Packet Filtering: Catching the Cool Packets


If you are not on the same network as Fred, but you can see his traffic, you'll need to filter on Fred's IP address[15]. That means you now need to look into the IP header to set the filter. Figure 7 shows the IP header structure with its offsets listed in hexadecimal and decimal.

Figure 7: We’ll start using the Protocol offset value now that we’re above the data link layer.

Note 

We are now building filters based on the protocol offset instead of the packet offset. -- Laura

If you only run IP over Ethernet, you could build this filter using the Packet offset and add 14d (or 0x0E) to all the values shown above (the Ethernet II header is 14 bytes long). This means the IP Version field would be at offset 0x0E/14d.

Using the offsets shown in Figure 7, consider the filters you could build based on the Protocol field in the IP header.

Protocol Offset               Value (in hexadecimal)
0x09/9d (Protocol field)      0x1 = Internet Control Message Protocol (ICMP)
0x09/9d (Protocol field)      0x2 = Internet Group Management Protocol (IGMP)
0x09/9d (Protocol field)      0x6 = TCP
0x09/9d (Protocol field)      0x11 = UDP (17 decimal)

Note 

Check out http://www.iana.org/assignments/protocolnumbers for the list of assigned protocol numbers for TCP/IP. Bookmark the IANA website - you'll visit it often! -- Laura

Besides building filters on the offsets shown in Figure 7, you may also want to dig further into the packet and build filters on fields that do not start or end on a whole-byte boundary. For example, look at the Flags or Fragment Offset fields in the IP header. There may be a time when you want to build a filter to check for all fragmented packets on your network. Check out Chapter 4 "Pattern Filters" for the details on building a filter to look for fragments on your network.
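As an added example (not from the book), the following Python applies the filters discussed above to a raw Ethernet II frame: it converts the protocol offsets in Figure 7 to packet offsets by adding 14d, tests the Protocol field at IP offset 0x09, matches Fred's source IP address, and detects fragments by looking at the Flags and Fragment Offset bits, which do not fall on a byte boundary. The frame builder and the addresses are constructed for the demonstration.

```python
import struct

ETH_HDR_LEN = 14     # Ethernet II header is 14 bytes; packet offset = protocol offset + 14d
PROTO_OFFSET = 9     # Protocol field sits at IP header offset 0x09/9d
SRC_IP_OFFSET = 12   # Source IP address occupies IP header offsets 0x0C-0x0F
FLAGS_FRAG_OFFSET = 6  # Flags (3 bits) + Fragment Offset (13 bits) at IP offsets 0x06-0x07

def ip_header_filter(frame, proto=None, src_ip=None, fragments_only=False):
    """Return True when the raw Ethernet frame passes every filter that was asked for."""
    if len(frame) < ETH_HDR_LEN + 20:          # need a full Ethernet II + minimal IP header
        return False
    if frame[12:14] != b"\x08\x00":            # EtherType 0x0800 = IP; anything else is dropped
        return False
    ip = frame[ETH_HDR_LEN:]                   # ip[n] is protocol offset n == frame[14 + n]
    if proto is not None and ip[PROTO_OFFSET] != proto:
        return False
    if src_ip is not None and ip[SRC_IP_OFFSET:SRC_IP_OFFSET + 4] != _dotted_to_bytes(src_ip):
        return False
    if fragments_only:
        flags_frag = struct.unpack("!H", ip[FLAGS_FRAG_OFFSET:FLAGS_FRAG_OFFSET + 2])[0]
        # 0x2000 is the More Fragments flag; 0x1FFF is the 13-bit Fragment Offset.
        # A packet is a fragment if either is non-zero (Don't Fragment, 0x4000, is ignored).
        if flags_frag & 0x3FFF == 0:
            return False
    return True

def _dotted_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))

def build_frame(proto, src_ip, flags_frag=0):
    """Constructed sample frame (not a real capture): Ethernet II + 20-byte IPv4 header."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20, 0x1234, flags_frag, 64, proto, 0,
                         _dotted_to_bytes(src_ip), _dotted_to_bytes("10.0.0.1"))
    return b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00" + ip_hdr

if __name__ == "__main__":
    fred = "10.1.1.5"                           # constructed address standing in for Fred
    print(ip_header_filter(build_frame(0x06, fred), proto=0x06, src_ip=fred))        # True
    print(ip_header_filter(build_frame(0x11, fred), proto=0x06))                     # False
    print(ip_header_filter(build_frame(0x01, fred, 0x2000), fragments_only=True))    # True
```

The same tests map directly onto offset filters in a capture tool: Protocol = packet offset 23 (0x17), and a fragment check masks the two bytes at packet offsets 20-21 with 0x3FFF.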

[15] Remember that routers strip off and reapply the Ethernet (or Token Ring, or whatever) header as they forward packets. If you are on the other side of a router from Fred, you'll never see his hardware address in the source address field of the Ethernet header -- you will see the router's hardware address instead.
