Packet filtering is an important skill when capturing and managing large network dumps. There are several tools and techniques used to simplify searching and extraction of useful data from captured data.

TCPDUMP

tcpdump can be configured to only capture traffic according to specified filter. To include a filter append a quoted filter string in the command line. Here is a simple example to capture LIVE packets coming to and from 192.168.1.10:

tcpdump -i eth0 -ttttnn "host 192.168.1.10"

In case you need to filter a previously saved pcap file (e.g. produced by tcpdump -w capture.pcap -s 1550), you can utilize -r flag combined with the same filter:

tcpdump -r capture.pcap "host 192.168.1.10"

It is recommended to use the following commandline to speed up reading existing pcap files. This will clean up the timestamp and avoid name resolution:

tcpdump -ttttnnr capture.pcap "host 192.168.1.10

tcpdump man pages include complete filter syntax; however, here are some of the more useful ones:

Specifying hosts

host 192.168.1.10 - capture traffic with source or destination is 192.168.1.10
dst host 192.168.1.10 - capture traffic with destination host is 192.168.1.10
src host 192.168.1.10 - capture traffic with source is 192.168.1.10

Specifying networks

net 192.168.1.0/24 - capture traffic to or from 192.168.1.0/24 network
dst net 192.168.1.0 mask 255.255.255.0 - capture traffic destined for 192.168.1.0/24 network (notice different syntax)
src net localnet - capture traffic coming from local network network (notice different syntax)

Specifying ports

port 80 - capture traffic to or from port 80 (www)
dst port www - capture traffic going to port 80 (www) (notice different syntax)
src port www - capture traffic coming from port 80 (www)

Specifying a range of ports

portrange 20-25 - capture traffic to or from port range 20 to 25. Note that either dst or src ports need to be in the range for packet to be captures e.g. source port 22 and destination port 50000 will be captured.
dst portrange 80-1024 - capture traffic going to ports 80-1024
src portrange 40000-50000 - capture traffic coming from ports 40k - 50k

Specifying protocols

tcp  - capture TCP traffic
udp - capture UDP traffic
icmp - capture ICMP traffic
arp - capture ARP traffic

Combining multiple primitives

dst port 80 or dst host 192.168.1.10 - capture traffic going to port 80 or to 192.168.1.10
dst port 80 and (src host 192.168.1.11 or src host 192.168.1.12) - capture traffic going to port 80 and coming from either 192.168.1.11 or 192.168.1.12
not dst port 80 and not dst host 192.168.1.10 - skip traffic destined for port 80 or 192.168.1.10

Byte Offset Filtering

icmp[0]=8 or icmp[0]=0 – look at the first byte of ICMP packets and capture types 8(echo) and 0(echo reply)
tcp[0:2]=80 and tcp[13]=0x02 – capture packets coming from port 80 (first 2 bytes) with SYN flag (0x02)
tcp[13] & 0x02 = 2 – capture packets with SYN flag present (other flags could also exist like 0x12 SYN-ACK will work). By anding tcp[13] with a mask 0x02 you drop all elements except the second bit from the right. Next you compare it with a value of 0x02 which has 2nd bit set to find out if the original bit was set in the first place.

TSHARK

tshark improves on already existing tcpdump by introducing smarter filters, full protocol dissection, tracking state, and other enhancements. tshark includes two unique filtering mechanisms. Capture filter (-f) uses standard libpcap filters as described in the tcpdump section. Read filter (-R)

Viewing custom fields

tshark –i eth0 –n –tad –T fields –e ip.src –e tcp.srcport –e ip.dst –e tcp.dstport

The above command with display source host, source tcp port, destination host, and destination port

Capture filter

tshark – I eth0 –n –tad –f “tcp dst port 80”

The above command will only capture tcp traffic going to port 80. See TCPDUMP for complete documentation.

Read (Display) Filter

Read filters allow a lot more flexibility and power compared to libpcap filters. However, due to performance considerations you should not rely completely on read filters as they perform complete packet dissection. Instead use read filters for fine tuning. Below is an example to display all traffic to or from 192.168.1.10:

tshark –n –R “ip.addr==192.168.1.10”

Specifying hosts

ip.addr==192.168.1.10 - capture traffic with source or destination is 192.168.1.10

ip.dst eq 192.168.1.10 - capture traffic with destination host is 192.168.1.10 (you can use eq is ==)

ip.src==192.168.1.10 - capture traffic with source is 192.168.1.10

Specifying networks

ip.addr eq 192.168.1.0/24 - capture traffic to or from 192.168.1.0/24 network

ip.dst eq 192.168.1.0/24 - capture traffic destined for 192.168.1.0/24 network

ip.src eq 192.168.1.0/24- capture traffic coming from 192.168.1.0/24 network

Specifying ports

tcp.port == 80 - capture traffic to or from port 80 (www)
tcp.dstport == 80 - capture traffic going to port 80 (www)
tcp.srcport == 80 - capture traffic coming from port 80 (www)

Specifying a range of ports

tcp.port >= 20 and tcp.port <=25 - c Note that either dst or src ports need to be in the range for packet to be captures e.g. source port 22 and destination port 50000 will be captured.

tcp.dstport >= 80 and tcp.dstport <= 1024 - capture traffic going to ports 80-1024

tcp.srcport ge 40000 and tcp.srcport le 50000 - capture traffic coming from ports 40k - 50k. Note the use of ge and le instead of >= and <= respectively.

Specifying protocols

tcp  - capture TCP traffic
udp - capture UDP traffic
icmp - capture ICMP traffic
arp - capture ARP traffic

Combining multiple primitives

tcp.dstport == 80 or ip.dst == 192.168.1.10 - capture traffic going to port 80 or to 192.168.1.10

tcp.port == 80 and not (ip.src == 192.168.1.11 or ip.src == 192.168.1.12) - capture traffic going to port 80 and NOT coming from either 192.168.1.11 or 192.168.1.12

!(ip.addr == 192.168.1.10) && !(tcp.port == 80) - skip traffic destined for port 80 or 192.168.1.10 (do not use != notation since ip.addr and tcp.port will attempt to match either src or dst fields so you will receive unexpected results).

Advanced Filters

tshark –T fileds –e ip.dst –e http.request.uri –R “http.request.method == \”GET\” – will display all requested URIs when HTTP method GET is used.

tshark –R “tcp.flags.syn == 1” – capture packets which have SYN flag on

tshark –T fields –e http.cookie –R “http and http.cookie[0:4] == \”PREF\”” – display all http cookies where a slice of first four bytes is “PREF”

tshark –T fields –e http.cookies –R “http and http.cookie[-20:20] contains \”GMAIL\”” – match last 20 characters for the presence of GMAIL keyword.

tshark –T fields –e http.cookies –R “frame[100:] contains \”GMAIL\”  -d tcp.port=1234,http – match entire frame for the presence of keyword “GMAIL” and interpret as HTTP running on a nonstandard port 1234

tshark –T fields –e http.cookie –R “http and lower(http.cookie) contains \”pref\”” – display all http cookies which contain keyword pref. You can use lower() and upper() to create case insensitive matches.

tshark –T fields –e http.cookies –R “http and http.cookie matches \”^PREF.*MAIL\”” – display all http cookies which begin with keyword PREF and contain keyword MAIL. Use PREG syntax when using matches keyword.

WIRESHARK/TSHARK UTILITIES

Wireshark suite includes a number of command line utilities useful for packet filtering.

editcap is a powerful editing utility which can read, edit, and save resultant packet captures in a variety of formats including pcap. Here are a few use cases for this tool:

Extract packets from a time range

editcap –A “2008-10-08 09:00:00” –B “2008-10-08 10:00:00” input.pcap output.pcap

output.pcap file will be created containing all packets within the range.

editcap –r –A “2008-10-08 09:00:00” –B “2008-10-08 10:00:00” input.pcap output2.pcap

output2.pcap will contain all packets EXCEPT the range specified above.

Extract packets by count

editcap –r input.pcap output.pcap 1-10 90-100

The above will extract packets 1-10 and 90-100 (inclusive) and store them in output.pcap

editcap input.pcap output.pcap 1-10 90-100

The above will save all packets from input.pcap except 1-10 and 90-100 into output.pcap

Split large captures

editcap –c 1000 input.pcap split.pcap

One or more pcap files will be created called split.pcap-0000, split.cap-0001, etc. Each chunk will contain at most 1000 packets.

Merge multiple captures

mergecap –w big.pcap small-1.pcap small-2.pcap small-3.pcap

Published on May 25th, 2010 by iphelix

sprawlsimilar

ios data interception

Network traffic analysis is an important ingredient of a good iOS app pentest. The article covers several common approaches to iOS specific data interception such as network proxying, defeating network encryption, traffic injection and others. Read more.

decrypting tls/ssl traffic with wireshark

Wireshark is capable of decrypting TLS/SSL traffic. This article will discuss the required conditions necessary for the decryption and walk you through the exact steps. Read more.


sprawlcomments

All original content on this site is copyright protected and licensed under Creative Commons - Attribution, NonCommercial, ShareAlike 4.0 International.

π
///\oo/\\\