Archive for the 'tcpdump' Category

fun with tcpdump bpf and udp

Saturday, February 9th, 2008

In an earlier post, I covered some basic and a few advanced techniques that can be done with tcpdump and bpf. Today I would like to expand upon those ideas just a little more.

Recently I was tasked with examining some traffic captures, looking for some specific UDP traffic. In this case, UDP traffic with a source port greater than or equal to 1024 and a destination port equal to 80. So how did I achieve this task with tcpdump?

tcpdump -n -s0 -r <pcap.file> '(udp[0:2] >= 1024 and udp[2:2] = 80)'

or, against a live interface instead of a capture file:

tcpdump -n -s0 -i <interface> '(udp[0:2] >= 1024 and udp[2:2] = 80)'

So what does all that really mean? It's actually pretty simple. The four most useful bpf statements to remember in regards to udp traffic are as follows:

udp[0:2] = source port
udp[2:2] = destination port
udp[4:2] = datagram length
udp[6:2] = UDP checksum

So in this example, I am simply asking tcpdump to show me udp traffic with a source port greater than or equal to 1024 and a destination port equal to port 80 and set the snaplen to 0 (show the entire packet contents).
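Added example, not code from the original post: a small Python script that applies the same '(udp[0:2] >= 1024 and udp[2:2] = 80)' predicate to raw IPv4 packets, showing where the udp[...] offsets point (just past the variable-length IP header) and how each 2-byte field is read in network byte order. The packets and the helper names are constructed for this illustration only.

```python
import struct

# Offsets inside the UDP header behind the tcpdump expressions udp[0:2],
# udp[2:2], udp[4:2] and udp[6:2]: each is a 2-byte big-endian field.
UDP_FIELDS = {"sport": 0, "dport": 2, "length": 4, "checksum": 6}

def udp_header(ipv4_packet):
    """Return the 8-byte UDP header of a raw IPv4 packet, or None if not UDP.

    BPF counts udp[n] from the start of the UDP header, so the variable
    IPv4 header length (IHL, in 32-bit words) has to be skipped first.
    """
    if len(ipv4_packet) < 20 or ipv4_packet[0] >> 4 != 4:
        return None
    ihl = (ipv4_packet[0] & 0x0F) * 4
    if ipv4_packet[9] != 17 or len(ipv4_packet) < ihl + 8:  # 17 = UDP
        return None
    return ipv4_packet[ihl:ihl + 8]

def udp_field(hdr, name):
    """udp[off:2] as an integer: 16-bit network-order read at the offset."""
    off = UDP_FIELDS[name]
    return struct.unpack("!H", hdr[off:off + 2])[0]

def matches_filter(ipv4_packet):
    """Python equivalent of '(udp[0:2] >= 1024 and udp[2:2] = 80)'."""
    hdr = udp_header(ipv4_packet)
    if hdr is None:
        return False
    return udp_field(hdr, "sport") >= 1024 and udp_field(hdr, "dport") == 80

def build_ipv4_udp(proto, sport, dport, payload):
    """Constructed test packet: 20-byte IPv4 header + UDP, checksums left 0."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, proto,
                     0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + udp

# Constructed samples: only the first one should pass the filter.
SAMPLES = [
    build_ipv4_udp(17, 40000, 80, b"x"),   # high source port -> port 80: match
    build_ipv4_udp(17, 53, 80, b"x"),      # source port below 1024: no match
    build_ipv4_udp(17, 40000, 443, b"x"),  # destination port is not 80: no match
    build_ipv4_udp(6, 40000, 80, b"x"),    # TCP, not UDP: no match
]
```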

This concludes another look into the endless possibilities that can be achieved with tcpdump and a good knowledge of Berkeley Packet Filters. Have fun with this, and nerd it up.

merging multiple pcap files into one file

Saturday, February 9th, 2008

Just a real quick tip today, while I get back into the swing of things, post-moving.

A friend of mine showed me a very useful utility called mergecap, which is included with the wireshark package (formerly known as Ethereal). This is one of those "so simple it hurts" tools that I wish I had known about years ago. So what is so special about mergecap? Well, if you've ever had to deal with multiple capture files, you know what a pain it can be to search through them all. This is where mergecap comes in handy.

There are a few options discussed in the man page, but in its simplest form, from the command line:

mergecap -w /path/to/output/dir/name.pcap *.pcap

Now, you simply wait a few seconds and you will have a properly merged pcap file. I tested this method on a few pcap files gigabytes in size and mergecap only took about 10 seconds to do its job.

If you are like me, and do not have X or a monitor installed on your sniffing box, I suggest installing tethereal, which is the command-line-only version of the wireshark package. Mergecap is included in the wireshark-common portion of the required packages.

Enjoy this short little tip and as always have fun nerding it up.

advanced tcpdump & Berkeley packet filters

Monday, November 12th, 2007

Today, I would like to introduce you to some of tcpdump's advanced options. If you've ever used tcpdump, you've probably captured traffic off a network interface or examined the contents of an existing pcap file. In its most basic use (sudo tcpdump), all visible network traffic is dumped off the primary interface to stdout. While this is the making of a great screen saver, it's not very useful. This is the moment at which you begin reading the man page and discover Berkeley Packet Filters (bpf). BPF statements can be as broad as # tcpdump 'port 80' or # tcpdump 'host and/or host', but there are times where a very specific level of detail is needed. This is where Berkeley Packet Filters become your best friend.
