Setting up a tcpdump filter

Michael_Newton
Nimbostratus

ALCON, I need an assist if you can. I have a customer who wants a TCPDUMP using a specific filter.

 

(ip.src == 192.102.67.73)

&& (tcp.srcport == 443)

&& (tcp.flags == 0x018)

&& (tls.record.content_type == 22)

&& (tls.handshake.type == 2)

&& !(tls.handshake.ciphersuite in {0xc02b 0xc023 0xc02c 0xc024 0xc02f 0xc030 0x1301 0x1302})


There is a great doc that deals with that:

REF - https://support.f5.com/csp/article/K2289

 

KR,

Dario.


WIRESHARK <-> TCPDUMP

(ip.src == 192.102.67.73) <-> (src host 192.102.67.73)

(tcp.srcport == 443) <-> (src port 443)

(tcp.flags == 0x018) <-> (tcp[13] == 24)

(ssl.record.content_type == 22) <-> (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)

(ssl.handshake.type == 2) <-> (tcp[((tcp[12] & 0xf0) >> 2)+5] = 0x02)

 

You cannot create the last line in tcpdump. Take into account that tcpdump uses deterministic matching. For the last one, you should use post-processing (scripting).

 

I would appreciate it if you rated my answer.

 

KR,

Dario.


Hamish
Cirrocumulus

So what was the question? Or do you simply want that translated into a tcpdump filter?

 

 

I'd recommend you look at 'man tcpdump' myself, which would (probably) lead you to 'man pcap-filter'. Or google for 'tcpdump filter'. However, as a hint:

 

&& (logical AND) becomes 'and' (or you can leave it as && if you really want, but using &&, || in place of and, or will require single quotes around the filter).

 

ip.src == 192.102.67.73 becomes 'src 192.102.67.73'

 

tcp.srcport == 443 becomes 'src port 443'

 

tcp.flags = 0x018 becomes 'tcp[13] = 26'

 

The others become a bit more complex... You'd really have to know the offsets into the packet to check them (I don't know them offhand, sorry). However, this may help:

 

http://blog.fourthbit.com/2014/12/23/traffic-analysis-of-an-ssl-slash-tls-session

 

There are lots of useful pages on the internet for tcpdump filters, e.g.

 

https://danielmiessler.com/study/tcpdump/

 

Michael_Newton
Nimbostratus

Thanks team; I was able to figure out the first three also. It's the TLS part of the configuration I am having issues with.

 

&& (tls.record.content_type == 22)

&& (tls.handshake.type == 2)

&& !(tls.handshake.ciphersuite in {0xc02b 0xc023 0xc02c 0xc024 0xc02f 0xc030 0x1301 0x1302})

 

I
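The TLS part of the filter is where Dario's answer stops: the record type (0x16) and the handshake type (0x02) sit at fixed offsets from the TCP data offset, which is why they translate to `tcp[((tcp[12] & 0xf0) >> 2)]` expressions, but the ServerHello cipher suite comes after a variable-length session_id, and the `in {...}` set test on it is the post-processing step he refers to. The script below is an added example (not code from the thread, from F5, or from the K2289 article) that applies the complete Wireshark filter from the question to a captured TCP segment in Python: the byte-offset checks tcpdump can do, then the ServerHello parse for the cipher suite. It assumes the TLS record starts at the beginning of the TCP payload and that the ServerHello is contained in one segment; the segments are constructed inline so the script runs offline, and `build_segment` exists only to produce that sample data.

```python
"""Post-processing for the ServerHello cipher-suite part of the filter (added example)."""
from __future__ import annotations

import struct

# Cipher suites the Wireshark filter excludes (values from the original question).
EXCLUDED_SUITES = {0xC02B, 0xC023, 0xC02C, 0xC024, 0xC02F, 0xC030, 0x1301, 0x1302}

TLS_HANDSHAKE = 0x16   # tls.record.content_type == 22
SERVER_HELLO = 0x02    # tls.handshake.type == 2
PSH_ACK = 0x18         # tcp.flags == 0x018 (tcp[13] == 24)


def tcp_data_offset(tcp: bytes) -> int:
    """Start of the TCP payload: tcpdump's ((tcp[12] & 0xf0) >> 2)."""
    return (tcp[12] & 0xF0) >> 2


def matches_bpf_part(tcp: bytes) -> bool:
    """The checks tcpdump itself can express, byte for byte as in Dario's translation."""
    off = tcp_data_offset(tcp)
    return (
        tcp[13] == PSH_ACK                  # tcp[13] == 24
        and len(tcp) > off + 5
        and tcp[off] == TLS_HANDSHAKE       # tcp[off] = 0x16
        and tcp[off + 5] == SERVER_HELLO    # tcp[off+5] = 0x02
    )


def server_hello_cipher_suite(payload: bytes) -> int | None:
    """Parse a TLS handshake record far enough to read the ServerHello cipher_suite.

    Returns None when the payload is not a ServerHello or is too short to hold one.
    """
    if len(payload) < 9 or payload[0] != TLS_HANDSHAKE or payload[5] != SERVER_HELLO:
        return None
    hs_len = int.from_bytes(payload[6:9], "big")
    body = payload[9:9 + hs_len]
    # ServerHello: version(2) random(32) session_id_len(1) session_id(n) cipher_suite(2) ...
    if len(body) < 35:
        return None
    sid_len = body[34]               # variable part: this is why BPF offsets stop here
    pos = 35 + sid_len
    if len(body) < pos + 2:
        return None
    return int.from_bytes(body[pos:pos + 2], "big")


def matches_full_filter(src_ip: str, src_port: int, tcp: bytes) -> bool:
    """The whole Wireshark filter from the question, applied to one segment."""
    if src_ip != "192.102.67.73" or src_port != 443 or not matches_bpf_part(tcp):
        return False
    suite = server_hello_cipher_suite(tcp[tcp_data_offset(tcp):])
    return suite is not None and suite not in EXCLUDED_SUITES


def select_matching(segments: list[tuple[str, int, bytes]]) -> list[int]:
    """Indices of the (src_ip, src_port, tcp_segment) tuples that pass the filter."""
    return [i for i, (ip, port, tcp) in enumerate(segments) if matches_full_filter(ip, port, tcp)]


def build_segment(cipher_suite: int, session_id: bytes = b"", flags: int = PSH_ACK) -> bytes:
    """Constructed sample: 20-byte TCP header (data offset 5) + one TLS ServerHello record."""
    body = (b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
            + struct.pack(">H", cipher_suite) + b"\x00")          # null compression
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    record = bytes([TLS_HANDSHAKE]) + b"\x03\x03" + struct.pack(">H", len(handshake)) + handshake
    # src port 443, dst port 51234, seq/ack 1, data offset 5 words, flags, window 65535
    header = struct.pack(">HHIIBBHHH", 443, 51234, 1, 1, 5 << 4, flags, 65535, 0, 0)
    return header + record


if __name__ == "__main__":
    sample = [
        ("192.102.67.73", 443, build_segment(0xC02B)),                        # excluded suite
        ("192.102.67.73", 443, build_segment(0x002F, session_id=bytes(32))),  # hit, with a session id
        ("192.102.67.73", 443, build_segment(0x002F, flags=0x10)),            # ACK only, fails tcp[13]
        ("10.0.0.1", 443, build_segment(0x002F)),                             # wrong source
    ]
    print("matching segments:", select_matching(sample))
```

In practice the segments would come from reading the capture tcpdump produced with the expressible part of the filter (`src host ... and src port 443 and tcp[13] == 24 and tcp[((tcp[12] & 0xf0) >> 2)] = 0x16 and tcp[((tcp[12] & 0xf0) >> 2)+5] = 0x02`), and the script then drops the ServerHellos whose cipher suite is in the excluded set.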