Bitmask usage 101 - TCPdump bitmasking simplified

Networking/Security Forums -> Firewalls // Intrusion Detection - External Security

Author: alt.don PostPosted: Sun Mar 23, 2003 9:03 pm    Post subject: Bitmask usage 101 - TCPdump bitmasking simplified
    ----
Bit Masking Simplified

The purpose of bit masking is to allow you to specify specific byte offsets in various protocols, ie: parse a large tcpdump file looking for specific flag combinations such as syn, syn/ack, psh/ack.

Where this would be of benefit is when, for example, we are looking over a large port 80 scan directed against our networks. The sheer volume of syn packets plus possible reset packets makes looking over this tcpdump file a chore, one that could result in missing potentially critical packets due to analyst fatigue and/or eye strain. With a proper bit mask in place one can filter many megs of traffic and whittle it down to a very manageable size showing only psh/acks, for example.

This will help in looking for specific flag combinations for specific ip addresses. In essence it will save you time, allowing you to work more efficiently.

The examples shown below relate only to the tcp header and not icmp, udp, or others. The same theory applies to all the protocols though. One just needs to see what byte offset one wants to filter, and then apply the same concepts described below.

The two IP addresses used here for example purposes will be

10.10.10.100 and 192.168.2.100

The examples shown below as well are done using tcpdump, hence the tcpdump style filters.

Code:
tcpdump -nXvs 0 'tcp and host 10.10.10.100 and (tcp[13] & 2 != 0)'


The above noted breaks out as so;

a) nXvs 0 The n means don't convert ip addys to canonical names ie: leave them in # format. The X means print output in both hex and ascii. The v means to be verbose ie: print out all header info such as ip id numbers and the such. The s means the snaplength. This is the amount of the packet you want to look at. You can put a number after the s or leave it at 0, which will be your default setting.

b) tcp and host 10.10.10.100 This is where you are specifying that you want to see the tcp protocol and you are specifying as well the host address on which you are running this filter against.

c) and (tcp[13] & 2 !=0) This here is the meat of your bit mask. You are using and because you are specifying another argument. The ( tells tcpdump this is the beginning of an argument. The tcp denotes the tcp protocol, and [13] denotes the byte offset in the tcp header. The & is a primitive allowing you to combine arguments. The 2 !=0 denotes the decimal value in the 13th byte that you want to see. More to follow on what decimal value equates to what flag in the next subpara. The !=0 means that the bit representing decimal value 2 should be set to 1 ie: the flag is set, vice not being set, which would be a binary value of 0. The ) denotes that this is the end of the argument.

d) As mentioned in subpara c above, the 13th byte is composed of 8 bits. Each of these bits represents various flags. From the right of the byte the first two bits are assigned to error congestion ie: ecn and are not applicable to our bit masking purposes. These first two bits from the right have values of 128 and 64.

The following bit values from the right are:

Code:
URG - ACK - PSH - RST - SYN - FIN
 32    16     8     4     2     1


With the values set out above for the 13th byte of the tcp header you can now filter out whichever values you wish, whether they be combinations of flags, as will be shown below, or simply one flag, as shown above.

The below noted example now shows you how to specify several flags in your bit mask.

Code:
tcpdump -nXvs 0 'tcp and host 192.168.2.100 and ((tcp[13] & 16 != 0) and (tcp[13] & 8 != 0))'


The above noted bit mask filter shows you that the psh and ack flags for 192.168.2.100 tcp traffic will be pulled. We have two (( brackets now because we have added a second argument ie: (tcp[13] & 8 !=0). So due to this we now need a second bracket to close the argument. You will however get all psh/acks associated with 192.168.2.100. This may be undesirable if this addy has swept an entire subnet, for example. If you want to further refine your search you can specify two specific hosts with the above mentioned bit mask, as evidenced below.

Code:
tcpdump -nXvs 0 'tcp and host 10.10.10.100 and host 192.168.2.100 and ((tcp[13] & 16 != 0) and (tcp[13] & 8 != 0))'


Or you can also do the above with specific ports in mind, whether they be source or destination. Please see below.

Code:
tcpdump -nXvs 0 'tcp and host 10.10.10.100 and host 192.168.2.100 and dst port 80 and ((tcp[13] & 16 != 0) and (tcp[13] & 8 != 0))'


I just realized that I failed to put in an example showing how you apply bitmasking against a binary file (ie: little endian). Please see the below noted for an example of how you would do it.

Code:

tcpdump -r file_name -nXvs 1514 'tcp[13] = 18'

Please note that the value of 18 equates to the decimal value of the flags you want to find. In this case 18 equals both the Syn and Ack flags being set in the 13th byte of the TCP header.

The above several noted examples use standard tcpdump filters incorporated with bit masking. The amalgamation of the two will allow you to build complex filters, thereby simplifying your task. There are ways of shortening the filters through the use of primitives; however, these would be advanced filters. You would need to first be comfortable in the writing of the above before moving on to further complex filters. Should you have any further questions on the above or bit masking in general please feel free to see me or drop me a PM.

Shouts to Spyguy for some timely help on a command syntax that had me stumped; between the two of us we figured it out.


Last edited by alt.don on Sun May 02, 2004 2:26 am; edited 2 times in total
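The following is an added example, not part of the post above, that models in Python what the tcpdump expressions in the post actually test, so it can be run without a capture file or tcpdump. It builds constructed 20-byte TCP headers with a chosen flags octet, reads byte 13 the way `tcp[13]` does, and implements the three filter shapes used in the thread: `tcp[13] & M != 0` (any flag in the mask), `tcp[13] & M = M` (every flag in the mask, which is the shorter equivalent of `(tcp[13] & 16 != 0) and (tcp[13] & 8 != 0)`), and `tcp[13] = V` (the whole octet equals V). The sample segments, the flag table and all function names are my own assumptions for illustration. One thing the run makes visible: a SYN/ACK that also carries ECE (value 82, which ECN-capable stacks do send) matches `tcp[13] & 18 = 18` but is missed by `tcp[13] = 18`.

```python
# Added example (not from the original post): a small Python model of what the
# tcpdump expressions in the thread test against byte 13 of the TCP header.
import struct

# Flag bit values of TCP header byte 13 (the flags octet), bit 7 down to bit 0.
# CWR and ECE are the two ECN bits the post sets aside (128 and 64).
TCP_FLAGS = {
    "CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
    "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01,
}

def flags_value(*names):
    """Combine flag names into the value of tcp[13], e.g. ("SYN", "ACK") -> 18."""
    value = 0
    for name in names:
        value |= TCP_FLAGS[name.upper()]
    return value

def flags_names(value):
    """Decode a tcp[13] value back into flag names, high bit first."""
    return [n for n, bit in TCP_FLAGS.items() if value & bit]

def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=65535):
    """Constructed 20-byte TCP header (no options), as it sits after the IP header."""
    data_offset = 5 << 4   # 5 x 32-bit words, reserved/NS bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flags, window, 0, 0)

def tcp13(segment):
    """tcp[13]: the byte at offset 13 of the TCP header, i.e. the flags octet."""
    return segment[13]

# The three filter shapes from the thread, as predicates over a raw segment.
def any_of(mask):
    """tcp[13] & mask != 0 : at least one flag in mask is set."""
    return lambda seg: (tcp13(seg) & mask) != 0

def all_of(mask):
    """tcp[13] & mask = mask : every flag in mask is set, other flags ignored."""
    return lambda seg: (tcp13(seg) & mask) == mask

def exactly(value):
    """tcp[13] = value : the whole octet equals value, so no other flag may be set."""
    return lambda seg: tcp13(seg) == value

def expression(kind, mask):
    """The tcpdump filter expression each predicate corresponds to."""
    if kind == "any":
        return "tcp[13] & %d != 0" % mask
    if kind == "all":
        return "tcp[13] & %d = %d" % (mask, mask)
    if kind == "exact":
        return "tcp[13] = %d" % mask
    raise ValueError(kind)

# Constructed sample traffic (assumed, not captured): a SYN, a plain SYN/ACK,
# a SYN/ACK that also carries ECE, a PSH/ACK, a bare ACK and a RST.
SAMPLES = {
    "syn":         build_tcp_header(40000, 80, flags_value("SYN")),
    "syn_ack":     build_tcp_header(80, 40000, flags_value("SYN", "ACK")),
    "syn_ack_ece": build_tcp_header(80, 40000, flags_value("SYN", "ACK", "ECE")),
    "psh_ack":     build_tcp_header(40000, 80, flags_value("PSH", "ACK")),
    "ack":         build_tcp_header(40000, 80, flags_value("ACK")),
    "rst":         build_tcp_header(80, 40000, flags_value("RST")),
}

def matching(predicate, samples=SAMPLES):
    """Names of the sample segments the predicate selects, in insertion order."""
    return [name for name, seg in samples.items() if predicate(seg)]

if __name__ == "__main__":
    syn_ack = flags_value("SYN", "ACK")   # 18
    psh_ack = flags_value("PSH", "ACK")   # 24
    for kind, mask, pred in [
        ("any",   TCP_FLAGS["SYN"], any_of(TCP_FLAGS["SYN"])),
        ("all",   psh_ack,          all_of(psh_ack)),
        ("exact", syn_ack,          exactly(syn_ack)),
        ("all",   syn_ack,          all_of(syn_ack)),
    ]:
        print("%-22s -> %s" % (expression(kind, mask), matching(pred)))
    for name, seg in SAMPLES.items():
        value = tcp13(seg)
        print("%-12s tcp[13] = %3d  %s" % (name, value, "/".join(flags_names(value))))
```

When you want a combination regardless of what else is set, prefer the `tcp[13] & 24 = 24` form over `tcp[13] = 24`; reserve the equality form for when extra flags (ECE, URG) should be excluded. Current tcpdump also accepts the symbolic spelling `tcp[tcpflags] & (tcp-syn|tcp-ack) = (tcp-syn|tcp-ack)`, which reads the same octet.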

Author: Yousof  Location: Australia  PostPosted: Tue Dec 09, 2003 11:28 am    Post subject: Re: Bit masking 101 - TCPdump bitmasking simplified
    ----
alt.don wrote:
Bit Masking Simplified

Code:

tcpdump -r file_name -nXvs 1514 tcp[13] = 20

Please note that the value of 20 equates to the decimal value of the flags you want to find. In this case 20 equals both Syn and Ack flags being set in the 13th byte in the TCP header.


Just a general note. I think the code should be something like this:
Code:

tcpdump -F filter_name -r file_name -nXvs 1514
where filter_name contains:(accessed via vi)
tcp[13] & 2 !=0 and tcp[13] & 16 !=0
or you can use:
tcp[13] == 18 (instead of 20)


That will filter the SYN and ACK packets.

regards

Author: alt.don PostPosted: Tue Dec 09, 2003 4:08 pm    Post subject:
    ----
Quite right Yousof, and thanks for catching my typo. The == is not necessary actually, as just one will do. As well, there are many variations that you can do, as mentioned, including doing up bit filters ahead of time and accessing them from a file. Thanks for your input.

Author: delete852  Location: Washington DC  PostPosted: Tue Oct 19, 2004 10:36 pm    Post subject:
    ----
Hey, this is good, do you know of more papers that explain this in more detail?

Author: alt.don PostPosted: Tue Oct 19, 2004 10:57 pm    Post subject:
    ----
More detail? Actually it is about the most detailed paper of its kind, to be honest. Do you have other specific queries in mind? Lastly, it all comes down to also knowing your core protocols as well.

Author: njan  Location: Scotland, UK  PostPosted: Wed May 04, 2005 10:06 pm    Post subject:
    ----
Quote:
Lastly it all comes down to also knowing your core protocols as well.


Well put! This isn't much help to anyone who's restricted to finding information online (unless you can find an ebook to buy/download), but if anyone's reading this who's at a loss as to where to turn for information on packet analysis and/or Intrusion Detection, 'Network Intrusion Detection, third edition', which is written by Stephen Northcutt and Judy Novak is a spectacularly good read; worth reading for the explanation of TCP/IP it gives alone, and there is a *lot* in this book even for the seasoned professional (and in fact, even after half a dozen reads).

For anyone whose knowledge of TCP/IP is a little rusty the book is particularly good, as it goes into quite a lot of detail explaining TCP both theoretically and with reference to capturing data in tcpdump and snort (and with a lot of annotated packet dumps, case studies, and examples in the book) - the first 'Part' of the book, six chapters, is almost entirely a mix of practical and theoretical explanation of TCP/IP, and almost 100 pages long; the rest of my copy of the book (almost 400 pages) goes into great depth explaining Traffic Analysis (part two), Filters/Rules for Network Monitoring (part three), and 'Intrusion Infrastructure (part four), which, mysterious as it sounds, goes into analysis of a particular DoS attack, explains and explores Organisational issues and risk management, and examines responses (automated and manual), intrusion detection as a business service, and honeypots. The entire book is extremely well written and devastatingly detailed - each 'Part' is, on average, half a dozen chapters, each with several well-structured subsections.

To be honest, it's worth buying for the appendices alone, which are very very well written and detailed; the authors are some of SANS's finest, and this book is one of the best I've ever read (having given my wife about 12 hours of total peace and quiet on a long coach journey from Washington State to Utah).

http://www.amazon.com/exec/obidos/tg/detail/-/0735712654/qid=1115236223/sr=8-1/ref=sr_8_xs_ap_i1_xgl14/102-8636374-0653715?v=glance&s=books&n=507846
In case anyone's interested! If you want to find/order this book locally, the full title is "Network Intrusion Detection (3rd Edition)" by Stephen Northcutt, Judy Novak, published by Sams. ISBN is 0735712654.

Author: mmkhan PostPosted: Wed May 11, 2005 9:32 pm    Post subject:
    ----
Hi,
What I understood from this article and the ones on www.onlamp.com and windowsecurity.com is that we can do bitmasking in ethereal with the help of bpf filters and bitmask filters. Can you recommend a tutorial which explains bitmasking using ethereal?


Thanks

Author: Calzon0211 PostPosted: Fri Mar 11, 2011 12:42 pm    Post subject: Bitmask usage 101 - TCPdump bitmasking simplified
    ----
Thank you for the post alt.don. Can you please tell me what the difference is between TCPDUMP and WINDUMP, or which is better?

Author: alt.don PostPosted: Thu Apr 21, 2011 9:26 pm    Post subject:
    ----
Hello,

TCPDUMP runs on Linux/UNIX/Mac OS while windump runs on Microsoft Windows. They both do pretty much exactly the same thing.

Cheers,

Don

Author: alt.don PostPosted: Tue May 31, 2011 10:45 pm    Post subject:
    ----
Hello crates,

Welcome to the forum and you are quite welcome.

--Don


