Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides



TCPdump & Wireshark tips & tricks - Different how-tos and some information I find interesting about the two most famous traffic analysis tools.

Author: mandrei99
Post subject: Tcpdump filter packets with specified ip identification in ip header  |  Posted: Wed Jan 14, 2015 5:15 am


Tcpdump filter packets with specified ip identification in ip header

This article explains how to use tcpdump on a libpcap-formatted capture file to filter on a specific IP ID (not that I would like to go into how a packet ID can be predicted on an interface :) ).
Many network security engineers have to deal with situations where a firewall, IPS system, proxy or even a router/switch drops a specific file (the reasons are countless). When the packet responsible is identified and the issue can be reproduced, it is essential to replay the packet on a network device running the same software.

In other situations, you may have a debug log or trace file that specifies the ID of the offending packet. If the packet capture is also available, it is easy to output only that packet in tcpdump by using a byte offset into the specific protocol header.

To see how tcpdump filters work, we first need to see what the IPv4 header (internet header) looks like, as defined in RFC 791.
Code:
    0                   1                   2                   3   
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|      Fragment Offset    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Time to Live |    Protocol   |         Header Checksum       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Source Address                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Destination Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


So the "Identification" field of an IP packet is contained in the 4th and 5th bytes of the header, counting from byte 0. How do we express this in tcpdump's offset format?

Tcpdump has built-in keywords for specific protocol headers (not including payloads). In this case it is "ip".

So to filter on the 4th and 5th bytes of the IP header, the tcpdump filter used is: "ip[4:2]".
This means: start at the 4th byte and read two bytes. In the same way, the TCP flags field in the TCP header is tcp[13] or tcp[13:1] (start at the 13th byte and read only one byte).

Let's see an example. The capture file below contains two packets with different IP identification values:
Code:
# tcpdump -nr /tmp/tcpdump.pcap -v
reading from file /tmp/tcpdump.pcap, link-type EN10MB (Ethernet)
capability mode sandbox enabled
23:58:50.090759 IP (tos 0x10, ttl 128, id 24332, offset 0, flags [DF], proto TCP (6), length 204)
    10.1.1.1.22 > 192.168.0.109.53989: Flags [P.], seq 3661036793:3661036957, ack 2364476704, win 4106, length 164
23:58:50.092647 IP (tos 0x0, ttl 127, id 30947, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.0.109.53989 > 10.1.1.1.22: Flags [.], cksum 0x9aad (correct), ack 164, win 251, length 0


To see the tcpdump filter in action:
Code:
# tcpdump -nr /tmp/tcpdump.pcap -v 'ip[4:2] == 24332'
reading from file /tmp/tcpdump.pcap, link-type EN10MB (Ethernet)
capability mode sandbox enabled
23:58:50.090759 IP (tos 0x10, ttl 128, id 24332, offset 0, flags [DF], proto TCP (6), length 204)
    10.1.1.1.22 > 192.168.0.109.53989: Flags [P.], seq 3661036793:3661036957, ack 2364476704, win 4106, length 164

Note that the identification value that tcpdump accepts is a decimal value, not hex.
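
What `ip[4:2] == 24332` evaluates, reproduced in Python as an added example (not part of the original post): it walks a classic libpcap file, reads the two bytes at offset 4 of each IPv4 header and compares them with the ID taken from a debug log. The function names and the two-packet capture built by `sample_pcap` are constructed for illustration; only untagged Ethernet frames are handled.

```python
import struct

def ip_id_filter(ident):
    """Build the tcpdump expression from an ID given as int, decimal or 0x-hex text."""
    value = int(str(ident), 0)          # a debug log may print the ID as 0x5f0c
    if not 0 <= value <= 0xFFFF:
        raise ValueError("IP identification is a 16-bit field")
    return f"ip[4:2] == {value}"        # decimal, as in the article

def match_ip_id(pcap, ident):
    """Indexes of packets in a classic pcap (Ethernet) whose IPv4 ID equals ident."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"                    # file written on a little-endian host
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only link-type EN10MB is handled here")
    hits, pos, index = [], 24, 0
    while pos + 16 <= len(pcap):
        caplen = struct.unpack(endian + "I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        # Untagged Ethernet II: EtherType at bytes 12-13, IP header starts at 14.
        # A snaplen-truncated frame must still reach IP byte 5 to be testable.
        if len(frame) >= 20 and frame[12:14] == b"\x08\x00":
            if struct.unpack("!H", frame[14 + 4:14 + 6])[0] == ident:
                hits.append(index)
        index += 1
    return hits

def sample_pcap():
    """Constructed capture: two header-only IPv4 frames with IDs 24332 and 30947."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ident in (24332, 30947):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, ident, 0x4000, 128, 6, 0,
                         bytes([10, 1, 1, 1]), bytes([192, 168, 0, 109]))
        frame = bytes(12) + b"\x08\x00" + ip
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    print(ip_id_filter("0x5f0c"), match_ip_id(sample_pcap(), 24332))
```

The IP ID is only 16 bits wide and wraps, so on a long capture the same value can match more than one packet; combine the expression with host or port terms when that happens.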




