Forum Discussion

Michael_Newton's avatar
Michael_Newton
Icon for Nimbostratus rankNimbostratus
May 30, 2019

Setting up a tcpdump filter

ALCON need an assist if you can.  I have a customer who want a TCPDUMP using a specific filter.

 

(ip.src == 192.102.67.73)

&& (tcp.srcport == 443)

&& (tcp.flags == 0x018)

&& (tls.record.content_type == 22)

&& (tls.handshake.type == 2)

&& !(tls.handshake.ciphersuite in {0xc02b 0xc023 0xc02c 0xc024 0xc02f 0xc030 0x1301 0x1302})

BIG-IP
F5 Cloud Services
security
  • Michael_Newton's avatar
    Michael_Newton
    Icon for Nimbostratus rankNimbostratus
    May 30, 2019

    Thanks team ; I was able to figure out the first there also . Its the tls part of the configuration I am having issue with.

     

    && (tls.record.content_type == 22)

    && (tls.handshake.type == 2)

    && !(tls.handshake.ciphersuite in {0xc02b 0xc023 0xc02c 0xc024 0xc02f 0xc030 0x1301 0x1302})

     

    I

    • Dario_Garrido's avatar
      Dario_Garrido
      Icon for MVP rankMVP
      May 30, 2019

      WIRESHARK <-> TCPDUMP

      (ip.src == 192.102.67.73) <-> (src host 192.102.67.73)

      (tcp.srcport == 443 <-> (src port 443)

      (tcp.flags == 0x018) <-> (tcp[13] == 24)

      (ssl.record.content_type == 22) <-> (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)

      (ssl.handshake.type == 2) <-> (tcp[((tcp[12] & 0xf0) >> 2)+5] = 0x02)

       

      You cannot create the last line in tcpdump. Take into account tcpdump uses a deterministic matching. To do the last, you should use post-processing (scripting).

       

      I would appreciate if you rate my answer.

       

      KR,

      Dario.

  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    May 30, 2019

    So what was the question? Or you simply want that translated into a tcpdump filter

     

     

    I'd recommend you look at 'man tcpdump' myself. Which would (probably) lead you to 'man pap-filter'. Or google for 'tcpdump filter'. However as a hint

     

    && (Logical And) becomes 'and' (Or you can leave it as && if you really want but replacing and, or with &&, || will require single quotes around the filter).

     

    ip.src == 192.102.67.73 becomes 'src 192.102.67.73'

     

    tcp.srcport == 443 becomes 'src port 443'

     

    tcp.flags = 0x018 becomes 'tcp[13] = 26'

     

    The others become a bit more complex... You'd really have to know the offsets into the packet to check them (I don't know them off hand sorry). However this may help

     

    http://blog.fourthbit.com/2014/12/23/traffic-analysis-of-an-ssl-slash-tls-session

     

    There's lots of useful pages available on the internet for tcpdump filters. e.g

     

    https://danielmiessler.com/study/tcpdump/