icmp[0] = 8

• <variable> <value>

port 23 dst host 1.2.3.4 src net 0

The first filter ip[9] = 1 selects any record with the IP protocol of 1 (ICMP)

The second filter tcp[2:2] selects any record with a TCP destination port less than 20

The third filter udp[4:2] selects any UDP record with a non-zero UDP length

The fourth filter selects any record with an ICMP message type of 8, an ICMP echo request.The first variable filter selects any record with source/destination port of 23 (telnet)

The second variable filter selects any record with destination host 1.2.3.4

The third variable filter selects any record with a source subnet of 0.x.x.x

Bit/Byte Fundamentals

• A byte is an 8 bit field

• It is possible to denote a span of bytes, i.e

4 bit 4 bit 8 bit TOS 16 bit IP total

length version length

The bit is the smallest unit that can be represented by a computer - it can have a value of either 0 or 1 A byte is composed of 8 bits Byte counting begins at byte 0; all successive bytes fall on these 8 bit

boundaries udp[0:2] specifies the byte in the UDP datagram beginning at byte 0 for a length of two bytes

Bit masking or using a combination of boolean arithmetic and binary/hexadecimal values will help “isolate” bits

8

Decimal/Binary Representations

Base 10 Arithmetic - Decimal

The same theory applies when we are dealing with binary or base 2 Instead of using exponents of 10, we use exponents of 2 to figure out the decimal representation of the number Also, because we are talking in terms of a byte, we use 8 bits or binary digits to represent a byte So, we see above how we convert the binary number of 10000001 to a decimal 129

81 hex = 8x16 1 + 1x16 0 = 129

If you consider a byte as two hexadecimal characters, each character will be 4 bits long So 16 different hex values can be represented - if all bits of a 4-bit chunk (nibble) are turned on or set to 1 the maximum value will be 15 (8 + 4 + 2 + 1) Counting in hex goes from 0 to 9, 10 = a, 11 = b, 12 = c, 13 = d, 14 =e,

15 = f

The leftmost bits are called the high-order bits - they have the most value, whereas the rightmost bits are referred to as the low-order bits The same holds true for bytes; the left most are known as high-order bytes and right most are known as low-order bytes

Remember from arithmetic that any number with an exponent of 0 is 1

Figuring Out Decimal Values

for Hex Output

Use reference to discover where fields start and end Each character in the hex output is a power of 16 Start at the rightmost character and increase power of 16 Multiply by base number by exponent, add all values First 8 bytes of hexadecimal output of a UDP header

The first thing that you need to do is to identify what you are looking at Most of the time when you look

at hex output, it will be the entire datagram In this case, for demonstration purposes, we will take an excerpt of the datagram This is the first 8 bytes of the UDP header You’ll need to use some reference, such as TCP/IP Illustrated, Volume1 by Richard Stevens or the references at the back of the course to identify the fields in the UDP header Remember that each character that you see in the output is one hex character (4 bits) so there are 2 hex characters in a byte You’ll discover that there is a 16-bit source port,

a 16-bit destination port, a 16-bit UDP length and a 16-bit checksum in the UDP header Coincidentally, these are all 2 byte fields – or 4 hex characters You see that we divide up the hex output accordingly

Next, start with the rightmost hex character and label that with an exponent of 160 For each hex

character associated with that field, move left and increase the power of 16 until you hit the leftmost character in the field Then, multiply the base by the exponent above it and add all the values

Using the source port 0089 as an example, we start with the rightmost character and label it 160 Next,

we only have one more character that is non-zero and we label that as 161 Now, we multiply the rightmost character 9 by 160(anything to the 0 power is 1) and get a result of 9 Then we multiply the next character 8 by 161(or 16) and get 128 Adding 128 and 9, we arrive at 137 which is the source port typically associated with NetBIOS name service queries

Use the reference pages at the end of the course to figure out

what the 16-bit total length is in decimal

Figure out the decimal value of the 16-bit total length Use the reference materials at the end of this course to find a layout of the IP header and where the 16-bit total length falls in the IP header Once you’ve discovered that field, use the methods discussed to figure out the decimal equivalent of the hex value

16-bit total length

The first thing we do is look at the layout for the IP header The 16-bit total length field is found in the 2ndand 3rdbytes offset from the IP header (counting starts at 0) We find a value of 0030 in these 2 bytes So, we methodically label all the the hex digits in this field as powers of 16 starting at the rightmost digit 0 Because we only have one non-zero value in the IP length field, we really only need to figure out its value

The non-zero value of 3 is located in the 161position So, we simply multiply 3*16 and discover that the IP length is 48 bytes

14

The Problem: Looking at Fields Less Than a Byte

Layout of first byte

4 bit IP version 4 bit header length

0 1 0 0

0 0 0 0

We run into a slight problem when we deal with fields in an IP datagram that are less than a byte in length The first byte of the IP header is actually two different fields – a 4 bit IP version and a 4 bit header length If we use the protocol[displacement] notation, ip[0] finds both fields What if we wanted to look at the 4 bit IP header length only and we were not interested in the 4 bit IP version?

There is really no simple operation that is native to the tcpdump “language” that allows us to do this But, we can do some operations and manipulations of fields and bits that will allow us to look at the

4 bit header length only In essence, if we can zero out or change all the bits in the IP version field

to 0, we really are looking at just the 4 bit header length if we look at ip[0] How exactly do we discard or zero-out this high-order nibble and preserve the low-order nibble found in the 4 bit header length? This is what we will discuss next

More Fundamentals

• Individual bit or a range of bits selected by bit

masking

• Uses the boolean AND operation to keep or

discard a bit(s)

• Two bits are AND’ed; the following values yield

the following results

0 0 0

1 0 0

0 1 0

1 1 1

We will use the boolean AND operation to help us zero-out unwanted bits Let’s look at the fundamentals of applying this theory

Because we are dealing with computers that talk in binary, we consider taking every combination of the only two possible bit values - 0 and 1 As you can see from the truth table above, the only time the resulting value is 1 is when both bits that are AND’ed are 1

If you imagine “BIT A” as the bit found in the original byte and “BIT B” as a mask value used in an AND operation of “BIT A”, we can determine the appropriate mask value to either discard or preserve an original bit

Solution: “AND” Wanted Bits

With 1’s

0 1 0 1

1 1 1 1

0 1 0 1

Because we are dealing with an entire byte, we must also pay attention to the low- order nibble, the

IP header length that we want to preserve We must preserve the original value that we found there

We can’t simply ignore this field In order to preserve the current value found in that field, we

“AND” all bits with a value of 1 This will not change the current value found in that nibble

18

The Mask Byte

0 1 0 1

So, this just means that our mask byte is 0000 1111 which translated to two hexadecimal characters

of 0f

Partial filter = ip[0] & 0x0f

field AND mask

We figured out the mask that we want to AND with the first byte of the IP header, but how do we tell tcpdump how to do this? What we do is first identify the byte (or bytes) that we are dealing with

by identifying what protocol we are dealing with (IP) and the displacement into the protocol that the byte is found (0 – first byte) Next, we use the “&” symbol to denote the AND operation and then

we must tell it what value to AND it with This is the mask value that we figured out or 0x0f in hexadecimal

20

And Your Point Would Be?

A 1in a mask bit preservesa corresponding value bit, a 0in a

mask bit discardsa corresponding value bit

0 1 0 0 0 1 0 1 Current IP byte 0 fields, version = 4, length = 5

First byte of IP header

Once the mask has been computed to figure out which bits to discard and which to preserve, it has

to be “superimposed” over some byte or span of bytes In this case we need to superimpose the mask over the entire first byte of the IP header because that is where the fields we are interested in

lie So, in this case that field is represented by ip[0] The partial filter of superimposing the appropriate mask over the field of interest becomes ip[0] & 0x0f.

A way to test whether an IP datagram has options is to test if the IP header length is greater than 5 (this is five 32 bit “words”- or 4 bytes) The filter then would become:

ip[0] & 0x0f > 5

If this filter were included in the tcpdump statement with the proper notation or in a file and pointed

to by the tcpdump option -F, all records read that had an IP header length of greater than 5 would be selected

What would the mask be to preserve the high order 4 bits (the version number) and discard the low

4 order bits (the length)?

TCP Flag Bits

• Located in the TCP header

• Tells much about the state of a given TCP

segment

• We often examine this field in filters

URG ACK PSH RST SYN FIN

This field is denoted as tcp[13]

Reserved

The TCP reserved bits, in the past, have not been used for anything other than operating system fingerprinting They were probably included for some anticipated future use, but at present are not supposed to be used When nmap attempts to do operating system fingerprinting, it might try to set these values just to see how the receiving host responds

Also, if a packet gets corrupted in transit, these bits might be erroneously set We will always mask these bits with 0’s when analyzing the TCP flag bits since they will need to be discarded We will then select or discard other flag bits as necessary using an appropriate mask and the boolean AND operator

22

Masking the TCP Flag Bits

What would the mask be to single out the SYN bit only?

Reserved bits URG ACK PSH RST SYN FIN

The TCP flag bits field in the slide above has been depicted to help you determine the mask value Since there will be two hexadecimal characters in the mask, the dividing line down the middle marks the two different characters Also, notice the base 2 values above each of the bits to assist you in figuring out the corresponding value for the bit

The answers for this slide can be found at the end of the chapter, Exercise 2

Masking the TCP Flag Bits

What would the entire filter be to check if the SYN bit is set?

Reserved bits URG ACK PSH RST SYN FIN

0 0 0 0 0 0 1 0 = tcp[13] & 0x02 != 0

0 0 0 1 0 0 0 0 =

0 0 0 0 1 1 1 1 =

What would the filters be for the second and third lines

to check if the corresponding bits are set?

= 16 would be another way to test if the ACK bit were set

The answers for this slide can be found at the end of this chapter, Exercise 3