Wireshark study notes (2): byte-offset capture filters

Source: Internet. Editor: 程序博客网. Time: 2024/06/05 10:31

When writing Wireshark capture filters you often need the values of header fields in IP, TCP, UDP, ICMP and other protocols. The links below summarize this material and can serve as a reference. Note that the byte-offset expressions here are pcap/BPF capture-filter syntax (the same syntax tcpdump and dumpcap use); they are not Wireshark display-filter syntax, where the equivalent of ip[8] == 1 would be ip.ttl == 1.

(1) Parent link: http://www.packetlevel.ch/html/tcpdumpf.html

(2) Child link: http://www.packetlevel.ch/html/txt/byte_offsets.txt


Below are a few capture filters built from fields of the IPv4 header. In ip[off:size], off is the byte offset from the start of the IPv4 header (the link-layer header in front of it is skipped automatically) and size is the number of bytes read, which must be 1, 2 or 4; the bytes are interpreted as a big-endian integer.

(1) Capture IP datagrams of a specific total length (e.g. 62 bytes)

ip[2:2] == 62

Note: 62 is compared against the "Total Length" field of the IP header, i.e. IP header plus payload. It is not the frame length shown in Wireshark's Length column, which on Ethernet is 14 bytes larger (76 for this example).

(2) Capture IP datagrams with a specific TTL (time to live)

ip[8] == <TTL_value>

Note: TTL_value is the value of the "TTL" field in the IP header, e.g. ip[8] == 1 catches traceroute-style probes and ip[8] < 5 catches packets that are about to expire.

(3) Capture IP datagrams of a specific transport protocol

ip[9] == 6

Note: 6 is the value of the "Protocol" field in the IP header; Wireshark shows it in the IP header as "Protocol: TCP (6)", so this filter captures TCP packets. It is equivalent to the built-in qualifier tcp, but the numeric form also covers protocols that have no keyword.

1 = ICMP, 6 = TCP, 17 = UDP, and so on (see /etc/protocols for the full list).

(4) Capture IP datagrams whose source and destination addresses are the same (the classic "land attack" packet)

ip[12:4] == ip[16:4]

The principle follows from the IPv4 header layout: the source address occupies bytes 12 to 15 of the header and the destination address bytes 16 to 19, so the two 4-byte fields are compared directly.
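To make the offsets above concrete, here is an added example (my own code, not from the original post or from packetlevel.ch) that builds constructed Ethernet/IPv4 frames with Python's struct module and evaluates the four filters above exactly as BPF would: ip[off:size] reads size big-endian bytes at offset off from the start of the IPv4 header, ignoring the 14-byte Ethernet header in front of it. The addresses, TTLs and payload sizes are constructed test data, and the header checksum is left zero because nothing here verifies it.

```python
"""Evaluate the post's IPv4 byte-offset capture filters against constructed frames.

BPF's ip[off:size] reads `size` bytes (big-endian) starting `off` bytes into the
IPv4 header, regardless of the link-layer header in front of it.  The frames
below are constructed test data (Ethernet II + IPv4 + payload), not captures.
"""
import struct

ETH_LEN = 14  # Ethernet II header; BPF "ip[...]" offsets are measured after it


def build_frame(src, dst, ttl=64, proto=6, payload=b"", ident=0x1234):
    """Constructed Ethernet II frame with a minimal (20-byte, option-free) IPv4 header."""
    total_len = 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45,                              # version 4, IHL 5 (20 bytes)
                         0x00,                              # DSCP/ECN
                         total_len,                         # ip[2:2]  total length
                         ident,                             # ip[4:2]  identification
                         0x4000,                            # ip[6:2]  DF set, offset 0
                         ttl,                               # ip[8]    TTL
                         proto,                             # ip[9]    protocol
                         0,                                 # ip[10:2] checksum (zero in test data)
                         bytes(map(int, src.split("."))),   # ip[12:4] source address
                         bytes(map(int, dst.split("."))))   # ip[16:4] destination address
    eth_hdr = b"\x00" * 12 + b"\x08\x00"   # dst MAC, src MAC, EtherType 0x0800 (IPv4)
    return eth_hdr + ip_hdr + payload


def ip_field(frame, off, size=1):
    """Mirror BPF's ip[off:size]: big-endian integer read from the IPv4 header."""
    start = ETH_LEN + off
    return int.from_bytes(frame[start:start + size], "big")


# The four filters from this post, as predicates over one frame (TTL_value chosen as 1).
FILTERS = {
    "ip[2:2] == 62":        lambda f: ip_field(f, 2, 2) == 62,
    "ip[8] == 1":           lambda f: ip_field(f, 8) == 1,
    "ip[9] == 6":           lambda f: ip_field(f, 9) == 6,
    "ip[12:4] == ip[16:4]": lambda f: ip_field(f, 12, 4) == ip_field(f, 16, 4),
}


def evaluate(frame):
    """Return {filter_text: matched} for one frame."""
    return {text: pred(frame) for text, pred in FILTERS.items()}


# Constructed samples.
# 1) TCP packet whose IPv4 total length is 62: 20-byte IP header + 42 bytes of payload.
#    The Ethernet frame is 14 + 62 = 76 bytes; ip[2:2] counts only the IP datagram.
FRAME_LEN62 = build_frame("10.0.0.1", "10.0.0.2", ttl=64, proto=6, payload=b"A" * 42)
# 2) A traceroute-style probe: TTL 1, UDP.
FRAME_TTL1 = build_frame("10.0.0.1", "8.8.8.8", ttl=1, proto=17, payload=b"B" * 8)
# 3) A land-attack packet: source address equals destination address.
FRAME_LAND = build_frame("192.0.2.7", "192.0.2.7", ttl=64, proto=6, payload=b"C" * 20)


if __name__ == "__main__":
    for name, frame in [("len62", FRAME_LEN62), ("ttl1", FRAME_TTL1), ("land", FRAME_LAND)]:
        print(name, len(frame), "bytes on the wire:", evaluate(frame))
```

Running it shows that the frame matching ip[2:2] == 62 is 76 bytes long on the wire, which is the number Wireshark's Length column would report; the filter is compared against the IP total length, not the frame length.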




Below is the parent link's table of byte offsets for the header fields of each protocol, with sample filters:

Common filters
  ip                  IP
  arp                 ARP
  tcp                 TCP
  udp                 UDP
  icmp                ICMP
  ip multicast        IP multicast
  ether multicast     Ethernet multicast

IP filters
  ip[0] & 0x0f        low nibble: header length in 4-octet words; should be 5
  ip[1]               type of service / QoS / DiffServ
  ip[2:2]             total length of datagram in octets
  ip[4:2]             IP ID number
  ip[6] & 0x80        reserved flag bit (must be zero)
  ip[6] & 0x40        DF bit
  ip[6] & 0x20        MF bit
  ip[6:2] & 0x1fff    fragment offset (number of 8-octet blocks)
  ip[8]               TTL
  ip[9]               protocol
  ip[10:2]            header checksum
  ip[12:4]            source IP
  ip[16:4]            destination IP

IP samples
  (ip[12:4] = ip[16:4])                              src IP = dst IP (land attack)
  ip[0] & 0xf0                                       high nibble: IP version, almost always 4 (0x40)
  (ip[0] & 0xf0 != 0x40)                             IP version != 4
  (ip[0:1] & 0x0f > 5)                               IP with options set
  (ip[19] = 0xff)                                    broadcasts to x.x.x.255
  (ip[19] = 0x00)                                    broadcasts to x.x.x.0
  (ip and ip[1] & 0xfc == 0xb8)                      EF (DSCP 46) in the DSCP field
  (ip and ip[1] & 0xfc == 0x28)                      AF11 (DSCP 10) in the DSCP field
  (ip and ip[1] & 0xfc != 0x00)                      DSCP != 0
  (ip[6] & 0x20 != 0) and (ip[6:2] & 0x1fff = 0)     initial fragments
  (ip[6] & 0x20 != 0) and (ip[6:2] & 0x1fff != 0)    intervening fragments
  (ip[6] & 0x20 = 0) and (ip[6:2] & 0x1fff != 0)     terminal fragments
  (ip[0] & 0x0f) != 5                                has IP options (or is truncated, or is otherwise malformed)
  ip[8] < 5                                          short TTL value
  ip[6] & 0x20 != 0                                  MF set (the original wrote ip[6] = 32, which additionally requires DF clear and the top five offset bits zero)
  ip[2:2] > 999                                      IP datagram longer than 999 bytes

ICMP filters
  icmp[0]             type
  icmp[1]             code
  icmp[2:2]           checksum

ICMP samples
  icmp[0] = X                        all packets with ICMP type X
  icmp[0] = X and icmp[1] = Y        all packets with ICMP type X and code Y
  icmp[0] = 8                        ICMP echo request
  icmp[0] = 0                        ICMP echo reply (the original had icmp[8] = 0, which reads the first data byte instead of the type)
  icmp[0] = 0x11                     ICMP address mask request (type 17)
  icmp[0] = 0x12                     ICMP address mask reply (type 18)
  icmp[0] = 11 and icmp[1] = 0       ICMP time exceeded, TTL exceeded in transit
  icmp[0] = 3 and icmp[1] = 4        ICMP destination unreachable, fragmentation needed and DF set (the original mislabeled this as time exceeded)
  icmp[0] = 8 and ip[2:2] > 64       large ICMP echo requests (IP total length over 64 bytes)

TCP filters
  tcp[0:2]            source port
  tcp[2:2]            destination port
  tcp[4:4]            sequence number
  tcp[8:4]            acknowledgement number
  tcp[12]             header length: data offset in the high nibble, in 4-octet words
  tcp[13]             TCP flags, bit order (high to low) CWR ECE URG ACK PSH RST SYN FIN:
      ---- --S-       0000 0010 = 0x02   normal SYN
      ---A --S-       0001 0010 = 0x12   normal SYN-ACK
      ---A ----       0001 0000 = 0x10   normal ACK
      --UA P---       0011 1000 = 0x38   PSH-URG-ACK; interactive traffic such as SSH
      ---A -R--       0001 0100 = 0x14   RST-ACK; it happens
      ---- --SF       0000 0011 = 0x03   SYN-FIN scan
      --U- P--F       0010 1001 = 0x29   URG-PSH-FIN; nmap fingerprint packet
      -Y-- ----       0100 0000 = 0x40   anything >= 0x40 has one of the two high bits set
      XY-- ----       1100 0000 = 0xC0   both high bits set
      XYUA PRSF       1111 1111 = 0xFF   full XMAS scan
    Caveat: when this table was written, X and Y were reserved bits. They are now CWR and ECE (RFC 3168 ECN), so a SYN with tcp[13] = 0xC2 (SYN+ECE+CWR) or a SYN-ACK with 0x52 is a normal ECN-capable handshake, not an anomaly; filter on 0x40/0xC0 only with that in mind.
  tcp[14:2]           window size
  tcp[16:2]           checksum
  tcp[18:2]           urgent pointer

TCP samples
  tcp[13] = 0x02                     is SYN, nothing else
  (tcp[13] & 0x02) != 0              contains SYN; we don't care what else is set
  (tcp[13] & 0x03) = 3               some kind of SYN-FIN; really bad
  winnuke                            (no filter given in the original; marked "not tested")
  tcp[20:4] = 0x47455420             "GET " at the start of the payload; correct only when the TCP header is exactly 20 bytes (no options). The header-length-aware form is tcp[((tcp[12]&0xf0)>>2):4] = 0x47455420

UDP filters
  udp[0:2]            source port
  udp[2:2]            destination port
  udp[4:2]            datagram length
  udp[6:2]            UDP checksum

Protocols (value of ip[9]; others in /etc/protocols)
  ip[9] == 8          EGP
  ip[9] == 9          IGP
  ip[9] == 88         EIGRP
  ip[9] == 50         ESP
  ip[9] == 51         AH
  ip[9] == 89         OSPF
  ip[9] == 124        IS-IS over IPv4

Routing protocols
  (udp and port 520) or (host 224.0.0.9)    RIP 1 + 2
  tcp and port 179                           BGP
  ip[9] == 8 / 9 / 88 / 89 / 124             EGP / IGP / EIGRP / OSPF / IS-IS, as in the protocol list above

Ether filters
  ether[20:2] == 0x2000    CDP packets (protocol ID in the SNAP header)
  ether[12:2] == 0x0806    ARP packets (EtherType)

IPv6
  ip6                                                   native IPv6 traffic (including ICMPv6)
  icmp6                                                 native ICMPv6 traffic
  proto ipv6                                            tunneled IPv6-in-IPv4 traffic (on an IPv4 capture, ip proto 41 is the unambiguous form)
  ip6 and (ip6[6] == 0x06)                              IPv6 TCP (next header 6)
  ip6 and (ip6[6] == 0x06) and (ip6[53] == 0x02)        IPv6 TCP SYN
  ip6 and (ip6[6] == 0x06) and (ip6[53] == 0x10)        IPv6 TCP ACK
  ip6 and (ip6[6] == 0x06) and (ip6[53] == 0x12)        IPv6 TCP SYN/ACK
  ip6 and (ip6[6] == 0x11)                              IPv6 UDP (next header 17; the original mislabeled this as TCP)
  (ip6[6] == 0x3a)                                      ICMPv6 (next header 58)
  (ip6[6] == 0x3a) and (ip6[40] == 0x01)                ICMPv6 type 1, destination unreachable
  (ip6[6] == 0x3a) and (ip6[40] == 0x02)                ICMPv6 type 2, packet too big
  (ip6[6] == 0x3a) and (ip6[40] == 0x03)                ICMPv6 type 3, time exceeded
  (ip6[6] == 0x3a) and (ip6[40] == 0x04)                ICMPv6 type 4, parameter problem
  (ip6[6] == 0x3a) and (ip6[40] == 0x80)                ICMPv6 type 128, echo request
  (ip6[6] == 0x3a) and (ip6[40] == 0x81)                ICMPv6 type 129, echo reply
  (ip6[6] == 0x3a) and (ip6[40] == 0x85)                ICMPv6 type 133, router solicitation
  (ip6[6] == 0x3a) and (ip6[40] == 0x86)                ICMPv6 type 134, router advertisement
  (ip6[6] == 0x3a) and (ip6[40] == 0x87)                ICMPv6 type 135, neighbor solicitation
  (ip6[6] == 0x3a) and (ip6[40] == 0x88)                ICMPv6 type 136, neighbor advertisement
  (The original listed 0x86 through 0x89 for types 133 through 136; 133 is 0x85, so each value was off by one.)
  Caveat: ip6[40] and ip6[53] assume the 40-byte fixed IPv6 header is followed directly by the ICMPv6 or TCP header. Any extension header (hop-by-hop, routing, fragment, destination options) shifts those offsets and the filter silently stops matching.

My filters
  tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'    IP broadcast or multicast packets that were not sent via Ethernet broadcast or multicast
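The "GET in request" entry and the flag table above deserve a worked check. The following added example (my own code, not part of the packetlevel.ch table) constructs TCP segments with and without options and evaluates the table's fixed-offset filter tcp[20:4] = 0x47455420 next to the header-length-aware form tcp[((tcp[12]&0xf0)>>2):4] = 0x47455420; it also decodes tcp[13] with the modern bit names, where the two "reserved" bits are CWR and ECE. Ports, sequence numbers and the timestamp option contents are constructed values.

```python
"""tcp[off:size] is measured from the start of the TCP header, so a fixed offset
such as tcp[20:4] only reaches the payload when the header carries no options.
This evaluates the table's "GET in request" filter both ways on constructed
TCP segments (header + payload, no IP header in front).
"""
import struct


def tcp_field(seg, off, size=1):
    """Mirror BPF's tcp[off:size] on a raw TCP segment."""
    return int.from_bytes(seg[off:off + size], "big")


def build_segment(flags, payload=b"", options=b""):
    """Constructed TCP segment: 20-byte base header, optional options, then payload."""
    assert len(options) % 4 == 0, "TCP options must be padded to 32-bit words"
    data_offset = (20 + len(options)) // 4            # header length in 32-bit words
    hdr = struct.pack("!HHIIBBHHH",
                      40000, 80,                        # tcp[0:2], tcp[2:2]: ports (constructed)
                      1, 0,                             # tcp[4:4], tcp[8:4]: seq, ack
                      data_offset << 4,                 # tcp[12]: data offset in the high nibble
                      flags,                            # tcp[13]: flags
                      65535, 0, 0)                      # window, checksum (zero), urgent pointer
    return hdr + options + payload


GET = 0x47455420  # the ASCII bytes "GET " as a big-endian 32-bit value


def get_at_fixed_offset(seg):
    """The table's filter: tcp[20:4] = 0x47455420."""
    return tcp_field(seg, 20, 4) == GET


def get_after_header(seg):
    """Header-length-aware form: tcp[((tcp[12]&0xf0)>>2):4] = 0x47455420.
    (tcp[12] & 0xf0) >> 2 is data_offset_words * 4, i.e. the header length in bytes."""
    hdr_len = (tcp_field(seg, 12) & 0xF0) >> 2
    return tcp_field(seg, hdr_len, 4) == GET


# tcp[13] bits, low to high; the table's "reserved" X/Y bits are CWR and ECE today.
FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
             0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR"}


def decode_flags(seg):
    """Names of the flag bits set in tcp[13], low bit first."""
    return [name for bit, name in FLAG_BITS.items() if tcp_field(seg, 13) & bit]


# Constructed samples.
# An HTTP request with a bare 20-byte TCP header: both filters match.
SEG_NO_OPTS = build_segment(0x18, payload=b"GET / HTTP/1.1\r\n")
# The same request with NOP, NOP, Timestamp (12 bytes of options), as Linux sends by default:
# tcp[20:4] now reads the option bytes, so the fixed-offset filter misses it.
TS_OPTION = b"\x01\x01\x08\x0a" + struct.pack("!II", 12345, 0)
SEG_WITH_OPTS = build_segment(0x18, payload=b"GET / HTTP/1.1\r\n", options=TS_OPTION)
# A SYN with ECE and CWR set (tcp[13] = 0xC2): ECN negotiation, not a reserved-bit anomaly.
SEG_ECN_SYN = build_segment(0xC2)


if __name__ == "__main__":
    for name, seg in [("no options", SEG_NO_OPTS), ("with options", SEG_WITH_OPTS)]:
        print(f"{name}: tcp[20:4]={get_at_fixed_offset(seg)} "
              f"header-aware={get_after_header(seg)} flags={decode_flags(seg)}")
    print("ECN SYN flags:", decode_flags(SEG_ECN_SYN))
```

The header-aware expression is what to type into tcpdump or the Wireshark capture-filter box when TCP options are present, which on modern stacks is nearly always.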

Below is the content of the child link (byte_offsets.txt):

Intro
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

This document is meant to serve as a quick reference for points of interest in IP, TCP, UDP and ICMP headers. I cobbled the information from a variety of sources, all listed at the bottom of this page. This information will (hopefully) be useful to people building filters for network tools that use BPF, such as tcpdump or snort. I was moved to collect all of this stuff in one place after completing "Intrusion Detection In-Depth" at a recent SANS conference. Yes, I'm aware that some of these offsets are covered by tcpdump macros. So what? Use the byte offsets instead and let them ph33r your m@d sk1lz. Corrections, additions and so on are welcome. Send them to: jquinby (at) node.to

Cheers,
JQ

IP byte offsets
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

ip[0] & 0xf0       - protocol version (high nibble)
ip[0] & 0x0f       - internet header length (low nibble, in 4-octet words)
ip[1]              - TOS
ip[2:2]            - total length
ip[4:2]            - IP identification
ip[6] & 0xe0       - IP flags (reserved, DF, MF)
ip[6:2] & 0x1fff   - fragment offset area
ip[8]              - TTL
ip[9]              - protocol field
ip[10:2]           - header checksum
ip[12:4]           - src IP address
ip[16:4]           - dst IP address
ip[20] onward      - options, then padding to a 4-octet boundary (present only when the header length is greater than 5)

Src IP = Dest IP (land attack):
(ip[12:4] = ip[16:4])

IP versions != 4:
(ip[0] & 0xf0 != 0x40)

IP with options set:
(ip[0:1] & 0x0f > 5)

Broadcasts to x.x.x.255:
(ip[19] = 0xff)

Broadcasts to x.x.x.0:
(ip[19] = 0x00)

TCP byte offsets, including anomalous TCP flag settings.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

tcp[0:2]           - src port
tcp[2:2]           - dst port
tcp[4:4]           - seq number
tcp[8:4]           - ack number
tcp[12] & 0xf0     - data offset (header length in 4-octet words, high nibble)
tcp[12] & 0x0f     - reserved (low nibble)
tcp[13]            - tcp flags
tcp[13] & 0x3f = 0      - no flags set (null packet)
tcp[13] & 0x11 = 1      - FIN set and ACK not set
tcp[13] & 0x03 = 3      - SYN set and FIN set
tcp[13] & 0x05 = 5      - RST set and FIN set
tcp[13] & 0x06 = 6      - SYN set and RST set
tcp[13] & 0x18 = 8      - PSH set and ACK not set
tcp[13] & 0x30 = 0x20   - URG set and ACK not set
tcp[13] & 0xc0 != 0     - at least one of the two high bits of tcp[13] is set (reserved when this was written; they are now CWR and ECE and appear legitimately with ECN)
tcp[14:2]          - window
tcp[16:2]          - checksum
tcp[18:2]          - urgent pointer
tcp[20] onward     - options and padding (present only when the data offset is greater than 5), followed by data

UDP byte offsets, header only
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

udp[0:2]           - src port
udp[2:2]           - dst port
udp[4:2]           - length
udp[6:2]           - checksum
udp[8:4]           - first 4 octets of data

Crafted packets with implausible UDP lengths:
(udp[4:2] < 8) or (udp[4:2] > 1500)
(The original read udp[4:2] < 0, which can never match because the field is unsigned; the smallest legal value is 8, the header alone. Values above 1500 are not impossible, the field allows up to 65535, but they cannot fit an unfragmented Ethernet frame.)

ICMP
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

icmp[0]            - type
icmp[1]            - code
icmp[2:2]          - checksum

Destination Unreachable: icmp[0] = 0x3 (3)
icmp[4:4]          - unused (per RFC)
icmp[8:4]          - internet header + 64 bits original data
icmp[1]            - 0 = net unreachable;
                   - 1 = host unreachable;
                   - 2 = protocol unreachable;
                   - 3 = port unreachable;
                   - 4 = fragmentation needed and DF set;
                   - 5 = source route failed.

Time Exceeded: icmp[0] = 0xB (11)
icmp[4:4]          - unused (per RFC)
icmp[8:4]          - internet header + 64 bits original data
icmp[1]            - 0 = TTL exceeded in transit
                   - 1 = fragment reassembly time exceeded

Parameter Problem: icmp[0] = 0xC (12)
icmp[1]            - 0 = pointer indicates error
icmp[4]            - pointer
icmp[5:3]          - unused, per RFC
icmp[8:4]          - internet header + 64 bits original data

Source Quench: icmp[0] = 0x4 (4)
icmp[1]            - 0 = may be received by gateway or host
icmp[4:4]          - unused, per RFC
icmp[8:4]          - internet header + 64 bits original data

Redirect Message: icmp[0] = 0x5 (5)
icmp[1]            - 0 = redirect for network
                   - 1 = redirect for host
                   - 2 = redirect for TOS & network
                   - 3 = redirect for TOS & host
icmp[4:4]          - gateway internet address
icmp[8:4]          - internet header + 64 bits original data

Echo/Echo Reply:
icmp[0] = 0x0 (0) (echo reply)
icmp[0] = 0x8 (8) (echo request)
icmp[4:2]          - identifier
icmp[6:2]          - sequence number
icmp[8]            - data begins

Timestamp/Timestamp Reply:
icmp[0] = 0xD (13) (timestamp request)
icmp[0] = 0xE (14) (timestamp reply)
icmp[1]            - 0
icmp[4:2]          - identifier
icmp[6:2]          - sequence number
icmp[8:4]          - originate timestamp
icmp[12:4]         - receive timestamp
icmp[16:4]         - transmit timestamp

Information Request/Reply:
icmp[0] = 0xF (15) (info request)
icmp[0] = 0x10 (16) (info reply)
icmp[1]            - 0
icmp[4:2]          - identifier
icmp[6:2]          - sequence number

Address Mask Request/Reply:
icmp[0] = 0x11 (17) (address mask request)
icmp[0] = 0x12 (18) (address mask reply)

Sources:
RFC 768, "User Datagram Protocol"
RFC 791, "Internet Protocol"
RFC 792, "Internet Control Message Protocol"
RFC 793, "Transmission Control Protocol"
filter files from the SHADOW-1.8 source distribution
man pages for tcpdump
"TCP/IP and tcpdump Pocket Reference Guide", SANS
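The flag and fragment-offset entries above (ip[6] & 0xe0, ip[6:2] & 0x1fff) are enough to classify fragments the way the parent table's three fragment filters do. The following added example (my own code, not from either linked document) applies that classification to constructed 20-byte IPv4 headers and, going one step beyond the table, computes where each fragment would end in the reassembled datagram, so a fragment that runs past the 65535-byte IPv4 maximum (the shape of the old "ping of death") stands out. Addresses, IDs and lengths are constructed values and the checksum is left zero.

```python
"""Classify IPv4 fragments from the flag/offset bytes that BPF filters read.

ip[6] & 0x20 is the MF (More Fragments) bit and ip[6:2] & 0x1fff the fragment
offset in 8-octet units.  Inputs are raw 20-byte IPv4 headers (no link layer).
"""


def ip_field(ip_hdr, off, size=1):
    """Mirror BPF's ip[off:size] on a raw IPv4 header."""
    return int.from_bytes(ip_hdr[off:off + size], "big")


def ipv4_header(flags_frag, total_len=1500, proto=17):
    """Constructed option-free IPv4 header: version/IHL 0x45, ID 0xbeef, TTL 64, zero checksum."""
    return (bytes([0x45, 0x00]) + total_len.to_bytes(2, "big") + b"\xbe\xef"
            + flags_frag.to_bytes(2, "big")            # ip[6:2]: flags (top 3 bits) + offset
            + bytes([64, proto, 0, 0])                  # ip[8] TTL, ip[9] proto, ip[10:2] checksum
            + bytes([192, 0, 2, 1]) + bytes([192, 0, 2, 2]))


def classify(ip_hdr):
    """Same decision as the parent table's three fragment filters, plus 'unfragmented'."""
    mf = ip_field(ip_hdr, 6) & 0x20 != 0              # (ip[6] & 0x20 != 0)
    offset = ip_field(ip_hdr, 6, 2) & 0x1FFF          # (ip[6:2] & 0x1fff)
    if mf and offset == 0:
        return "initial"
    if mf and offset != 0:
        return "intervening"
    if not mf and offset != 0:
        return "terminal"
    return "unfragmented"


def reassembled_end(ip_hdr):
    """Byte position just past this fragment's payload in the reassembled datagram.
    Anything above 65535 cannot be a valid IPv4 datagram."""
    ihl_bytes = (ip_field(ip_hdr, 0) & 0x0F) * 4      # ip[0] & 0x0f, in 4-octet words
    payload_len = ip_field(ip_hdr, 2, 2) - ihl_bytes  # ip[2:2] minus header
    offset_bytes = (ip_field(ip_hdr, 6, 2) & 0x1FFF) * 8
    return offset_bytes + payload_len


# Constructed samples: a 3000-byte UDP datagram split for a 1500-byte MTU, an unfragmented
# packet with DF set, and a terminal fragment whose offset pushes it past the IPv4 maximum.
SAMPLES = {
    "first":    ipv4_header(0x2000),                            # MF=1, offset 0
    "middle":   ipv4_header(0x2000 | 185),                      # MF=1, offset 185*8 = 1480
    "last":     ipv4_header(370, total_len=100),                # MF=0, offset 370*8 = 2960
    "whole":    ipv4_header(0x4000, total_len=84),              # DF=1, MF=0, offset 0
    "oversize": ipv4_header(8189, total_len=1500),              # MF=0, offset 8189*8 = 65512
}


if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:9s} {classify(hdr):13s} ends at byte {reassembled_end(hdr)}")
```

A capture filter cannot do the reassembly arithmetic, but the classification itself maps one-to-one onto the table's expressions, so the same three predicates can be pasted into tcpdump to pull each fragment class out of a live capture.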
