THE SPRAWL
    Packet filtering is an important skill when capturing and managing large network dumps. Several tools and techniques simplify searching for and extracting useful data from captured traffic.

    TCPDUMP

    tcpdump can be configured to capture only the traffic that matches a specified filter. To apply a filter, append a quoted filter string to the command line. Here is a simple example that captures live packets to and from 192.168.1.10:

    tcpdump -i eth0 -ttttnn "host 192.168.1.10"
    

    If you need to filter a previously saved pcap file (e.g. one produced by tcpdump -w capture.pcap -s 1550), use the -r flag combined with the same filter:

    tcpdump -r capture.pcap "host 192.168.1.10"
    

    The following command line is recommended when reading existing pcap files: it prints complete timestamps (-tttt) and disables name resolution (-nn), which speeds up processing:

    tcpdump -ttttnnr capture.pcap "host 192.168.1.10"
    

    The tcpdump man page documents the complete filter syntax; here are some of the more useful primitives:

    Specifying hosts

    host 192.168.1.10 - capture traffic whose source or destination is 192.168.1.10
    dst host 192.168.1.10 - capture traffic whose destination is 192.168.1.10
    src host 192.168.1.10 - capture traffic whose source is 192.168.1.10
    

    Specifying networks

    net 192.168.1.0/24 - capture traffic to or from the 192.168.1.0/24 network
    dst net 192.168.1.0 mask 255.255.255.0 - capture traffic destined for the 192.168.1.0/24 network (notice the different netmask syntax)
    src net localnet - capture traffic coming from the local network (notice that a network name can be used instead of a number)
    

    Specifying ports

    port 80 - capture traffic to or from port 80 (www)
    dst port www - capture traffic going to port 80 (www) (notice that the service name can be used instead of the number)
    src port www - capture traffic coming from port 80 (www)
    

    Specifying a range of ports

    portrange 20-25 - capture traffic to or from the port range 20 to 25. Note that either the source or the destination port needs to be in the range for a packet to be captured, e.g. source port 22 and destination port 50000 will be captured.
    dst portrange 80-1024 - capture traffic going to ports 80-1024
    src portrange 40000-50000 - capture traffic coming from ports 40000-50000
    

    Specifying protocols

    tcp  - capture TCP traffic
    udp - capture UDP traffic
    icmp - capture ICMP traffic
    arp - capture ARP traffic
    

    Combining multiple primitives

    dst port 80 or dst host 192.168.1.10 - capture traffic going to port 80 or to 192.168.1.10
    dst port 80 and (src host 192.168.1.11 or src host 192.168.1.12) - capture traffic going to port 80 and coming from either 192.168.1.11 or 192.168.1.12
    not dst port 80 and not dst host 192.168.1.10 - skip traffic destined for port 80 or 192.168.1.10
    

    Byte Offset Filtering

    icmp[0]=8 or icmp[0]=0 - look at the first byte of ICMP packets and capture types 8 (echo request) and 0 (echo reply)
    tcp[0:2]=80 and tcp[13]=0x02 - capture packets coming from port 80 (the source port is the first 2 bytes of the TCP header) with only the SYN flag set (0x02)
    tcp[13] & 0x02 = 2 - capture packets with the SYN flag present, whatever other flags are set (e.g. 0x12, SYN-ACK, also matches). ANDing tcp[13] with the mask 0x02 clears every bit except the second bit from the right; comparing the result with 0x02 then tells you whether that bit was set in the original byte.
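To make the mask logic concrete, here is a small Python model, added for this page and not from the original post, that builds constructed IPv4/TCP packets and evaluates the three TCP primitives above the way tcpdump does (tcp[...] offsets are relative to the TCP header, which is located through the IP header length). The packet builder and function names are this example's own.

```python
import struct

SYN, ACK, SYN_ACK = 0x02, 0x10, 0x12  # values of the TCP flag byte, i.e. tcp[13]

def ipv4_tcp_packet(sport, dport, flags, ip_options=b""):
    """Constructed IPv4+TCP packet (checksums left zero); ip_options is a multiple of 4 bytes."""
    assert len(ip_options) % 4 == 0
    ihl = 5 + len(ip_options) // 4                     # IP header length in 32-bit words
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + 20, 0, 0, 64, 6, 0,
                         bytes([192, 168, 1, 11]), bytes([192, 168, 1, 10]))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + ip_options + tcp_hdr

def tcp_index(pkt, offset, size=1):
    """Evaluate the BPF primitive tcp[offset:size] as an unsigned big-endian integer.
    tcpdump finds the TCP header through the IHL field, so IP options do not shift the index."""
    assert pkt[9] == 6, "protocol field is not TCP"
    start = (pkt[0] & 0x0F) * 4 + offset
    return int.from_bytes(pkt[start:start + size], "big")

def match_bare_syn(pkt):
    """tcp[13]=0x02: the flag byte must be exactly SYN, so a SYN-ACK does not match."""
    return tcp_index(pkt, 13) == 0x02

def match_any_syn(pkt):
    """tcp[13] & 0x02 = 2: the mask keeps only the SYN bit, so SYN-ACK (0x12) also matches."""
    return (tcp_index(pkt, 13) & 0x02) == 0x02

def match_port80_bare_syn(pkt):
    """tcp[0:2]=80 and tcp[13]=0x02: source port 80 (first two TCP bytes) with a bare SYN."""
    return tcp_index(pkt, 0, 2) == 80 and match_bare_syn(pkt)

if __name__ == "__main__":
    samples = [("client SYN", ipv4_tcp_packet(40000, 80, SYN)),
               ("server SYN-ACK", ipv4_tcp_packet(80, 40000, SYN_ACK)),
               ("data ACK", ipv4_tcp_packet(80, 40000, ACK))]
    for name, pkt in samples:
        print(f"{name:15} bare SYN={match_bare_syn(pkt)}  any SYN={match_any_syn(pkt)}")
```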
    

    TSHARK

    tshark improves on tcpdump by introducing smarter filters, full protocol dissection, state tracking, and other enhancements. tshark includes two distinct filtering mechanisms. Capture filter (-f) uses standard libpcap filters as described in the tcpdump section. Read filter (-R)

    Viewing custom fields

    tshark -i eth0 -n -tad -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport
    

    The above command will display the source host, source TCP port, destination host, and destination port of each packet.

    Capture filter

    tshark -i eth0 -n -tad -f "tcp dst port 80"
    

    The above command will only capture TCP traffic going to port 80. See the TCPDUMP section for the complete capture filter syntax.

    Read (Display) Filter

    Read filters allow far more flexibility and power than libpcap filters. However, for performance reasons you should not rely entirely on read filters, since they require complete packet dissection; narrow the traffic with a capture filter first and use read filters for fine tuning. Note that on current tshark releases the single-pass display filter option is -Y, while -R is applied during two-pass analysis and requires -2. Below is an example that displays all traffic to or from 192.168.1.10:

    tshark -n -R "ip.addr==192.168.1.10"
    

    Specifying hosts

    ip.addr==192.168.1.10 - capture traffic whose source or destination is 192.168.1.10
    
    ip.dst eq 192.168.1.10 - capture traffic whose destination is 192.168.1.10 (eq is equivalent to ==)
    
    ip.src==192.168.1.10 - capture traffic whose source is 192.168.1.10
    

    Specifying networks

    ip.addr eq 192.168.1.0/24 - capture traffic to or from the 192.168.1.0/24 network
    
    ip.dst eq 192.168.1.0/24 - capture traffic destined for the 192.168.1.0/24 network
    
    ip.src eq 192.168.1.0/24 - capture traffic coming from the 192.168.1.0/24 network
    

    Specifying ports

    tcp.port == 80 - capture traffic to or from port 80 (www)
    tcp.dstport == 80 - capture traffic going to port 80 (www)
    tcp.srcport == 80 - capture traffic coming from port 80 (www)
    

    Specifying a range of ports

    tcp.port >= 20 and tcp.port <= 25 - capture traffic to or from the port range 20 to 25. Note that either the source or the destination port needs to be in the range for a packet to be captured, e.g. source port 22 and destination port 50000 will be captured. Note also that each comparison is evaluated against both ports independently, so a packet can match with neither port in the range (e.g. source port 10 and destination port 50000: 10 satisfies <= 25 and 50000 satisfies >= 20).
    
    tcp.dstport >= 80 and tcp.dstport <= 1024 - capture traffic going to ports 80-1024
    
    tcp.srcport ge 40000 and tcp.srcport le 50000 - capture traffic coming from ports 40000-50000. Note the use of ge and le instead of >= and <= respectively.
    

    Specifying protocols

    tcp  - capture TCP traffic
    udp - capture UDP traffic
    icmp - capture ICMP traffic
    arp - capture ARP traffic
    

    Combining multiple primitives

    tcp.dstport == 80 or ip.dst == 192.168.1.10 - capture traffic going to port 80 or to 192.168.1.10
    
    tcp.port == 80 and not (ip.src == 192.168.1.11 or ip.src == 192.168.1.12) - capture traffic to or from port 80 that is NOT coming from either 192.168.1.11 or 192.168.1.12
    
    !(ip.addr == 192.168.1.10) && !(tcp.port == 80) - skip traffic destined for port 80 or 192.168.1.10 (do not use the != notation here: ip.addr and tcp.port match either the source or the destination field, so ip.addr != x is true whenever just one of the two addresses differs, and you will receive unexpected results).
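Both pitfalls above (the port-range comparison and the != notation) come from Wireshark testing a comparison against every occurrence of a multi-valued field such as ip.addr or tcp.port. The Python model below, added here and not part of the original post, reproduces that any-match behaviour on constructed packet summaries and contrasts it with the filter forms that behave as intended; the Pkt class and function names are this example's own, and the != behaviour modelled is the legacy one the post warns about (newer Wireshark releases changed != to mean "all not equal" and offer tcp.port in {lo..hi} for ranges).

```python
import operator
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    """Constructed packet summary; ip.addr and tcp.port are multi-valued in Wireshark."""
    ip_src: str
    ip_dst: str
    tcp_srcport: int
    tcp_dstport: int

    def field(self, name):
        # Every occurrence of the field in the packet is a candidate value for a comparison
        return {
            "ip.addr": [self.ip_src, self.ip_dst],
            "ip.src": [self.ip_src],
            "ip.dst": [self.ip_dst],
            "tcp.port": [self.tcp_srcport, self.tcp_dstport],
            "tcp.srcport": [self.tcp_srcport],
            "tcp.dstport": [self.tcp_dstport],
        }[name]

OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge, "<=": operator.le}

def field_cmp(pkt, name, op, value):
    """Display-filter comparison: true if ANY occurrence of the field satisfies it."""
    return any(OPS[op](v, value) for v in pkt.field(name))

def addr_ne_pitfall(pkt, ip):
    """ip.addr != ip under any-match semantics: true whenever just one address differs."""
    return field_cmp(pkt, "ip.addr", "!=", ip)

def addr_ne_correct(pkt, ip):
    """!(ip.addr == ip): true only when neither address is ip."""
    return not field_cmp(pkt, "ip.addr", "==", ip)

def port_range_pitfall(pkt, lo, hi):
    """tcp.port >= lo and tcp.port <= hi: the two comparisons may be met by different ports."""
    return field_cmp(pkt, "tcp.port", ">=", lo) and field_cmp(pkt, "tcp.port", "<=", hi)

def port_range_member(pkt, lo, hi):
    """tcp.port in {lo..hi}: one and the same port must lie inside the range."""
    return any(lo <= p <= hi for p in pkt.field("tcp.port"))
```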
    

    Advanced Filters

    tshark -T fields -e ip.dst -e http.request.uri -R "http.request.method == \"GET\"" - display all requested URIs when the HTTP method GET is used.
    
    tshark -R "tcp.flags.syn == 1" - capture packets which have the SYN flag set
    
    tshark -T fields -e http.cookie -R "http and http.cookie[0:4] == \"PREF\"" - display all HTTP cookies whose first four bytes are "PREF"
    
    tshark -T fields -e http.cookie -R "http and http.cookie[-20:20] contains \"GMAIL\"" - match the last 20 characters of the cookie for the presence of the GMAIL keyword.
    
    tshark -T fields -e http.cookie -R "frame[100:] contains \"GMAIL\"" -d tcp.port=1234,http - match the frame from byte offset 100 onward for the presence of the keyword "GMAIL" and interpret the traffic as HTTP running on the nonstandard port 1234
    
    tshark -T fields -e http.cookie -R "http and lower(http.cookie) contains \"pref\"" - display all HTTP cookies which contain the keyword pref. You can use lower() and upper() to create case-insensitive matches.
    
    tshark -T fields -e http.cookie -R "http and http.cookie matches \"^PREF.*MAIL\"" - display all HTTP cookies which begin with the keyword PREF and contain the keyword MAIL. The matches operator takes Perl-compatible (PCRE) regular expression syntax.
    

    WIRESHARK/TSHARK UTILITIES

    The Wireshark suite includes a number of command line utilities useful for packet filtering.

    editcap is a powerful editing utility that can read, edit, and save packet captures in a variety of formats, including pcap. Here are a few use cases for this tool:
    

    Extract packets from a time range

    editcap -A "2008-10-08 09:00:00" -B "2008-10-08 10:00:00" input.pcap output.pcap
    

    output.pcap file will be created containing all packets within the range.

    editcap -r -A "2008-10-08 09:00:00" -B "2008-10-08 10:00:00" input.pcap output2.pcap
    

    output2.pcap will contain all packets EXCEPT the range specified above.

    Extract packets by count

    editcap -r input.pcap output.pcap 1-10 90-100
    

    The above will extract packets 1-10 and 90-100 (inclusive) and store them in output.pcap (-r reverses the selection so that the listed packets are kept rather than dropped).

    editcap input.pcap output.pcap 1-10 90-100
    

    The above will save all packets from input.pcap except 1-10 and 90-100 into output.pcap

    Split large captures

    editcap -c 1000 input.pcap split.pcap
    

    One or more pcap files will be created, named split.pcap-0000, split.pcap-0001, etc. Each chunk will contain at most 1000 packets.

    Merge multiple captures

    mergecap -w big.pcap small-1.pcap small-2.pcap small-3.pcap
    

    Published on May 25th, 2010 by iphelix
