• RSS
  • Twitter
  • FaceBook

Security Forums

Log in

FAQ | Search | Usergroups | Profile | Register | RSS | Posting Guidelines | Recent Posts

Bitmask usage 101 - TCPdump bitmasking simplified

Users browsing this topic:0 Security Fans, 0 Stealth Security Fans
Registered Security Fans: None
Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Firewalls // Intrusion Detection - External Security

View previous topic :: View next topic  
Author Message
alt.don
SF Boss
SF Boss


Joined: 04 Mar 2003
Posts: 16777079


Offline

PostPosted: Sun Mar 23, 2003 9:03 pm    Post subject: Bitmask usage 101 - TCPdump bitmasking simplified Reply with quote

Bit Masking Simplified

The purpose of bit masking is to allow you to specify specific byte offsets in various protocols ie: parse a large tcpdump file looking for specific flag combinations ie: syn, syn/ack, psh/ack.

Where this would be of benefit is when for example we are looking over a large port 80 scan directed against our networks.. The sheer volume of syn packets plus possible reset packets makes looking over this tcpdump file a chore. One that could result in missing potentially critical packets due to analyst fatigue, and or eye strain. With a proper bit mask in place one can filter many megs of traffic and whittle it down to a very manageable size showing only psh/acks for example.

This will help in looking for specific flag combinations for specific ip addresses. In essence it you will save you time allowing you to work more efficiently.

The examples shown below relate only to the tcp header and not icmp, udp, or others. The same theory applies to all the protocols though. One just needs to see what byte offset one wants to filter, and then apply the same concepts described below.

The two IP addresses used here for example purposes will be

10.10.10.100 and 192.168.2.100

The examples shown below as well are done using tcpdump, hence the tcpdump style filters.

Code:
-nXvs 0 tcp and host 10.10.10.100 and (tcp[13] & 2 !=0)


The above noted breaks out as so;

a) nXvs 0 The n means dont convert ip addys to canonical names ie: leave them in # format. The X means print output in both hex and ascii. The v means to be verbose ie: print out all header info such as ip id numbers and the such. The s means the snaplength. This is the amount of the packet you want to look at. You can put a number after the s or leave it at 0 which will be your default setting.

b) tcp and host 10.10.10.100 This is where you are specifying that you want to see the tcp protocol and you are specifying as well the host address on which you are running this filter against.

c) and (tcp[13] & 2 !=0) This here is the meat of your bit mask. You are using and because you are specifying another argument. The ( tells tcpdump this is the beginning of an argument. The tcp denotes the tcp protocol, and [13] denotes the byte offset in the tcpheader. The & is a primitive allowing you to combine arguments. The 2 !=0 denotes the decimal value in the 13th byte that you want to see. More to follow on what decimal value equates to what flag in the next subpara. The !=0 means that the bit representing decimal value 2 should be set to 1 ie: the flag is set vice not being set which would be a binary value of 0. The ) denotes that this is the end of the argument.

d) As mentioned in subpara c above the 13th byte is composed of 8 bits. Each of these bits represents various flags. From the right of the byte the first two bits are assigned to error congestion ie: ecn and is not applicable to our bit masking purposes. These first two bits from the right have values of 128 and 64.

The following bit values from the right are:

Code:
URG - ACK - PSH - RST - SYN - FYN

 32    16     8    4      2     1


With the values set out above for the 13th byte of the tcp header you can now filter out which ever values you wish. Whether they be combinations of flags as will be shown below of simply one flag as shown above.

The below noted example now shows you how to specify several flag in your bit mask.

Code:
-nXvs 0 tcp and host 192.168.2.100 and ((tcp[13] & 16 !=0) and (tcp[13] & 8 !=0))


The above noted bit mask filter shows you that the psh and ack flags for 192.168.2.100 tcp traffic will be pulled for. We have two (( brackets now because we have added a second argument ie: (tcp[13] & 8 !=0) So due to this we now need a second bracket to close the argument. You will however get all psh/acks associated with 192.168.2.100. This may be undesirable if this addy has swept an entire subnet for example. If you want to further refine your search you can specify two specific hosts with the above mentioned bit mask as evidenced below.

Code:
-nXvs 0 tcp and host 10.10.10.100 and host 192.168.2.100 and ((tcp[13] & 16 !=0) and (tcp[13] & 8 !=0))


Or you can also do the above with specific ports in mind whether they be source of destination. Please see below.

Code:
-nXvs 0 tcp and host 10.10.10.100 and host 192.168.2.100 and dst port 80 and ((tcp[13] & 16 !=0) and (tcp[13] & 8 !=0))


I just realized that I failed to put in an example showing how you apply bitmasking against a binray file (ie: little endian) Please see the below noted for an example of how you would do it.

Code:

tcpdump -r file_name -nXvs 1514 tcp[13] = 18

Please note that the value of 18 equates to the decimal value of the flags you want to find. In this case 18 equals both Syn and Ack flags being set in the 13th byte in the TCP header.

The above several noted examples use standard tcpdump filters incorporated with bit masking. The amalgamation of the two will allow you to build complex filters thereby simplifying your task. There are ways of shortening the filters through the use of primitives, however these would be advanced filters. You would need to first be comfortable in the writing of the above before moving on to further complex filters. Should you have any further questions on the above or bit masking in general please feel free to see me or drop me a PM.

Shouts to Spyguy for some timely help on a command syntax that had me stumped, tween the two of us we fiugured it out


Last edited by alt.don on Sun May 02, 2004 2:26 am; edited 2 times in total
Back to top
View user's profile Send private message Visit poster's website
Yousof
Just Arrived
Just Arrived


Joined: 06 Dec 2003
Posts: 0
Location: Australia

Offline

PostPosted: Tue Dec 09, 2003 11:28 am    Post subject: Re: Bit masking 101 - TCPdump bitmasking simplified Reply with quote

alt.don wrote:
Bit Masking Simplified

Code:

tcpdump -r file_name -nXvs 1514 tcp[13] = 20

Please note that the value of 20 equates to the decimal value of the flags you want to find. In this case 20 equals both Syn and Ack flags being set in the 13th byte in the TCP header.


Just general note. I think the code should be something like that
Code:

tcpdump -F filter_name -r file_name -nXvs 1514
where filter_name contains:(accessed via vi)
tcp[13] & 2 !=0 and tcp[13] & 16 !=0
or you can use:
tcp[13] == 18 (instead of 20)


thats will filter the SYN and ACK packets

regards
Back to top
View user's profile Send private message
alt.don
SF Boss
SF Boss


Joined: 04 Mar 2003
Posts: 16777079


Offline

PostPosted: Tue Dec 09, 2003 4:08 pm    Post subject: Reply with quote

Quite right Yousof, and thanks for catching my typo. The == is not necessary actually as just one will do. As well there are many variations that you can do as mentioned. This is including doing up bitfilters ahead of time and accessing them file. Thanks for your input Smile
Back to top
View user's profile Send private message Visit poster's website
delete852
Just Arrived
Just Arrived


Joined: 19 Nov 2002
Posts: 4
Location: Washington DC

Offline

PostPosted: Tue Oct 19, 2004 10:36 pm    Post subject: Reply with quote

Hey, this is good, do you know of more papers that explain this in more detail?
Back to top
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger
alt.don
SF Boss
SF Boss


Joined: 04 Mar 2003
Posts: 16777079


Offline

PostPosted: Tue Oct 19, 2004 10:57 pm    Post subject: Reply with quote

More detail Shocked Actually it is about the most detailed paper of its kind to be honest. Do you have other specific queries you have in mind? Lastly it all comes down to also knowing your core protocols as well.
Back to top
View user's profile Send private message Visit poster's website
njan
Trusted SF Member
Trusted SF Member


Joined: 02 May 2005
Posts: 9
Location: Scotland, UK

Offline

PostPosted: Wed May 04, 2005 10:06 pm    Post subject: Reply with quote

Quote:
Lastly it all comes down to also knowing your core protocols as well.


Well put! This isn't much help to anyone who's restricted to finding information online (unless you can find an ebook to buy/download), but if anyone's reading this who's at a loss as to where to turn for information on packet analysis and/or Intrusion Detection, 'Network Intrusion Detection, third edition', which is written by Stephen Northcutt and Judy Novak is a spectacularly good read; worth reading for the explanation of TCP/IP it gives alone, and there is a *lot* in this book even for the seasoned professional (and in fact, even after half a dozen reads).

For anyone whose knowledge of TCP/IP is a little rusty the book is particularly good, as it goes into quite a lot of detail explaining TCP both theoretically and with reference to capturing data in tcpdump and snort (and with a lot of annotated packet dumps, case studies, and examples in the book) - the first 'Part' of the book, six chapters, is almost entirely a mix of practical and theoretical explanation of TCP/IP, and almost 100 pages long; the rest of my copy of the book (almost 400 pages) goes into great depth explaining Traffic Analysis (part two), Filters/Rules for Network Monitoring (part three), and 'Intrusion Infrastructure (part four), which, mysterious as it sounds, goes into analysis of a particular DoS attack, explains and explores Organisational issues and risk management, and examines responses (automated and manual), intrusion detection as a business service, and honeypots. The entire book is extremely well written and devastatingly detailed - each 'Part' is, on average, half a dozen chapters, each with several well-structured subsections.

To be honest, it's worth buying for the appendices alone, which are very very well written and detailed; the authors are some of SANS's finest, and this book is one of the best I've ever read (having given my wife about 12 hours of total peace and quiet on a long coach journey from Washington State to Utah).

http://www.amazon.com/exec/obidos/tg/detail/-/0735712654/qid=1115236223/sr=8-1/ref=sr_8_xs_ap_i1_xgl14/102-8636374-0653715?v=glance&s=books&n=507846
In case anyone's interested! If you want to find/order this book locally, the full title is "Network Intrusion Detection (3rd Edition)" by Stephen Northcutt, Judy Novak, published by Sams. ISBN is 0735712654.
Back to top
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger
mmkhan
Just Arrived
Just Arrived


Joined: 11 Jul 2004
Posts: 1


Offline

PostPosted: Wed May 11, 2005 9:32 pm    Post subject: Reply with quote

Hi,
what i understood from this article and the ones (on www.onlamp.com and windowsecurity.com) that we can do bitmasking in ethereal with the help of bpf filters and bitmask filters can u recommend and tutorial which can explain bitmasking using ethreal.


Thanks
Back to top
View user's profile Send private message
Calzon0211
Just Arrived
Just Arrived


Joined: 02 Mar 2011
Posts: 0


Offline

PostPosted: Fri Mar 11, 2011 12:42 pm    Post subject: Bitmask usage 101 - TCPdump bitmasking simplified Reply with quote

Thank you for the post alt.don,Can you please tell me what is the difference between or which is better TCPDUMP or WINDUMP.
Back to top
View user's profile Send private message
alt.don
SF Boss
SF Boss


Joined: 04 Mar 2003
Posts: 16777079


Offline

PostPosted: Thu Apr 21, 2011 9:26 pm    Post subject: Reply with quote

Hello,

TCPDUMP runs on Linux/UNIX/Mac O/S while windump runs on Microsoft Windows. They both do pretty much exactly the same thing.

Cheers,

Don
Back to top
View user's profile Send private message Visit poster's website
alt.don
SF Boss
SF Boss


Joined: 04 Mar 2003
Posts: 16777079


Offline

PostPosted: Tue May 31, 2011 10:45 pm    Post subject: Reply with quote

Hello crates,

Welcome to the forum and you are quite welcome.

--Don
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:   

Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Firewalls // Intrusion Detection - External Security All times are GMT + 2 Hours
Page 1 of 1


 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Community Area

Log in | Register