Packet Filtering: Catching the Cool Packets


Appendix A contains the answers to this chapter test. Use whatever means possible to identify the values and offsets required to build the following filter patterns.

  1. Fill out the fields to build a pattern that would catch all FTP STOR commands.

  2. Fill out the fields to build a pattern that would catch all DNS queries for www.antionline.com.

  3. Fill out the fields to build a pattern that would catch the first two packets of the TCP handshake process (refer to “Analysis and Troubleshooting TCP/IP Networks” or the TCP RFC if required).

  4. Fill out the fields to build a pattern that would catch all IPX traffic that comes from a hardware address 0x00001C342A33. These IPX packets use the Ethernet II frame type.

  5. Fill out the fields to build a pattern that would catch all ICMP Destination Unreachable/Host Unreachable packets.

  6. Fill out the fields to build a pattern that would catch all HTTP traffic that contains the “GET /images/” command.

  7. You are working on a system that uses the IP address 130.57.77.5 with the subnet mask 255.255.252.0. Fill out the fields to build a pattern that would catch all traffic to or from devices in the same subnet as 130.57.77.5.

  8. TCP Resets can be an indication of a misconfigured network service or reconnaissance process. Fill out the fields to build a pattern that would catch all TCP Reset packets.

  9. You are working on a network that supports Unix and NetWare hosts. Fill out the fields to build a pattern set that would catch all IP traffic except the NetWare IP traffic (port 524).

    Write down the boolean equation you would use to catch these packets:

    _____________________________________________

  10. Put together several other boolean equations that could be used to catch interesting traffic on your network:

    _____________________________________________

    _____________________________________________

    _____________________________________________

    _____________________________________________

    _____________________________________________
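The questions above all come down to the same mechanism: pick a byte offset inside the frame, optionally AND it with a mask, and compare the result to a value. The following script is an added example (it is not from the book and is not its answer key) that implements that offset/mask/value matcher over constructed Ethernet II / IPv4 / TCP frames. It assumes Ethernet II framing with an IPv4 header carrying no options (so the TCP header starts at byte 34), which is the layout the constructed frames use; the helper names (`build_frame`, `matches`, `subnet_patterns`, `tcp_flag_pattern`) are this example's own.

```python
"""Added example: offset/mask/value packet pattern matching over constructed frames.

Not part of the book; the frame builder, helper names and sample addresses
are this example's own. Assumes Ethernet II + IPv4 (no options) + TCP.
"""
import ipaddress
import struct

ETH_HDR_LEN = 14          # Ethernet II: dst MAC, src MAC, EtherType
IP_HDR_LEN = 20           # IPv4 without options (assumption for these frames)
TCP_FLAGS_OFFSET = ETH_HDR_LEN + IP_HDR_LEN + 13   # flags byte of the TCP header

# TCP flag bits as they appear in the flags byte
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


def build_frame(src_ip, dst_ip, tcp_flags, src_port=1025, dst_port=80):
    """Construct a minimal Ethernet II / IPv4 / TCP frame (constructed test data).

    Checksums are left at zero; a pattern filter never looks at them here.
    """
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, IP_HDR_LEN + 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH",
                      src_port, dst_port, 0, 0, 0x50, tcp_flags, 8192, 0, 0)
    return eth + ip + tcp


def matches(frame, patterns):
    """Return True when every (offset, mask, value) triple matches the frame (AND).

    Each triple is checked as: frame[offset:offset+len(value)] & mask == value.
    A frame too short to contain the field never matches.
    """
    for offset, mask, value in patterns:
        chunk = frame[offset:offset + len(value)]
        if len(chunk) < len(value):
            return False
        if bytes(b & m for b, m in zip(chunk, mask)) != value:
            return False
    return True


def subnet_of(address, netmask):
    """Network that an address/netmask pair belongs to, as 'network/prefix'."""
    return str(ipaddress.IPv4Network(f"{address}/{netmask}", strict=False))


def subnet_patterns(address, netmask, direction):
    """Pattern matching the IP source ('src') or destination ('dst') within a subnet.

    The netmask becomes the byte mask and the network address the value, so the
    comparison is the usual (ip & mask) == network test done on raw bytes.
    """
    net = ipaddress.IPv4Network(f"{address}/{netmask}", strict=False)
    field_offset = ETH_HDR_LEN + (12 if direction == "src" else 16)
    return [(field_offset, net.netmask.packed, net.network_address.packed)]


def in_subnet_either(frame, address, netmask):
    """True when either the source or the destination lies in the subnet (OR)."""
    return (matches(frame, subnet_patterns(address, netmask, "src"))
            or matches(frame, subnet_patterns(address, netmask, "dst")))


def tcp_flag_pattern(flag_bits):
    """Pattern requiring the given TCP flag bits to be set (other bits ignored)."""
    return (TCP_FLAGS_OFFSET, bytes([flag_bits]), bytes([flag_bits]))


if __name__ == "__main__":
    rst = build_frame("130.57.76.9", "10.0.0.1", TCP_RST)
    syn = build_frame("130.57.80.1", "10.0.0.1", TCP_SYN)
    print("subnet:", subnet_of("130.57.77.5", "255.255.252.0"))
    print("rst frame from subnet:", in_subnet_either(rst, "130.57.77.5", "255.255.252.0"))
    print("syn frame from subnet:", in_subnet_either(syn, "130.57.77.5", "255.255.252.0"))
    print("rst frame is RST:", matches(rst, [tcp_flag_pattern(TCP_RST)]))
    print("syn frame is RST:", matches(syn, [tcp_flag_pattern(TCP_RST)]))
```

Two design points carry over to any real analyzer's filter dialog: the mask lets one pattern cover a whole subnet or a single flag bit rather than one exact value, and the boolean structure lives outside the triples (`matches` is an AND over its list, `in_subnet_either` is an OR over two lists), which is exactly the equation the worksheet asks you to write down.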

