Thursday, 04 December 2008

BPF for IP or VLAN Traffic

Four years ago I did a second post on Understanding Tcpdump's -d Option, showing how you can use the -d option to understand how Berkeley Packet Filter syntax works.

Recently my colleagues and I encountered a problem where we were monitoring traffic on a tap, but the feed contained frames both with and without 802.1q VLAN tags. We wanted to create a BPF that would catch traffic whether or not it had VLAN tags. It turns out there is a difference between these two BPFs:


ip or vlan

is not the same as

vlan or ip

The first accomplishes our goal, but the second does not.

To understand why, I used Tcpdump's -d option.

$ tcpdump -d -n -r sample.pcap ip or vlan
reading from file sample.pcap, link-type EN10MB (Ethernet)
(000) ldh [12]
(001) jeq #0x800 jt 3 jf 2
(002) jeq #0x8100 jt 3 jf 4
(003) ret #65535
(004) ret #0

That looks right. Load the half word at offset 12. If it's the IP Ethertype, you get the whole packet. If it's not IP, go to the next instruction. If it's an 802.1Q VLAN tag, again you get the whole packet. Otherwise, return nothing.

This is the other option.

$ tcpdump -d -n -r sample.pcap vlan or ip
reading from file sample.pcap, link-type EN10MB (Ethernet)
(000) ldh [12]
(001) jeq #0x8100 jt 4 jf 2
(002) ldh [16]
(003) jeq #0x800 jt 4 jf 5
(004) ret #65535
(005) ret #0

That doesn't work. Load the half word at offset 12. If it's an 802.1Q VLAN tag, you get the whole packet. If it's not an 802.1Q VLAN tag, load the half word at offset 16. If that half word is an IP Ethertype (which it won't be, because in an untagged frame offset 16 already falls inside the IP header), you get the whole packet. Otherwise, return nothing.
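To make the difference concrete, here is an added example (not from the original post) that interprets the two bytecode listings above with a tiny emulator for the ldh/jeq/ret subset and runs them over two constructed Ethernet frames, one untagged IPv4 frame and one 802.1Q-tagged IPv4 frame; the frame bytes and VLAN ID 100 are made up for the demonstration.

```python
# Added example: minimal interpreter for the cBPF instructions tcpdump -d printed
# (ldh [k], jeq #k jt jf, ret #k), used to compare "ip or vlan" and "vlan or ip".
import struct

def run_bpf(program, pkt):
    """Run a list of (op, *args) tuples against pkt (bytes).
    Returns the ret value: 65535 accepts the whole packet, 0 drops it."""
    acc = 0
    pc = 0
    while pc < len(program):
        ins = program[pc]
        op = ins[0]
        if op == "ldh":                 # load big-endian 16-bit half word at offset k
            k = ins[1]
            if k + 2 > len(pkt):        # an out-of-bounds load rejects the packet
                return 0
            acc = struct.unpack_from("!H", pkt, k)[0]
            pc += 1
        elif op == "jeq":               # jump to jt if acc == k, otherwise to jf
            k, jt, jf = ins[1], ins[2], ins[3]
            pc = jt if acc == k else jf
        elif op == "ret":
            return ins[1]
        else:
            raise ValueError("unsupported opcode %r" % op)
    return 0

# Programs transcribed from the two tcpdump -d listings in the post.
IP_OR_VLAN = [("ldh", 12), ("jeq", 0x800, 3, 2), ("jeq", 0x8100, 3, 4),
              ("ret", 65535), ("ret", 0)]
VLAN_OR_IP = [("ldh", 12), ("jeq", 0x8100, 4, 2), ("ldh", 16),
              ("jeq", 0x800, 4, 5), ("ret", 65535), ("ret", 0)]

# Constructed frames: destination MAC, source MAC, then the EtherType.
MACS = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
IPV4_HDR = bytes.fromhex("4500003c00000000400600000a0000010a000002")  # made-up IPv4 header
PLAIN_IP = MACS + struct.pack("!H", 0x0800) + IPV4_HDR
# 802.1Q tag: TPID 0x8100, TCI with VLAN ID 100, then the encapsulated EtherType.
VLAN_IP = MACS + struct.pack("!HH", 0x8100, 100) + struct.pack("!H", 0x0800) + IPV4_HDR

def matches(program, pkt):
    """True when the filter would pass the frame to the capture."""
    return run_bpf(program, pkt) != 0

if __name__ == "__main__":
    for name, prog in (("ip or vlan", IP_OR_VLAN), ("vlan or ip", VLAN_OR_IP)):
        print(name, "untagged:", matches(prog, PLAIN_IP), "tagged:", matches(prog, VLAN_IP))
```

For the untagged frame, "vlan or ip" reads offset 16, which is the IPv4 total-length field (0x003c here), so the comparison against 0x800 fails and the frame is dropped.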

For an example of how you would combine a host and port filter with this syntax, see the following:

tcpdump -n -r ip.pcap \(ip and host 1.2.3.4 and port 80\) or \(vlan and host 1.2.3.4 and port 80\)

You might see this new option appear in Sguil CVS soon.


Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.
