Packet Filtering: Catching the Cool Packets
Now let's say we're looking for a particular value in the TCP header - perhaps you are focusing on a particular application that uses port 1214 by default. If you want to capture all traffic sent to this port number, you'll need to filter on this value at the correct offset.
Figure 8 shows the offsets for the TCP header. Again, we are defining the offsets based on the protocol offset value, not the packet offset value.
You'll want to build a bunch o' filters based on the TCP header - the following provides a quick listing to start with:
| Protocol Offset | Value (in hexadecimal) |
|---|---|
| 0x16/22d (Destination Port field) | 0x04BE (1214 decimal) Morpheus |
| 0x14/20d (Source Port field) | 0x04BE (1214 decimal) Morpheus |
| 0x16/22d (Destination Port field) | 0x18CA (6346 decimal) Gnutella |
| 0x14/20d (Source Port field) | 0x18CA (6346 decimal) Gnutella |
| 0x16/22d (Destination Port field) | 0x18CB (6347 decimal) Gnutella |
| 0x14/20d (Source Port field) | 0x18CB (6347 decimal) Gnutella |
| 0x22/34d (Window Size field) | 0x0000 - Window size of 0 |
Some of the more interesting filters are built based on the flags in the TCP header. The flags are shown in Figure 8 listed by their initials:
| Initial | Flag |
|---|---|
| U | Urgent (look in the Urgent Pointer field next) |
| A | Acknowledge (got that last data, thanks!) |
| P | Push (this is important; don't buffer it) |
| R | Reset (I don't know what you're saying; the port is closed) |
| S | Synchronize (let's connect; here's my sequence number) |
| F | Finish (I'm done; let's close the connection) |
Note: If you don't feel 'warm and fuzzy' with the TCP flags, go order "Guide to TCP/IP" that I wrote with Ed Tittel. This book provides a packet-level view of TCP/IP communications. You can order the book through podbooks.com or any bookstore. The ISBN number is 0-619035-30-7. -- Laura
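As an added example (not code from the original text), here is a small Python byte-offset matcher that applies the offset/value pairs from the filter table above and decodes the flag byte using the initials from the flags table. It assumes the table's offsets count from the first byte of the IP header with a 20-byte header and no IP options (which is what 0x14 for the Source Port implies), so it only matches packets whose IHL is 5 and whose protocol is TCP; the sample packets are constructed.

```python
import struct

# TCP flag bits in the flags byte (0x21 from the IP header start when the IP
# header is 20 bytes), keyed by the initials used in the flags table.
TCP_FLAG_BITS = {"U": 0x20, "A": 0x10, "P": 0x08, "R": 0x04, "S": 0x02, "F": 0x01}

# Offset/value filters from the table above: offset from the start of the IP
# header (assumed 20-byte header, no options) and the 2-byte big-endian value.
FILTERS = {
    "Morpheus dst": (0x16, 0x04BE),
    "Morpheus src": (0x14, 0x04BE),
    "Gnutella dst 6346": (0x16, 0x18CA),
    "Gnutella src 6346": (0x14, 0x18CA),
    "Gnutella dst 6347": (0x16, 0x18CB),
    "Gnutella src 6347": (0x14, 0x18CB),
    "Zero window": (0x22, 0x0000),
}


def build_ip_tcp(src_port, dst_port, flags, window):
    """Build a constructed IPv4+TCP header pair (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    flag_byte = sum(TCP_FLAG_BITS[f] for f in flags)
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                      5 << 4, flag_byte, window, 0, 0)
    return ip + tcp


def value_at(packet, offset, width=2):
    """Read a big-endian integer of `width` bytes at a protocol offset."""
    return int.from_bytes(packet[offset:offset + width], "big")


def is_plain_tcp(packet):
    """Fixed offsets are only valid if IHL == 5 (no options) and protocol == 6."""
    return len(packet) >= 40 and packet[0] & 0x0F == 5 and packet[9] == 6


def match_filters(packet):
    """Names of the table filters whose offset/value pair matches the packet."""
    if not is_plain_tcp(packet):
        return []
    return [name for name, (off, val) in FILTERS.items()
            if value_at(packet, off) == val]


def tcp_flags(packet):
    """Decode the flags byte into the table's initials, in U A P R S F order."""
    b = packet[0x21]
    return "".join(k for k, bit in TCP_FLAG_BITS.items() if b & bit)
```

A packet with IP options shifts every TCP field by four bytes or more, which is why the IHL check matters before trusting a fixed-offset filter.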
I'm going to get down and dirty into the TCP header fields in Chapter 4, "Pattern Filters," - awesome stuff!