Tcpdump: filter packets by a specified IP identification in the IP header
This article explains how to use tcpdump on a libpcap formatted capture file to filter for a specific IP ID (not that I would like to go into how a packet ID can be predicted on an interface).
Many network security engineers have to deal with situations where a firewall, IPS, proxy or even a router/switch drops a specific packet (for any number of reasons). Once that packet is identified and the issue can be reproduced, it is essential to replay the packet through a network device running the same software.
In other situations, you may only have a debug log or trace file that specifies the ID of the offending packet. If the packet capture is also available, it is easy to output only that packet with tcpdump by using a byte offset into the relevant protocol header.
To see how tcpdump filters work, we first need to look at how the IPv4 header (the internet header) is laid out, as defined in RFC 791.
Code:
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|      Fragment Offset    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Time to Live |    Protocol   |         Header Checksum       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Source Address                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Destination Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
So the "identification" field of an IP packet occupies bytes 4 and 5 of the IP header, counting from zero (that is, the fifth and sixth bytes). How do we express this in tcpdump's offset format?
Tcpdump has built-in keywords for specific protocol headers (not including payloads); in this case the keyword is "ip".
So to filter on bytes 4 and 5 of the IP header, the tcpdump filter is: "ip[4:2]".
This means: start at byte offset 4 and read two bytes. In the same way, the TCP flags byte in the TCP header is tcp[13], or equivalently tcp[13:1] (byte offset 13, read only one byte). The offset is always relative to the start of the named protocol header, so it does not depend on the link-layer header length or on IP options.
Let's see an example. The capture file below contains two packets with different IP identification values:
Code:
# tcpdump -nr /tmp/tcpdump.pcap -v
reading from file /tmp/tcpdump.pcap, link-type EN10MB (Ethernet)
capability mode sandbox enabled
23:58:50.090759 IP (tos 0x10, ttl 128, id 24332, offset 0, flags [DF], proto TCP (6), length 204)
10.1.1.1.22 > 192.168.0.109.53989: Flags [P.], seq 3661036793:3661036957, ack 2364476704, win 4106, length 164
23:58:50.092647 IP (tos 0x0, ttl 127, id 30947, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.109.53989 > 10.1.1.1.22: Flags [.], cksum 0x9aad (correct), ack 164, win 251, length 0
To see the tcpdump filter in action:
Code:
# tcpdump -nr /tmp/tcpdump.pcap -v 'ip[4:2] == 24332'
reading from file /tmp/tcpdump.pcap, link-type EN10MB (Ethernet)
capability mode sandbox enabled
23:58:50.090759 IP (tos 0x10, ttl 128, id 24332, offset 0, flags [DF], proto TCP (6), length 204)
10.1.1.1.22 > 192.168.0.109.53989: Flags [P.], seq 3661036793:3661036957, ack 2364476704, win 4106, length 164
Note that the identification value used in the filter is the decimal value as printed by tcpdump's "id" field (24332 here), not its hex form.
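To make the "ip[4:2]" and "tcp[13]" offset semantics concrete, the following is an added example (not part of the original article): it constructs, in memory, a small libpcap file holding two Ethernet/IPv4/TCP frames whose identification fields are 24332 and 30947 (constructed frames mirroring the article's capture; MAC addresses, sequence numbers and the zeroed TCP checksum are placeholders), then reads two bytes at offset 4 of the IP header exactly as the tcpdump filter does. The pcap writer/reader and the `ip_field` / `tcp_field` helpers are this example's own code, not tcpdump's.

```python
"""Added example: apply the tcpdump 'ip[4:2] == N' logic to a constructed pcap."""
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1        # EN10MB, the link-type shown in the article's output
ETHERTYPE_IPV4 = 0x0800
TCP_FLAGS_PSH_ACK = 0x18     # printed by tcpdump as [P.]
TCP_FLAGS_ACK = 0x10         # printed by tcpdump as [.]


def ipv4_checksum(header):
    """RFC 791 one's-complement sum of 16-bit words; returns 0 for a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_ipv4_frame(ident, src, dst, sport, dport, flags, payload, ttl=64, tos=0):
    """Constructed Ethernet/IPv4/TCP frame with no IP options (IHL = 5).
    MACs are placeholders; the TCP checksum is left zero on purpose because
    only the IP header matters for this demonstration."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 4106, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident, 0x4000,  # DF set
                     ttl, 6, 0, ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("020000000001" "020000000002" "0800")  # dst MAC, src MAC, type
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Constructed little-endian libpcap file: 24-byte global header + records."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap(data):
    """Yield raw frames from a little-endian libpcap byte string."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def ip_header(frame):
    """Return the IPv4 header bytes, or None for non-IPv4 frames. tcpdump skips
    the link-layer header for us; this helper handles plain Ethernet only."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    if frame[14] >> 4 != 4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    return frame[14:14 + ihl]


def ip_field(frame, offset, size=1):
    """tcpdump's ip[offset:size]: `size` bytes at `offset` into the IP header, big-endian."""
    hdr = ip_header(frame)
    if hdr is None or offset + size > len(hdr):
        return None
    return int.from_bytes(hdr[offset:offset + size], "big")


def tcp_field(frame, offset, size=1):
    """tcpdump's tcp[offset:size]: the TCP header starts right after the IP
    header (IHL*4 bytes in), so the offset is not a fixed frame position."""
    hdr = ip_header(frame)
    if hdr is None or hdr[9] != 6:          # byte 9 of the IP header is Protocol
        return None
    start = 14 + len(hdr) + offset
    if start + size > len(frame):
        return None
    return int.from_bytes(frame[start:start + size], "big")


def filter_by_ip_id(pcap_bytes, ident):
    """Equivalent of: tcpdump -nr file 'ip[4:2] == ident'."""
    return [f for f in iter_pcap(pcap_bytes) if ip_field(f, 4, 2) == ident]


def sample_capture():
    """Constructed two-packet capture with the ids from the article (24332, 30947)."""
    f1 = build_tcp_ipv4_frame(24332, "10.1.1.1", "192.168.0.109", 22, 53989,
                              TCP_FLAGS_PSH_ACK, b"\x00" * 164, ttl=128, tos=0x10)
    f2 = build_tcp_ipv4_frame(30947, "192.168.0.109", "10.1.1.1", 53989, 22,
                              TCP_FLAGS_ACK, b"", ttl=127)
    return build_pcap([f1, f2])


if __name__ == "__main__":
    cap = sample_capture()
    for frame in iter_pcap(cap):
        print("id %5d  tcp flags 0x%02x  total length %d"
              % (ip_field(frame, 4, 2), tcp_field(frame, 13), ip_field(frame, 2, 2)))
    print("ip[4:2] == 24332 matched %d packet(s)" % len(filter_by_ip_id(cap, 24332)))
```

Running the script prints one line per frame and then reports that exactly one packet matches id 24332, the same result the tcpdump invocation above produces on the real capture. Because `ip_field` slices relative to the start of the IP header, the same two-byte read works regardless of how long the link-layer header is, which is why tcpdump's `ip[4:2]` is written in terms of the protocol header rather than absolute frame offsets.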