Archive for February 9th, 2008

fun with tcpdump bpf and udp

Saturday, February 9th, 2008

In an earlier post, I covered some basic and a few advanced techniques that can be done with tcpdump and bpf. Today I would like to expand upon those ideas just a little more.

Recently I was tasked with examining some traffic captures, looking for some specific UDP traffic. In this case, UDP traffic with a source port greater than or equal to 1024 and a destination port equal to 80. So how did I achieve this task with tcpdump?

tcpdump -n(r or i) <pcap.file or interface> -s0 '(udp[0:2] >= 1024 and udp[2:2] = 80)'

So what does all that really mean? It’s actually pretty simple. The four most useful bpf offsets to remember for udp traffic are as follows:

udp[0:2] = source port
udp[2:2] = destination port
udp[4:2] = datagram length
udp[6:2] = UDP checksum

So in this example, I am simply asking tcpdump to show me udp traffic with a source port greater than or equal to 1024 and a destination port equal to port 80 and set the snaplen to 0 (show the entire packet contents).
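To make those offsets concrete, here is a small added Python example (not code from the original post) that builds constructed IPv4/UDP packets and evaluates the same filter by reading the bytes that udp[0:2], udp[2:2], udp[4:2] and udp[6:2] name. It also shows two things the one-liner hides: tcpdump's udp[...] offsets count from the start of the UDP header, after however many IPv4 header bytes the IHL field says are present, so IP options do not break the filter; and they apply to IPv4 only (for IPv6 you index ip6[...] by hand). Addresses, ports, payloads and the router-alert option are constructed sample values.

```python
import struct

UDP_PROTO = 17


def build_udp(sport, dport, payload):
    """Construct a UDP datagram: 8-byte header (checksum left 0 here) + payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_ipv4(udp, options=b""):
    """Wrap a UDP datagram in a minimal IPv4 header (constructed 10.0.0.1 -> 10.0.0.2).
    Options are padded to a 4-byte multiple; they raise IHL and shift where UDP starts."""
    options += b"\x00" * (-len(options) % 4)
    ihl = (20 + len(options)) // 4
    total_len = 20 + len(options) + len(udp)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl,      # version 4, IHL in 32-bit words
        0,                   # TOS
        total_len,
        0,                   # identification
        0,                   # flags / fragment offset (first and only fragment)
        64,                  # TTL
        UDP_PROTO,
        0,                   # header checksum (not computed for this example)
        bytes([10, 0, 0, 1]),
        bytes([10, 0, 0, 2]),
    )
    return header + options + udp


def udp_header(pkt):
    """Locate the 8-byte UDP header the way BPF's udp[...] does: relative to the
    end of the IPv4 header (IHL * 4 bytes), and only for IPv4 packets carrying UDP."""
    ver_ihl = pkt[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("udp[] offsets apply to IPv4 only")
    ihl = (ver_ihl & 0x0F) * 4
    if pkt[9] != UDP_PROTO:
        return None
    return pkt[ihl:ihl + 8]


def udp_fields(udp):
    """Decode the four 2-byte fields named by the post's offsets."""
    sport, dport, length, csum = struct.unpack("!HHHH", udp)
    return {"udp[0:2]": sport, "udp[2:2]": dport, "udp[4:2]": length, "udp[6:2]": csum}


def matches_filter(pkt):
    """Python equivalent of '(udp[0:2] >= 1024 and udp[2:2] = 80)'."""
    udp = udp_header(pkt)
    if udp is None:
        return False
    f = udp_fields(udp)
    return f["udp[0:2]"] >= 1024 and f["udp[2:2]"] == 80


# Constructed sample packets (not real captures).
SAMPLES = {
    "match": build_ipv4(build_udp(40000, 80, b"GET / HTTP/1.0\r\n")),
    "low_sport": build_ipv4(build_udp(53, 80, b"x")),
    "wrong_dport": build_ipv4(build_udp(40000, 443, b"y")),
    # IPv4 router-alert option (type 0x94, length 4) pushes IHL to 6; filter still matches.
    "with_options": build_ipv4(build_udp(40000, 80, b"z"), options=b"\x94\x04\x00\x00"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, udp_fields(udp_header(pkt)), "->", matches_filter(pkt))
```

One more caveat worth knowing when running the real filter over a capture: only the first fragment of a fragmented datagram carries a UDP header, so later fragments cannot match a udp[...] expression and will be missing from the output.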

This concludes another look into the endless possibilities that can be achieved with tcpdump and a good knowledge of Berkeley Packet Filter. Have fun with this, and nerd it up.

merging multiple pcap files into one file

Saturday, February 9th, 2008

Just a real quick tip today, while I get back into the swing of things, post-moving.

A friend of mine showed me a very useful utility called mergecap, which is included with the wireshark package (formerly known as Ethereal). This is one of those “so simple it hurts” tools that I wish I had known about years ago. So what is so special about mergecap? Well, if you’ve ever had to deal with multiple capture files, you know what a pain it can be to search through them all. This is where mergecap comes in handy.

There are a few options discussed in the man page, but in its simplest form, from the command line:

mergecap -w /path/to/output/dir/name.pcap *.pcap

Now, you simply wait a few seconds and you will have a properly merged pcap file. I tested this method on a few pcap files gigabytes in size and mergecap only took about 10 seconds to do its job.
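As an added illustration of what a merge like that actually does (example code, not part of mergecap or of the original post), the Python below reads classic little-endian pcap files, interleaves their packets chronologically by timestamp, which is the order mergecap uses by default, and refuses to mix link types, since a single classic pcap header can describe only one. The two input files are constructed inside the script; the timestamps and packet bytes are sample values.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap format, microsecond timestamps
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = "<IHHiIII"      # magic, ver major, ver minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "<IIII"         # ts_sec, ts_usec, incl_len, orig_len


def write_pcap(records, linktype=LINKTYPE_ETHERNET):
    """Serialise (ts_sec, ts_usec, data) records into a classic little-endian pcap (bytes)."""
    out = struct.pack(GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for ts_sec, ts_usec, data in records:
        out += struct.pack(RECORD_HDR, ts_sec, ts_usec, len(data), len(data)) + data
    return out


def read_pcap(blob):
    """Parse a classic little-endian pcap; return (linktype, [(ts_sec, ts_usec, data), ...])."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from(GLOBAL_HDR, blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x (only little-endian microsecond pcap handled)" % magic)
    offset, records = struct.calcsize(GLOBAL_HDR), []
    while offset < len(blob):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(RECORD_HDR, blob, offset)
        offset += struct.calcsize(RECORD_HDR)
        records.append((ts_sec, ts_usec, blob[offset:offset + incl_len]))
        offset += incl_len
    return linktype, records


def merge_pcaps(blobs):
    """Merge several pcap files into one, ordered by timestamp (mergecap's default).
    Mixed link types are rejected: one classic pcap header holds a single linktype."""
    linktypes, merged = set(), []
    for blob in blobs:
        linktype, records = read_pcap(blob)
        linktypes.add(linktype)
        merged.extend(records)
    if len(linktypes) != 1:
        raise ValueError("link types differ: %s" % sorted(linktypes))
    merged.sort(key=lambda rec: (rec[0], rec[1]))   # stable sort: sec, then usec
    return write_pcap(merged, linktype=linktypes.pop())


def merged_timestamps(blobs):
    """Convenience: the (sec, usec) sequence of the merged output."""
    _linktype, records = read_pcap(merge_pcaps(blobs))
    return [(sec, usec) for sec, usec, _data in records]


# Constructed sample captures whose timestamps interleave (Feb 9th 2008, UTC epoch seconds).
FILE_A = write_pcap([(1202544000, 100, b"\xaa" * 14), (1202544002, 0, b"\xbb" * 14)])
FILE_B = write_pcap([(1202544001, 0, b"\xcc" * 14), (1202544003, 500, b"\xdd" * 14)])
FILE_RAW_IP = write_pcap([(1202544004, 0, b"\xee" * 20)], linktype=101)  # LINKTYPE_RAW

if __name__ == "__main__":
    print(merged_timestamps([FILE_A, FILE_B]))
    try:
        merge_pcaps([FILE_A, FILE_RAW_IP])
    except ValueError as err:
        print("refused:", err)
```

The real tool handles far more (pcapng, different timestamp resolutions, the -a flag to concatenate without sorting), but the core of a merge is exactly this: read every record, sort by capture time, write one stream.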

If you are like me, and do not have X or a monitor installed on your sniffing box, I suggest installing tethereal, which is the command line only version of the wireshark package. Mergecap is included in the wireshark-common portion of the required packages.

Enjoy this short little tip and as always have fun nerding it up.