Packet Filtering: Catching the Cool Packets


Now let's say we're looking for a particular value in the TCP header - perhaps you are focusing on a particular application that uses port 1214 by default. If you want to capture all traffic sent to this port number, you'll need to filter on this value at the correct offset.

Figure 8 shows the offsets for the TCP header. Again, we are defining the offsets based on the protocol offset value, not the packet offset value.

Figure 8: The TCP header is much more complex than the Ethernet or IP header. Whee!

You'll want to build a bunch o' filters based on the TCP header - the following provides a quick listing to start with:

Protocol Offset                      Value (in hexadecimal)
0x16/22d (Destination Port field)    0x04BE (1214 decimal) Morpheus
0x14/20d (Source Port field)         0x04BE (1214 decimal) Morpheus
0x16/22d (Destination Port field)    0x18CA (6346 decimal) Gnutella
0x14/20d (Source Port field)         0x18CA (6346 decimal) Gnutella
0x16/22d (Destination Port field)    0x18CB (6347 decimal) Gnutella
0x14/20d (Source Port field)         0x18CB (6347 decimal) Gnutella
0x22/34d (Window Size field)         0x0000 - Window size of 0

Some of the more interesting filters are built based on the flags in the TCP header. The flags are shown in Figure 8 listed by their initials:

Initial    Flag
U          Urgent (look in the Urgent Pointer field next)
A          Acknowledge (got that last data, thanks!)
P          Push (this is important; don't buffer it)
R          Reset (I don't know what you're saying; the port is closed)
S          Synchronize (let's connect; here's my sequence number)
F          Finish (I'm done; let's close the connection)
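The offset/value filters in the listing above and the flag initials in the flags table are two views of the same technique: read a fixed-width field at a known offset from the protocol start and compare it. The following Python is an added example, not code from the original page or from the author, that applies both over a constructed Ethernet/IP/TCP frame. It assumes Ethernet II framing (14-byte header) in front of the IP header, a 20-byte IP header with no options (the layout the page's protocol offsets presume; frames with IP options are rejected rather than matched at shifted offsets), and a flags-byte offset of 0x21/33d taken from the standard TCP header layout, which the page does not list. The sample frames are constructed inline.

```python
import struct

ETH_HEADER_LEN = 14          # Ethernet II header; the page's protocol offsets start after it
ETHERTYPE_IPV4 = 0x0800

# Protocol offsets exactly as listed on the page, counted from the start of the
# IP header. They presume a 20-byte IP header with no options.
SRC_PORT_OFFSET = 0x14       # 20d
DST_PORT_OFFSET = 0x16       # 22d
WINDOW_OFFSET = 0x22         # 34d
# Assumption (not listed on the page): the TCP flags byte sits at TCP offset 13,
# so 20 + 13 = 33 (0x21) from the IP header.
FLAGS_OFFSET = 0x21

# Quick filter listing from the page: (protocol offset, 16-bit value, label)
FILTERS = [
    (DST_PORT_OFFSET, 0x04BE, "Morpheus (dst 1214)"),
    (SRC_PORT_OFFSET, 0x04BE, "Morpheus (src 1214)"),
    (DST_PORT_OFFSET, 0x18CA, "Gnutella (dst 6346)"),
    (SRC_PORT_OFFSET, 0x18CA, "Gnutella (src 6346)"),
    (DST_PORT_OFFSET, 0x18CB, "Gnutella (dst 6347)"),
    (SRC_PORT_OFFSET, 0x18CB, "Gnutella (src 6347)"),
    (WINDOW_OFFSET, 0x0000, "Window size of 0"),
]

# TCP flag bits keyed by the initials used in Figure 8
FLAG_BITS = {"U": 0x20, "A": 0x10, "P": 0x08, "R": 0x04, "S": 0x02, "F": 0x01}


def build_frame(src_port, dst_port, flags="", window=8192):
    """Constructed sample frame: Ethernet II + IPv4 (no options) + bare TCP header."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    flag_byte = sum(FLAG_BITS[i] for i in flags)
    tcp = struct.pack("!HHIIHHHH",
                      src_port, dst_port, 0, 0, (5 << 12) | flag_byte, window, 0, 0)
    return eth + ip + tcp


def protocol_view(frame):
    """Bytes from the IP header onward, or None if the frame is not plain
    IPv4/TCP with a 20-byte IP header (the layout the page's offsets assume)."""
    if len(frame) < ETH_HEADER_LEN + 40:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    p = frame[ETH_HEADER_LEN:]
    ihl = p[0] & 0x0F
    if ihl != 5 or p[9] != 6:     # IP options present, or not TCP: offsets would shift
        return None
    return p


def word_at(frame, protocol_offset):
    """16-bit big-endian value at a protocol offset, or None if not applicable."""
    p = protocol_view(frame)
    if p is None:
        return None
    return struct.unpack_from("!H", p, protocol_offset)[0]


def matching_filters(frame):
    """Labels from FILTERS whose offset/value pair matches this frame."""
    return [label for off, val, label in FILTERS if word_at(frame, off) == val]


def flags_of(frame):
    """Flag initials set in the frame, in the order Figure 8 lists them."""
    p = protocol_view(frame)
    if p is None:
        return ""
    return "".join(i for i, bit in FLAG_BITS.items() if p[FLAGS_OFFSET] & bit)


def has_flags(frame, initials):
    """True if every flag in `initials` is set (e.g. "SA" for SYN+ACK)."""
    set_flags = flags_of(frame)
    return all(i in set_flags for i in initials)


if __name__ == "__main__":
    frame = build_frame(src_port=40000, dst_port=1214, flags="S")
    print(matching_filters(frame), flags_of(frame))
```

Because the page's offsets are anchored at the IP header rather than at the TCP header, any IP options push every TCP field further out; `protocol_view` checks the IHL nibble and refuses to match such frames instead of silently comparing the wrong bytes, which is the check to keep in mind when an analyzer only lets you filter by fixed packet offsets.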

Note

If you don't feel 'warm and fuzzy' with the TCP flags, go order "Guide to TCP/IP" that I wrote with Ed Tittel. This book provides a packet-level view of TCP/IP communications. You can order the book through podbooks.com or any bookstore. The ISBN number is 0-619035-30-7. -- Laura

I'm going to get down and dirty into the TCP header fields in Chapter 4, "Pattern Filters," - awesome stuff!

