fun with tcpdump bpf and udp


In an earlier post, I covered some basic and a few advanced techniques that can be done with tcpdump and bpf. Today I would like to expand upon those ideas just a little more.

Recently I was tasked with examining some traffic captures, looking for some specific UDP traffic. In this case, UDP traffic with a source port greater than or equal to 1024 and a destination port equal to 80. So how did I achieve this task with tcpdump?

tcpdump -n -r <pcap.file> '(udp[0:2] >= 1024 and udp[2:2] = 80)' -s0    (use -i <interface> instead of -r <pcap.file> for a live capture)

So what does all that really mean? It's actually pretty simple. The four most useful bpf statements to remember in regards to udp traffic are as follows (each is a byte offset and length into the UDP header):

udp[0:2] = source port
udp[2:2] = destination port
udp[4:2] = datagram length
udp[6:2] = UDP checksum

So in this example, I am simply asking tcpdump to show me udp traffic with a source port greater than or equal to 1024 and a destination port equal to port 80 and set the snaplen to 0 (show the entire packet contents).
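To show how those udp[offset:length] fields are located, here is an added Python example (not from the original post) that builds a constructed Ethernet/IPv4/UDP frame, reads the four header fields from the same offsets tcpdump uses, and applies the filter above. Addresses, ports and the helper names are assumptions made for the demonstration; checksums are left at zero.

```python
import struct

ETH_LEN = 14  # Ethernet II header; udp[] offsets begin after link + IP headers


def build_frame(src_port, dst_port, payload=b"", ip_options=b""):
    """Constructed Ethernet/IPv4/UDP frame for illustration (checksums zeroed)."""
    ihl = 5 + len(ip_options) // 4          # IP header length in 32-bit words
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + udp_len,
                     0, 0, 64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth = struct.pack("!6s6sH", b"\x00" * 6, b"\x00" * 6, 0x0800)
    return eth + ip + ip_options + udp


def udp_fields(frame):
    """Return (udp[0:2], udp[2:2], udp[4:2], udp[6:2]) or None if not IPv4/UDP."""
    if len(frame) < ETH_LEN + 20 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                           # not IPv4
    ihl = (frame[ETH_LEN] & 0x0F) * 4          # honour IP options, as BPF does
    if frame[ETH_LEN + 9] != 17:               # IP protocol must be UDP
        return None
    frag = struct.unpack("!H", frame[ETH_LEN + 6:ETH_LEN + 8])[0] & 0x1FFF
    if frag != 0:                              # libpcap's udp[] only matches frag offset 0
        return None
    off = ETH_LEN + ihl
    if len(frame) < off + 8:
        return None
    return struct.unpack("!HHHH", frame[off:off + 8])


def match_filter(frame):
    """Equivalent of the tcpdump filter '(udp[0:2] >= 1024 and udp[2:2] = 80)'."""
    fields = udp_fields(frame)
    return fields is not None and fields[0] >= 1024 and fields[1] == 80
```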

This concludes another look into the endless possibilities that can be achieved with tcpdump and a good knowledge of Berkeley Packet Filters. Have fun with this, and nerd it up.

2 Responses to "fun with tcpdump bpf and udp"

  1. Greg Martin Says:

    great tip! Just thought it was bizarre to see udp traffic destined for port 80! Sounds like botnet backdoor channelish…

    Never in my experience have I seen a process listen on udp port 80. It is extremely common for attackers to try and evade secadmins by sourcing their udp or tcp scans from port 80 to try and sneak in as web traffic; maybe you saw backscatter from a portscan generated from the inside?

    -G

  2. Axthrower Says:

    Your tcpdump skills are fearsome!
