Re: TCP Dump Filters

From: Crist J. Clark (cristjc@earthlink.net)
Date: 12/24/01


Date: Mon, 24 Dec 2001 12:54:10 -0500
From: "Crist J. Clark" <cristjc@earthlink.net>
To: "Stover, S.f." <sstover@enterasys.com>

On Fri, Dec 21, 2001 at 06:10:17PM -0500, Stover, S.f. wrote:
> True, but can you FILTER on the contents of the payload? That was the
> original question I believe. A man on TCPdump shows me that you can
> filter on all kinds of packet characteristics like port, IP (host &
> net), TCP flags, options, length, etc. etc., but not on whether or not
> there is a "GET /cgi-bin/phf" in the payload. If I'm correct, this
> would be a major drawback in the use of TCPdump as an IDS engine. If
> you can't filter packets on payload content, you can't write real
> filters for attack signatures (outside of aberrant packet
> characteristics). Anyone know for sure if TCPdump can do this?? Judy??

You _can_ but the manner in which you do it is very limited. Using
something like,

  ip[40:2] = 0x4745 and ip[42] = 0x54

Should find "GET" 40 bytes into an IP packet (I forget if you can use
strings in tcpdump(1) expressions and the manpage does not say
specifically whether you can or cannot). Similarly, you could do
something like,

  tcp[20:2] = 0x4745 and tcp[22] = 0x54

To only look inside of the TCP segment.

The main limitation here being that you need to know _exactly_ where
to look for the data. Even in this simple example, we're in trouble
since TCP headers vary in length depending on the options being used.

-- 
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark                  | cjclark@alum.mit.edu
                                | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
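The header-length problem raised in the reply above has a standard answer in tcpdump's filter language: read the TCP data offset out of the header itself, `tcp[((tcp[12]&0xf0)>>2):4] = 0x47455420`, instead of hard-coding byte 20. Two caveats a practitioner should know: tcpdump only lets you read 1, 2 or 4 bytes at a time (so a 3-byte "GET" has to be split into a 2-byte and a 1-byte compare, or widened to the 4-byte "GET "), and `ip[N]` counts from the start of the IP header while `tcp[N]` counts from the start of the TCP header, so the `tcp[...]` form already absorbs IP options. The block below is an added example, not code from the original message or from tcpdump itself: it emulates the two filter expressions in Python over constructed sample packets (one without TCP options, one with an MSS option) to show exactly where the fixed-offset filter fails and the data-offset filter still matches. Packet contents, ports and addresses are made up for the illustration.

```python
import struct


# Constructed sample packets (not captured traffic): a minimal IPv4 header
# with no options, followed by a TCP header with an optional options block.
def build_ipv4_tcp(payload: bytes, tcp_options: bytes = b"") -> bytes:
    """Build IPv4+TCP bytes; TCP options are padded to a 32-bit boundary."""
    if len(tcp_options) % 4:
        tcp_options += b"\x00" * (4 - len(tcp_options) % 4)
    data_offset_words = 5 + len(tcp_options) // 4   # TCP header length in 32-bit words
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        40000, 80,               # source port, destination port (assumed values)
        1, 0,                    # sequence and acknowledgement numbers
        data_offset_words << 4,  # data offset in the high nibble, reserved bits zero
        0x18,                    # flags: PSH, ACK
        65535, 0, 0,             # window, checksum (left zero), urgent pointer
    ) + tcp_options
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0,                 # version 4, IHL 5 words; DSCP/ECN
        total_len, 0, 0,         # total length, identification, flags/fragment offset
        64, 6, 0,                # TTL, protocol 6 (TCP), checksum (left zero)
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
    )
    return ip_hdr + tcp_hdr + payload


def ip_index(pkt: bytes, off: int, size: int) -> int:
    """Emulate the BPF primitive ip[off:size]: offset counted from the IP header."""
    return int.from_bytes(pkt[off:off + size], "big")


def tcp_index(pkt: bytes, off: int, size: int) -> int:
    """Emulate tcp[off:size]: BPF adds the IP header length (IHL * 4) for you."""
    ihl_bytes = (pkt[0] & 0x0F) * 4
    return ip_index(pkt, ihl_bytes + off, size)


def get_fixed_offset(pkt: bytes) -> bool:
    """tcpdump: tcp[20:4] = 0x47455420   ("GET ", assumes a 20-byte TCP header)."""
    return tcp_index(pkt, 20, 4) == 0x47455420


def get_data_offset(pkt: bytes) -> bool:
    """tcpdump: tcp[((tcp[12]&0xf0)>>2):4] = 0x47455420

    The high nibble of tcp[12] is the header length in 32-bit words; shifting
    right by 2 instead of 4 multiplies it by 4, yielding the payload offset.
    """
    payload_off = (tcp_index(pkt, 12, 1) & 0xF0) >> 2
    return tcp_index(pkt, payload_off, 4) == 0x47455420


def demo() -> dict:
    request = b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n"
    plain = build_ipv4_tcp(request)
    # Same request, but the TCP header carries an MSS option (kind 2, length 4),
    # so the payload starts at byte 24 of the segment instead of byte 20.
    with_opts = build_ipv4_tcp(request, b"\x02\x04\x05\xb4")
    other = build_ipv4_tcp(b"POST /login HTTP/1.0\r\n\r\n")
    return {
        "fixed": (get_fixed_offset(plain), get_fixed_offset(with_opts), get_fixed_offset(other)),
        "dataoff": (get_data_offset(plain), get_data_offset(with_opts), get_data_offset(other)),
    }


if __name__ == "__main__":
    print(demo())   # fixed-offset filter misses the packet that carries TCP options
```

Running `demo()` returns `fixed == (True, False, False)` and `dataoff == (True, True, False)`: the hard-coded `tcp[20:4]` reads the MSS option bytes instead of the payload on the second packet, while the data-offset form follows the header length and still matches. Note that neither form helps when the request string is not at the very start of the segment (pipelined requests, or a payload split across segments), which is the deeper reason a fixed-offset BPF filter is not a substitute for an IDS that reassembles streams.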
