Complete list of byte offsets for filtering with TCPDump

noyd
Joined: 30 Sep 2004
Posts: 0
Location: Europe
PostPosted: Thu Nov 04, 2004 4:24 pm    Post subject: Complete list of byte offsets for filtering with TCPDump

After wandering the net for TCPDump papers I've found some quite good info for those dealing with large traffic log files: TCPDump bit masking.
Filtering with TCPDump using bit masking ends up being a good practicing tool (and also very helpful) for those seeking a solid knowledge of tcpdump applicability.

If you do a search about bitmasking you will find more information on this subject. Click Here for more info.

Expressions
Code:

[x:y]      start at offset x from the beginning of packet and read y bytes
[x]      abbreviation for [x:1]
proto[x:y]   start at offset x into the proto header and read y bytes

p[x:y] & z = 0   p[x:y] has none of the bits selected by z
p[x:y] & z != 0   p[x:y] has any  of the bits selected by z
p[x:y] & z = z   p[x:y] has all  of the bits selected by z
p[x:y] = z   p[x:y] has only    the bits selected by z


IP byte offsets
Code:

ip[0] & 0xf0      - protocol version (high nibble; 0x40 = IPv4)
ip[0] & 0x0f      - internet header length, in 32-bit words (5 = no options)
ip[1]         - TOS
ip[2:2]         - Total length
ip[4:2]         - IP identification
ip[6] & 0xe0      - IP flags (0x80 reserved, 0x40 DF, 0x20 MF)
ip[6:2] & 0x1fff    - fragment offset area
ip[8]         - TTL
ip[9]         - protocol field
ip[10:2]      - header checksum
ip[12:4]      - src IP address
ip[16:4]      - dst IP address
ip[20:3]      - options
ip[24]         - padding


TCP byte offsets
Code:

tcp[0:2]      - src port
tcp[2:2]      - dst port
tcp[4:4]      - seq number
tcp[8:4]      - ack number
tcp[12] & 0xf0   - data offset (high nibble; TCP header length in 32-bit words)
tcp[12] & 0x0f   - reserved
tcp[13]         - tcp flags

tcp[13] & 0x3f = 0   - no flags set (null packet)
tcp[13] & 0x11 = 1   - FIN set and ACK not set
tcp[13] & 0x03 = 3   - SYN set and FIN set
tcp[13] & 0x05 = 5   - RST set and FIN set
tcp[13] & 0x06 = 6   - SYN set and RST set
tcp[13] & 0x18 = 8   - PSH set and ACK not set
tcp[13] & 0x30 = 0x20   - URG set and ACK not set
tcp[13] & 0xc0 != 0   - >= one of the reserved bits of tcp[13] is set
tcp[14:2]      - window
tcp[16:2]      - checksum
tcp[18:2]      - urgent pointer
tcp[20:3]      - options
tcp[23]         - padding
tcp[24]         - data

Detail on Flags:

Flags      Numerically      Meaning
=====      ===========      =======
---- --S-   0000 0010 = 0x02   normal syn
---A --S-   0001 0010 = 0x12   normal syn-ack
---A ----   0001 0000 = 0x10   normal ack
--UA P---   0011 1000 = 0x38   psh-urg-ack. interactive stuff like ssh
---A -R--   0001 0100 = 0x14   rst-ack. it happens.
---- --SF   0000 0011 = 0x03   syn-fin scan
--U- P--F   0010 1001 = 0x29   urg-psh-fin. nmap fingerprint packet
-Y-- ----   0100 0000 = 0x40   anything >= 0x40 has a reserved bit set
XY-- ----   1100 0000 = 0xC0   both reserved bits set
XYUA PRSF   1111 1111 = 0xFF   FULL_XMAS scan


UDP byte offsets
Code:

udp[0:2]      - src port
udp[2:2]      - dst port
udp[4:2]      - length
udp[6:2]      - checksum
udp[8:4]      - first 4 octets of data


ICMP byte offsets
Code:

icmp[0]         - type
icmp[1]         - code
icmp[2:2]      - checksum

Destination Unreachable:
icmp[0] = 0x3 (3)

icmp[4:4]      - unused (per RFC)
icmp[8:4]      - internet header + 64 bits original data
icmp[1]         - 0 = net unreachable;
         - 1 = host unreachable;
         - 2 = protocol unreachable;
         - 3 = port unreachable;
         - 4 = fragmentation needed and DF set;
         - 5 = source route failed.

Time Exceeded:
icmp[0] = 0xB (11)   

icmp[4:4]      - unused (per RFC)
icmp[8:4]      - internet header + 64 bits original data
icmp[1]         - 0 = TTL exceeded in transit
         - 1 = fragment reassembly time exceeded

Parameter Problem:
icmp[0] = 0xC (12)   

icmp[1]         - 0 = pointer indicates error
icmp[4]         - pointer
icmp[5:3]      - unused, per RFC
icmp[8:4]      - internet header + 64 bits original data


Source Quench:
icmp[0] = 0x4 (4)

icmp[1]         - 0 = may be received by gateway or host
icmp[4:4]      - unused, per RFC
icmp[8:4]      - internet header + 64 bits original data

Redirect Message:
icmp[0] = 0x5 (5)

icmp[1]         - 0 = redirect for network
         - 1 = redirect for host
         - 2 = redirect for TOS & network
         - 3 = redirect for TOS & host
icmp[4:4]      - gateway internet address
icmp[8:4]      - internet header + 64 bits original data

Echo/Echo Reply:
icmp[0]   = 0x0 (0) (echo reply)
icmp[0]   = 0x8 (8) (echo request)

icmp[4:2]      - identifier
icmp[6:2]      - sequence number
icmp[8]         - data begins
      
Timestamp/Timestamp Reply:
icmp[0] = 0xD (13) (timestamp request)
icmp[0] = 0xE (14) (timestamp reply)

icmp[1]         - 0
icmp[4:2]      - identifier
icmp[6:2]      - sequence number
icmp[8:4]      - originate timestamp
icmp[12:4]      - receive timestamp
icmp[16:4]      - transmit timestamp

Information Request/Reply:
icmp[0] = 0xF (15) (info request)
icmp[0] = 0x10  (16) (info reply)

icmp[1]         - 0
icmp[4:2]      - identifier
icmp[6:2]      - sequence number

Address Mask Request/Reply:
icmp[0] = 0x11 (17) (address mask request)
icmp[0] = 0x12 (18) (address mask reply)


Examples...:
Code:

is some kind of SYN-FIN
(tcp[13] & 0x03) = 3

land attack
ip[12:4] = ip[16:4]

winnuke
(tcp[2:2] = 139) && (tcp[13] & 0x20 != 0) && (tcp[19] & 0x01 = 1)

things other than ACK/PSH
(tcp[13] & 0xe7) != 0

initial fragments
(ip[6] & 0x20 != 0) && (ip[6:2] & 0x1fff = 0)

intervening fragments
(ip[6] & 0x20 != 0) && (ip[6:2] & 0x1fff != 0)

terminal fragments
(ip[6] & 0x20 = 0) && (ip[6:2] & 0x1fff != 0)

has ip options
(ip[0] & 0x0f) != 5

ping o' death and its ilk
((ip[6] & 0x20 = 0) && (ip[6:2] & 0x1fff != 0)) && \
(65535 < (ip[2:2] + 8*(ip[6:2] & 0x1fff)))


You can grab source information here:
http://packet.node.to/hacks/byte_offsets.txt

Enjoy.
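To make the offset/bit-mask listings and the filter examples above concrete, here is an added Python example that is not part of the post and not taken from the packet.node.to source. It implements the `proto[x:y]` accessors with tcpdump's semantics (a big-endian integer of y bytes starting at offset x of that protocol's header, transport-layer accessors only evaluated on the first fragment), renders tcp[13] in the "XYUA PRSF" notation of the flag table, and runs the Examples filters (land attack, SYN-FIN, null, fragment classes, ping o' death, IP options) over a handful of constructed IPv4 packets. All packets and addresses are constructed test data with zeroed checksums; the function and dictionary names are assumptions of this example.

```python
# Added example (not from the post or packet.node.to): evaluates the byte-offset
# and bit-mask filters from the listing against raw IPv4 packets.
# Every packet below is constructed test data; checksums are left as zero.
import struct
from socket import inet_aton


def build_ipv4(src, dst, proto, payload, ihl_words=5, flags=0, frag_off=0, ttl=64):
    """Constructed IPv4 header (plus zeroed options when ihl_words > 5) and payload.
    flags is the 3-bit field: 0x1 = MF (more fragments), 0x2 = DF."""
    ver_ihl = (4 << 4) | ihl_words
    total_len = ihl_words * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 1,
                      (flags << 13) | frag_off, ttl, proto, 0,
                      inet_aton(src), inet_aton(dst))
    return hdr + b"\x00" * ((ihl_words - 5) * 4) + payload


def build_tcp(sport, dport, flags, data_off_words=5):
    """Constructed TCP header; flags is the tcp[13] byte in XYUA PRSF bit order."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                       data_off_words << 4, flags, 8192, 0, 0)


# proto[x:y] accessors with tcpdump semantics: y bytes at offset x of the
# protocol header, read as a big-endian integer (y defaults to 1, like [x]).
def ip(pkt, x, y=1):
    return int.from_bytes(pkt[x:x + y], "big")


def _ihl(pkt):
    return (pkt[0] & 0x0f) * 4          # ip[0] & 0x0f = header length in 32-bit words


def tcp(pkt, x, y=1):
    base = _ihl(pkt)
    return int.from_bytes(pkt[base + x:base + x + y], "big")


icmp = tcp                              # same arithmetic: header follows the IP header


def flag_string(flags):
    """Render tcp[13] in the 'XYUA PRSF' notation used in the flag table."""
    names = "XYUAPRSF"
    s = "".join(n if flags & (0x80 >> i) else "-" for i, n in enumerate(names))
    return s[:4] + " " + s[4:]


def classify(pkt):
    """Apply the filters from the Examples section; return the labels that match."""
    hits = set()
    if ip(pkt, 12, 4) == ip(pkt, 16, 4):
        hits.add("land attack")
    if (ip(pkt, 0) & 0x0f) != 5:
        hits.add("has ip options")
    mf = ip(pkt, 6) & 0x20 != 0             # MF bit
    frag = ip(pkt, 6, 2) & 0x1fff           # fragment offset, in 8-byte units
    if mf and frag == 0:
        hits.add("initial fragment")
    if mf and frag != 0:
        hits.add("intervening fragment")
    if not mf and frag != 0:
        hits.add("terminal fragment")
        if 65535 < ip(pkt, 2, 2) + 8 * frag:  # reassembled datagram would exceed 64 KiB
            hits.add("ping o' death")
    # tcpdump evaluates tcp[]/icmp[] only on the first fragment (offset 0):
    # later fragments carry no transport header, so those filters never match them.
    if frag == 0 and ip(pkt, 9) == 6:
        f = tcp(pkt, 13)
        if f & 0x3f == 0:
            hits.add("null scan")
        if f & 0x03 == 3:
            hits.add("syn-fin")
        if f & 0xe7 != 0:
            hits.add("things other than ack/psh")
        if f & 0xc0 != 0:
            hits.add("reserved bits set")
    if frag == 0 and ip(pkt, 9) == 1:
        if icmp(pkt, 0) == 3 and icmp(pkt, 1) == 3:
            hits.add("icmp port unreachable")
    return hits


# Constructed sample packets (test data, not captured traffic).
SAMPLES = {
    "syn":     build_ipv4("10.0.0.1", "10.0.0.2", 6, build_tcp(1234, 80, 0x02)),
    "ack":     build_ipv4("10.0.0.1", "10.0.0.2", 6, build_tcp(1234, 80, 0x10), ihl_words=6),
    "null":    build_ipv4("10.0.0.1", "10.0.0.2", 6, build_tcp(1234, 80, 0x00)),
    "land":    build_ipv4("10.0.0.2", "10.0.0.2", 6, build_tcp(80, 80, 0x03)),
    "first":   build_ipv4("10.0.0.1", "10.0.0.2", 6, build_tcp(1234, 80, 0x02), flags=0x1),
    "middle":  build_ipv4("10.0.0.1", "10.0.0.2", 6, b"\x00" * 8, flags=0x1, frag_off=1),
    "pod":     build_ipv4("10.0.0.1", "10.0.0.2", 1, b"\x00" * 80, frag_off=8190),
    "unreach": build_ipv4("10.0.0.2", "10.0.0.1", 1, struct.pack("!BBHI", 3, 3, 0, 0)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:8s} -> {sorted(classify(pkt))}")
```

The "ack" sample carries IP options (IHL 6) and only the ACK bit, so it trips the options filter but not `tcp[13] & 0xe7`, while the "middle" fragment is classified purely from the IP header because there is no TCP header to read. The `pod` sample shows why the ping o' death check multiplies the fragment offset by 8 before comparing against 65535.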
Sgt_B
Joined: 28 Oct 2002
Posts: 16777215
Location: Chicago, IL US

PostPosted: Thu Nov 04, 2004 7:59 pm    Post subject:

Good information, thanks for sharing your research.

Thanks for noting the source of the information as well.
JaxGough
Joined: 04 Oct 2004
Posts: 1
Location: UK

PostPosted: Thu Jan 06, 2005 4:03 am    Post subject: TCPDump filtering

Excellent work. Would you mind if I used it to help/teach other people that I work with? You will, of course, be fully credited.

Once again, excellent work.

Jax
Whitetoque
Joined: 23 Apr 2004
Posts: 0
Location: Canada's National Capital Region

PostPosted: Thu Jan 06, 2005 6:33 am    Post subject:

Great job!

I've passed the link to your posting on to my coworkers!

Cheers,

Ted
ShaolinTiger
Joined: 18 Apr 2002
Posts: 16777215
Location: Kuala Lumpur, Malaysia

PostPosted: Thu Jan 06, 2005 7:02 am    Post subject:

Hey that's some uber useful info, thanks a lot for posting it.

Combined with Don's tutorials I'm sure it'll aid a lot of people.
noyd
Joined: 30 Sep 2004
Posts: 0
Location: Europe

PostPosted: Wed Jan 12, 2005 6:34 pm    Post subject:

I thank all of you for your nice feedback on this.

Use it the way you like, it's for all of you.