This week, I received a request to search for a range of destination addresses that cannot easily be done using libpcap's conventional macro filters but can be done using an IP protocol filter. It is quite easy to filter for a CIDR range (i.e. /23, /24) with a libpcap macro filter, but when it comes to searching for an unusual list of addresses such as 192.168.25.6 to 192.168.25.35, there is no simple macro to do it.

The following example illustrates how to find SYN packets directed to natted addresses where an attempt was made to connect to or scan a service natted to an internal resource. I used this filter for addresses located in the range 192.168.25.6 to 192.168.25.35. The filter compares individual bytes of the IPv4 header: ip[16:2] is the first two bytes of the destination address, ip[18] the third octet and ip[19] the fourth.

tcpdump -nr filename '((ip[16:2] = 0xc0a8 and ip[18] = 0x19 and ip[19] > 0x06) and (ip[16:2] = 0xc0a8 and ip[18] = 0x19 and ip[19] < 0x23) and tcp[13] = 0x02)'

ip[16:2] = 0xc0a8 -> First two octets of the IP address are 192.168
ip[18] = 0x19 -> Third octet of the IP address is 25
ip[19] > 0x06 -> Last octet of the IP address is greater than 6
ip[19] < 0x23 -> Last octet of the IP address is less than 35
tcp[13] = 0x02 -> If there is a successful match, only print those with SYN packets (TCP flags byte equal to SYN alone)

This same filter could easily be expanded to search for a specific port instead of any port, to further narrow the search.

ISC reader Crist provided a simpler way to write the above filter by combining all the octets of the source and destination IP address (the 4-byte fields ip[12:4] and ip[16:4]) into single 32-bit comparisons, like this:

tcpdump -nr filename '(ip[12:4] > 0xc0a81906) and (ip[12:4] < 0xc0a81923) and (ip[16:4] > 0xc0a81906) and (ip[16:4] < 0xc0a81923) and tcp[13] = 0x02'
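The byte-compare technique above generalizes to any contiguous address range, not just 192.168.25.6 to 192.168.25.35, and to the source field as well as the destination. The following Python is an added example, not code from the diary or from tcpdump: range_filter builds the 32-bit comparison form of the filter for an arbitrary inclusive range, and matches applies the identical test in Python to raw IPv4/TCP packets so the logic can be checked offline. The packets it checks are constructed in build_packet (checksums left at zero); the function names and the ADDR_OFFSET table are this example's own, while the offsets themselves (source address at IPv4 header byte 12, destination at byte 16, TCP flags at TCP header byte 13) are the standard header layout.

```python
import ipaddress
import struct

# IPv4 header offsets of the address fields, counted from the start of the IP
# header exactly as tcpdump's ip[] indexing does (no link-layer bytes).
ADDR_OFFSET = {"src": 12, "dst": 16}
TCP_SYN = 0x02  # value of the TCP flags byte (tcp[13]) for a pure SYN


def range_filter(first, last, field="dst", syn_only=True):
    """Return a tcpdump filter matching IPv4 packets whose <field> address lies
    in the inclusive range first..last, comparing the 4-byte address field as a
    single integer (the ip[16:4] form rather than octet by octet)."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("first address must not be above last")
    off = ADDR_OFFSET[field]
    expr = f"ip[{off}:4] >= {lo:#010x} and ip[{off}:4] <= {hi:#010x}"
    if syn_only:
        # '= 0x02' keeps only SYN without ACK, i.e. connection attempts/scans.
        expr += f" and tcp[13] = {TCP_SYN:#04x}"
    return expr


def matches(packet, first, last, field="dst", syn_only=True):
    """Apply the same test in Python to a raw IPv4 packet (bytes starting at the
    IP header), honouring the IHL so the TCP flags byte is read past any IP
    options, as tcpdump's tcp[] indexing does."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    (addr,) = struct.unpack_from("!I", packet, ADDR_OFFSET[field])
    if not lo <= addr <= hi:
        return False
    if not syn_only:
        return True
    if packet[9] != 6:  # IP protocol field: 6 = TCP
        return False
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 14:
        return False
    return packet[ihl + 13] == TCP_SYN


def build_packet(src, dst, flags, ihl_words=5):
    """Constructed test data: minimal IPv4 + TCP headers, checksums left zero.
    ihl_words > 5 pads the IP header with zeroed option bytes."""
    opt_len = (ihl_words - 5) * 4
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl_words, 0, 20 + opt_len + 20, 0, 0, 64, 6, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    ) + b"\x00" * opt_len
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 0, 0, 0)
    return ip_hdr + tcp_hdr


if __name__ == "__main__":
    print(range_filter("192.168.25.6", "192.168.25.35"))
    pkt = build_packet("10.0.0.1", "192.168.25.20", TCP_SYN)
    print(matches(pkt, "192.168.25.6", "192.168.25.35"))
```

Two design points worth noting when reusing this. First, the generated filter uses >= and <= so the range endpoints are included; the diary's > 0x06 and < 0x23 form excludes .6 and .35 themselves, so pick the bounds deliberately. Second, tcp[13] = 0x02 matches only a bare SYN; if SYN-ACK replies from the natted hosts are also wanted, tcp[13] & 0x02 != 0 is the usual alternative.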