Complete list of byte offsets for filtering with TCPDump

Networking/Security Forums -> Firewalls // Intrusion Detection - External Security

Author: noyd    Location: Europe    Posted: Thu Nov 04, 2004 4:24 pm    Post subject: Complete list of byte offsets for filtering with TCPDump
    ----
After wandering the net for TCPDump papers I've found some quite good info for those dealing with large traffic log files: TCPDump bit masking.
Filtering with TCPDump using bit masking turns out to be a good practice tool (and also very helpful) for those seeking solid knowledge of tcpdump's applicability.

If you do a search about bitmasking you will find more information on this subject.

Expressions
Code:

[x:y]      start at offset x from the beginning of packet and read y bytes
[x]      abbreviation for [x:1]
proto[x:y]   start at offset x into the proto header and read y bytes

p[x:y] & z = 0   p[x:y] has none of the bits selected by z
p[x:y] & z != 0   p[x:y] has any  of the bits selected by z
p[x:y] & z = z   p[x:y] has all  of the bits selected by z
p[x:y] = z   p[x:y] has only    the bits selected by z


IP byte offsets
Code:

ip[0] & 0xf0      - protocol version (high nibble; 0x40 for IPv4)
ip[0] & 0x0f      - internet header length (IHL, low nibble, in 32-bit words; 5 = no options)
ip[1]         - TOS
ip[2:2]         - Total length
ip[4:2]         - IP identification
ip[6] & 0xe0      - IP flags (0x80 reserved, 0x40 DF, 0x20 MF)
ip[6:2] & 0x1fff    - fragment offset area
ip[8]         - TTL
ip[9]         - protocol field
ip[10:2]      - header checksum
ip[12:4]      - src IP address
ip[16:4]      - dst IP address
ip[20:3]      - options
ip[24]         - padding


TCP byte offsets
Code:

tcp[0:2]      - src port
tcp[2:2]      - dst port
tcp[4:4]      - seq number
tcp[8:4]      - ack number
tcp[12] & 0xf0      - data offset (high nibble; TCP header length in 32-bit words)
tcp[12] & 0x0f      - reserved (low nibble)
tcp[13]         - tcp flags

tcp[13] & 0x3f = 0   - no flags set (null packet)
tcp[13] & 0x11 = 1   - FIN set and ACK not set
tcp[13] & 0x03 = 3   - SYN set and FIN set
tcp[13] & 0x05 = 5   - RST set and FIN set
tcp[13] & 0x06 = 6   - SYN set and RST set
tcp[13] & 0x18 = 8   - PSH set and ACK not set
tcp[13] & 0x30 = 0x20   - URG set and ACK not set
tcp[13] & 0xc0 != 0   - >= one of the reserved bits of tcp[13] is set
tcp[14:2]      - window
tcp[16:2]      - checksum
tcp[18:2]      - urgent pointer
tcp[20:3]      - options
tcp[23]         - padding
tcp[24]         - data

Detail on Flags:

Flags      Numerically      Meaning
=====      ===========      =======
---- --S-   0000 0010 = 0x02   normal syn
---A --S-   0001 0010 = 0x12   normal syn-ack
---A ----   0001 0000 = 0x10   normal ack
--UA P---   0011 1000 = 0x38   psh-urg-ack. interactive stuff like ssh
---A -R--   0001 0100 = 0x14   rst-ack. it happens.
---- --SF   0000 0011 = 0x03   syn-fin scan
--U- P--F   0010 1001 = 0x29   urg-psh-fin. nmap fingerprint packet
-Y-- ----   0100 0000 = 0x40   anything >= 0x40 has a reserved bit set
XY-- ----   1100 0000 = 0xC0   both reserved bits set
XYUA PRSF   1111 1111 = 0xFF   FULL_XMAS scan


UDP byte offsets
Code:

udp[0:2]      - src port
udp[2:2]      - dst port
udp[4:2]      - length
udp[6:2]      - checksum
udp[8:4]      - first 4 octets of data


ICMP byte offsets
Code:

icmp[0]         - type
icmp[1]         - code
icmp[2:2]      - checksum

Destination Unreachable:
icmp[0] = 0x3 (3)

icmp[4:4]      - unused (per RFC)
icmp[8:4]      - internet header + 64 bits original data
icmp[1]         - 0 = net unreachable;
         - 1 = host unreachable;
         - 2 = protocol unreachable;
         - 3 = port unreachable;
         - 4 = fragmentation needed and DF set;
         - 5 = source route failed.

Time Exceeded:
icmp[0] = 0xB (11)   

icmp[4:4]      - unused (per RFC)
icmp[8:4]      - internet header + 64 bits original data
icmp[1]         - 0 = TTL exceeded in transit
         - 1 = fragment reassembly time exceeded

Parameter Problem:
icmp[0] = 0xC (12)   

icmp[1]         - 0 = pointer indicates error
icmp[4]         - pointer
icmp[5:3]      - unused, per RFC
icmp[8:4]      - internet header + 64 bits original data


Source Quench:
icmp[0] = 0x4 (4)

icmp[1]         - 0 = may be received by gateway or host
icmp[4:4]      - unused, per RFC
icmp[8:4]      - internet header + 64 bits original data

Redirect Message:
icmp[0] = 0x5 (5)

icmp[1]         - 0 = redirect for network
         - 1 = redirect for host
         - 2 = redirect for TOS & network
         - 3 = redirect for TOS & host
icmp[4:4]      - gateway internet address
icmp[8:4]      - internet header + 64 bits original data

Echo/Echo Reply:
icmp[0]   = 0x0 (0) (echo reply)
icmp[0]   = 0x8 (8) (echo request)

icmp[4:2]      - identifier
icmp[6:2]      - sequence number
icmp[8]         - data begins
      
Timestamp/Timestamp Reply:
icmp[0] = 0xD (13) (timestamp request)
icmp[0] = 0xE (14) (timestamp reply)

icmp[1]         - 0
icmp[4:2]      - identifier
icmp[6:2]      - sequence number
icmp[8:4]      - originate timestamp
icmp[12:4]      - receive timestamp
icmp[16:4]      - transmit timestamp

Information Request/Reply:
icmp[0] = 0xF (15) (info request)
icmp[0] = 0x10  (16) (info reply)

icmp[1]         - 0
icmp[4:2]      - identifier
icmp[6:2]      - sequence number

Address Mask Request/Reply:
icmp[0] = 0x11 (17) (address mask request)
icmp[0] = 0x12 (18) (address mask reply)


Examples...:
Code:

is some kind of SYN-FIN
(tcp[13] & 0x03) = 3

land attack
ip[12:4] = ip[16:4]

winnuke
(tcp[2:2] = 139) && (tcp[13] & 0x20 != 0) && (tcp[19] & 0x01 = 1)

things other than ACK/PSH
(tcp[13] & 0xe7) != 0

initial fragments
(ip[6] & 0x20 != 0) && (ip[6:2] & 0x1fff = 0)

intervening fragments
(ip[6] & 0x20 != 0) && (ip[6:2] & 0x1fff != 0)

terminal fragments
(ip[6] & 0x20 = 0) && (ip[6:2] & 0x1fff != 0)

has ip options
(ip[0] & 0x0f) != 5

ping o' death and its ilk
((ip[6] & 0x20 = 0) && (ip[6:2] & 0x1fff != 0)) && \
(65535 < (ip[2:2] + 8*(ip[6:2] & 0x1fff)))


You can grab source information here:
http://packet.node.to/hacks/byte_offsets.txt

Enjoy.
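As an added illustration (not part of noyd's post or of the linked byte_offsets.txt), the following Python applies several of the ip[x:y] and tcp[x:y] expressions above to a constructed IPv4+TCP packet. It shows the detail tcpdump hides from you: tcp[] offsets are relative to the TCP header, which starts 4*IHL bytes into the IP packet, so the IHL nibble has to be honoured first. The function names (ip_field, tcp_field, classify, build_packet) and the sample packet are my own.

```python
import socket
import struct

def ip_field(pkt, x, y=1):
    """tcpdump's ip[x:y]: y bytes at offset x of the IP header, read big-endian."""
    return int.from_bytes(pkt[x:x + y], "big")

def tcp_field(pkt, x, y=1):
    """tcpdump's tcp[x:y]: offsets are relative to the TCP header, which
    starts 4*IHL bytes in (IHL is the low nibble of ip[0])."""
    base = (pkt[0] & 0x0f) * 4
    return int.from_bytes(pkt[base + x:base + x + y], "big")

def classify(pkt):
    """Apply several of the filters from the list above; return the names that match."""
    hits = []
    if ip_field(pkt, 0) & 0x0f != 5:                     # (ip[0] & 0x0f) != 5
        hits.append("has ip options")
    if ip_field(pkt, 12, 4) == ip_field(pkt, 16, 4):     # ip[12:4] = ip[16:4]
        hits.append("land attack")
    mf = ip_field(pkt, 6) & 0x20 != 0                    # More Fragments bit
    frag = ip_field(pkt, 6, 2) & 0x1fff                  # 13-bit fragment offset
    if mf and frag == 0:
        hits.append("initial fragment")
    elif mf:
        hits.append("intervening fragment")
    elif frag != 0:
        hits.append("terminal fragment")
    # tcp[] is only meaningful when the TCP header is actually present:
    # an unfragmented TCP packet or the first fragment of one.
    if ip_field(pkt, 9) == 6 and frag == 0:
        flags = tcp_field(pkt, 13)
        if flags & 0x3f == 0:                            # tcp[13] & 0x3f = 0
            hits.append("null scan")
        if flags & 0x03 == 3:                            # (tcp[13] & 0x03) = 3
            hits.append("syn-fin")
        if flags & 0xc0 != 0:                            # tcp[13] & 0xc0 != 0
            hits.append("ECE/CWR (old reserved) bits set")
    return hits

def build_packet(src, dst, tcp_flags=0x02, frag_word=0x4000, options=b""):
    """Constructed sample only: a minimal IPv4+TCP packet with zero checksums, never sent.
    frag_word is the 16-bit flags+fragment-offset word (0x4000 = DF, 0x2000 = MF)."""
    ihl = 5 + len(options) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, tcp_flags, 1024, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(tcp), 1,
                     frag_word, 64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + options + tcp
```

Feeding build_packet("10.0.0.1", "10.0.0.2", tcp_flags=0x03) to classify returns ["syn-fin"], the same packet the (tcp[13] & 0x03) = 3 filter above would select.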

Author: Sgt_B    Location: Chicago, IL US    Posted: Thu Nov 04, 2004 7:59 pm    Post subject:
    ----
Good information, thanks for sharing your research.

Thanks for noting the source of the information as well.

Author: JaxGough    Location: UK    Posted: Thu Jan 06, 2005 4:03 am    Post subject: TCPDump filtering
    ----
Excellent work. Would you mind if I used it to help/teach other people that I work with? You will, of course, be fully credited.

Once again, excellent work

Jax

Author: Whitetoque    Location: Canada's National Capital Region    Posted: Thu Jan 06, 2005 6:33 am    Post subject:
    ----
Great job!

I've passed the link to your posting on to my coworkers!

Cheers,

Ted

Author: ShaolinTiger    Location: Kuala Lumpur, Malaysia    Posted: Thu Jan 06, 2005 7:02 am    Post subject:
    ----
Hey that's some uber useful info, thanks a lot for posting it.

Combined with Don's tutorials I'm sure it'll aid a lot of people.

Author: noyd    Location: Europe    Posted: Wed Jan 12, 2005 6:34 pm    Post subject:
    ----
I thank all of you for your nice feedback on this.

Use it the way you like, it's for all of you.


