Common syntax
Functions supported by filters:
The display filter language (the syntax Wireshark uses) also provides the following functions:
upper(string-field) - converts the string to upper case
lower(string-field) - converts the string to lower case
upper() and lower() are useful when comparing strings whose case may vary. For example:
upper(ncp.nds_stream_name) contains "MACRO"
lower(mount.dump.hostname) == "angel"
Protocol field types
Every protocol field has a defined type. The types are:
unsigned integer (8, 16, 24 or 32 bits)
signed integer (8, 16, 24 or 32 bits)
Boolean
Ethernet address (6 bytes)
byte array
IPv4 address
IPv6 address
IPX network number
text string
double-precision floating point number
Integers can be written in three bases (decimal, octal, hexadecimal); the following three expressions are equivalent:
frame.pkt_len>10
frame.pkt_len>012
frame.pkt_len>0xa
Boolean values are written as 1 or 0.
Ethernet addresses (and byte arrays):
eth.dst eq ff:ff:ff:ff:ff:ff
aim.data == 0.1.0.d
fddi.src == aa-aa-aa-aa-aa-aa
echo.data == 7a
IPv4 addresses and hostnames:
ip.dst eq www.mit.edu
ip.src == 192.168.1.1
Examples (tcpdump/BPF capture filter syntax):
Traffic from or to a single IP address:
host 172.18.5.4
Traffic from or to an IP range:
net 192.168.0.0/24 or net 192.168.0.0 mask 255.255.255.0
Traffic from an IP range:
src net 192.168.0.0/24 or src net 192.168.0.0 mask 255.255.255.0
Traffic to an IP range:
dst net 192.168.0.0/24 or dst net 192.168.0.0 mask 255.255.255.0
Traffic on a given port:
port 53 (53 is DNS)
A port range:
(tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] > 1500 and tcp[2:2] < 1550)
or
tcp portrange 1501-1549
A given protocol, e.g. Ethernet type EAPOL, or ip:
ether proto 0x888e
ip
Destination is not a given Ethernet address:
not ether dst 01:80:c2:00:00:0e
Exclude broadcast and multicast traffic:
not broadcast and not multicast
Show HTTP GET requests on port 80:
port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420
"GET" in hex is 0x474554; with the trailing space, "GET " is the 4-byte value 0x47455420. (tcp[12:1] & 0xf0) >> 2 is the TCP data offset in bytes, so the 4-byte comparison starts at the first payload byte even when TCP options are present.
Bit-level filters

| IP filters | meaning |
|---|---|
| ip[0] & 0x0f | low nibble: header length in 4-octet words; should be 5 |
| ip[1] | type of service / QoS / DiffServ |
| ip[2:2] | total length of datagram in octets |
| ip[4:2] | IP ID number |
| ip[6] & 0x80 | reserved bit (possibly used for ECN) |
| ip[6] & 0x40 | DF bit |
| ip[6] & 0x20 | MF bit |
| ip[6:2] & 0x1fff | fragment offset (number of 8-octet blocks) |
| ip[8] | TTL |
| ip[9] | protocol |
| ip[10:2] | header checksum |
| ip[12:4] | source IP |
| ip[16:4] | destination IP |

| IP samples | meaning |
|---|---|
| (ip[12:4] = ip[16:4]) | src IP = dst IP (land attack) |
| ip[0] & 0xf0 | high nibble: IP version, almost always 4 |
| (ip[0] & 0xf0 != 0x40) | IP version != 4 |
| (ip[0:1] & 0x0f > 5) | IP with options set |
| (ip[19] = 0xff) | broadcasts to x.x.x.255 |
| (ip[19] = 0x00) | broadcasts to x.x.x.0 |
| (ip and ip[1] & 0xfc == 0xb8) | search for EF in DSCP |
| (ip and ip[1] & 0xfc == 0x28) | search for AF11 in DSCP |
| (ip and ip[1] & 0xfc != 0x00) | search for packets with DSCP != 0 |
| (ip[6] & 0x20 != 0) && (ip[6:2] & 0x1fff = 0) | initial fragments |
| (ip[6] & 0x20 != 0) && (ip[6:2] & 0x1fff != 0) | intervening fragments |
| (ip[6] & 0x20 = 0) && (ip[6:2] & 0x1fff != 0) | terminal fragments |
| (ip[0] & 0x0f) != 5 | has IP options (or is truncated, or is just some sort of freak...) |
| ip[8] < 5 | short TTL value |
| ip[6] = 32 | MF set |
| ip[2:2] > 999 | IP packet larger than 999 bytes |
| ICMP filters | meaning |
|---|---|
| icmp[0] | type |
| icmp[1] | code |
| icmp[2:2] | checksum |

| ICMP samples | meaning |
|---|---|
| icmp[0]=0x# | all packets with ICMP type # |
| icmp[0]=0x# and icmp[1]=0x# | all packets with ICMP type X and code Y |
| icmp[0]=8 | ICMP echo request messages |
| icmp[0]=0 | ICMP echo reply messages |
| icmp[0]=0x11 | ICMP address mask request |
| icmp[0]=0x12 | ICMP address mask reply |
| icmp[0]=11 and icmp[1]=0 | ICMP time exceeded (TTL exceeded in transit) |
| icmp[0]=3 and icmp[1]=4 | ICMP destination unreachable, fragmentation needed (type 3, code 4) |
| icmp[0]=8 and ip[2:2] > 64 | large ICMP echo request packets |
| TCP filters | meaning |
|---|---|
| tcp[0:2] | source port |
| tcp[2:2] | destination port |
| tcp[4:4] | sequence number |
| tcp[8:4] | ack number |
| tcp[12] | header length (data offset in the high nibble, in 4-octet words) |
| tcp[13] | tcp flags |
| | ---- --S- 0000 0010 = 0x02 normal syn |
| | ---A --S- 0001 0010 = 0x12 normal syn-ack |
| | ---A ---- 0001 0000 = 0x10 normal ack |
| | --UA P--- 0011 1000 = 0x38 psh-urg-ack; interactive stuff like ssh |
| | ---A -R-- 0001 0100 = 0x14 rst-ack; it happens |
| | ---- --SF 0000 0011 = 0x03 syn-fin scan |
| | --U- P--F 0010 1001 = 0x29 urg-psh-fin; nmap fingerprint packet |
| | -Y-- ---- 0100 0000 = 0x40 anything >= 0x40 has a reserved bit set |
| | XY-- ---- 1100 0000 = 0xC0 both reserved bits set |
| | XYUA PRSF 1111 1111 = 0xFF FULL_XMAS scan |
| tcp[14:2] | window size |
| tcp[16:2] | checksum |
| tcp[18:2] | urgent pointer |

| TCP samples | meaning |
|---|---|
| tcp[13] = 0x02 | is SYN, nothing else |
| (tcp[13] & 0x02) != 0 | contains SYN; we don't care what else |
| (tcp[13] & 0x03) = 3 | is some kind of SYN-FIN; really bad |
| | winnuke (not tested) |
| tcp[20:4] = 0x47455420 | GET in request (assumes a 20-byte TCP header with no options; the tcp[12]-based form in the examples above handles options) |
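As an added example (not part of the original page), the following Python reproduces the byte-offset arithmetic behind the port-80 GET filter in the examples above and several entries of the IP and TCP tables: it builds a constructed Ethernet/IPv4/TCP frame and evaluates each BPF expression the way libpcap does, including skipping IP options when indexing tcp[...]. The frame contents, addresses and rule set are constructed for illustration.

```python
import struct

# Build a constructed Ethernet/IPv4/TCP frame (sample data, not from a capture).
def build_frame(tcp_flags, payload=b"", ip_options=b"",
                src=b"\xc0\xa8\x01\x0a", dst=b"\x0a\x00\x00\x01"):
    ihl = 5 + len(ip_options) // 4                   # IP header length in 32-bit words
    total_len = ihl * 4 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0x1234,
                         0x4000, 64, 6, 0, src, dst) + ip_options   # 0x4000: DF set
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")      # dst, src, EtherType IPv4
    return eth + ip_hdr + tcp_hdr + payload

def ip(frame):
    return frame[14:]              # ip[N] counts from the first byte of the IP header

def tcp(frame):
    ihl_bytes = (ip(frame)[0] & 0x0f) * 4
    return ip(frame)[ihl_bytes:]   # tcp[N] counts from the TCP header; libpcap skips IP options

def http_get(frame):
    t = tcp(frame)
    off = (t[12] & 0xf0) >> 2      # data offset: high nibble in words, so (>>4)*4 == >>2
    return t[off:off + 4] == b"GET "   # 0x47455420; the fourth byte is the space

# Each entry mirrors one filter from the tables; the key is the BPF expression it reproduces.
RULES = {
    "(ip[0] & 0x0f) != 5": lambda f: (ip(f)[0] & 0x0f) != 5,           # has IP options
    "ip[12:4] = ip[16:4]": lambda f: ip(f)[12:16] == ip(f)[16:20],     # land attack
    "tcp[13] = 0x02": lambda f: tcp(f)[13] == 0x02,                    # SYN and nothing else
    "(tcp[13] & 0x02) != 0": lambda f: (tcp(f)[13] & 0x02) != 0,       # contains SYN
    "(tcp[13] & 0x03) = 3": lambda f: (tcp(f)[13] & 0x03) == 3,        # SYN-FIN
    "tcp[13] >= 0x40": lambda f: tcp(f)[13] >= 0x40,                   # reserved bit set
    "tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420": http_get,         # HTTP GET
}

def matching_rules(frame):
    return [expr for expr, pred in RULES.items() if pred(frame)]

if __name__ == "__main__":
    samples = {
        "syn": build_frame(0x02),
        "get (PSH-ACK, 4 NOP options)": build_frame(0x18, b"GET / HTTP/1.1\r\n", b"\x01\x01\x01\x01"),
        "syn-fin": build_frame(0x03),
        "land": build_frame(0x02, src=b"\x0a\x00\x00\x01"),
    }
    for name, frame in samples.items():
        print(name, "->", matching_rules(frame))
```

The GET sample carries four NOP options, which makes the fixed tcp[20:4] form fail while the data-offset form still matches.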
| UDP filters | meaning |
|---|---|
| udp[0:2] | source port |
| udp[2:2] | destination port |
| udp[4:2] | datagram length |
| udp[6:2] | UDP checksum |
| Protocols | meaning |
|---|---|
| ip[9] == 8 | EGP |
| ip[9] == 9 | IGP |
| ip[9] == 88 | EIGRP |
| ip[9] == 50 | ESP |
| ip[9] == 51 | AH |
| ip[9] == 89 | OSPF |
| ip[9] == 124 | ISIS |
| | other: see /etc/protocols |
| Routing protocols | meaning |
|---|---|
| (udp and port 520) or (host 224.0.0.9) | RIP 1 + 2 |
| tcp and port 179 | BGP |
| ip[9] == 8 | EGP |
| ip[9] == 9 | IGP |
| ip[9] == 88 | EIGRP |
| ip[9] == 89 | OSPF |
| ip[9] == 124 | ISIS |
| Ether filters | meaning |
|---|---|
| ether[20:2] == 0x2000 | CDP packets |
| ether[12:2] == 0x0806 | ARP packets |
| IPv6 | meaning |
|---|---|
| ip6 | filters native IPv6 traffic (including ICMPv6) |
| icmp6 | filters native ICMPv6 traffic |
| proto ipv6 | filters tunneled IPv6-in-IPv4 traffic |

| IPv6 TCP | meaning |
|---|---|
| ip6 and (ip6[6] == 0x06) | IPv6 TCP |
| ip6 and (ip6[6] == 0x06) and (ip6[53] == 0x02) | IPv6 TCP SYN |
| ip6 and (ip6[6] == 0x06) and (ip6[53] == 0x10) | IPv6 TCP ACK |
| ip6 and (ip6[6] == 0x06) and (ip6[53] == 0x12) | IPv6 TCP SYN/ACK |

| IPv6 UDP | meaning |
|---|---|
| ip6 and (ip6[6] == 0x11) | IPv6 UDP |

| IPv6 ICMP | meaning |
|---|---|
| (ip6[6] == 0x3a) | ICMPv6 |
| (ip6[6] == 0x3a) and (ip6[40] == 0x01) | ICMPv6 type 1 Destination Unreachable |
| (ip6[6] == 0x3a) and (ip6[40] == 0x02) | ICMPv6 type 2 Packet Too Big |
| (ip6[6] == 0x3a) and (ip6[40] == 0x03) | ICMPv6 type 3 Time Exceeded |
| (ip6[6] == 0x3a) and (ip6[40] == 0x04) | ICMPv6 type 4 Parameter Problem |
| (ip6[6] == 0x3a) and (ip6[40] == 0x80) | ICMPv6 type 128 Echo Request |
| (ip6[6] == 0x3a) and (ip6[40] == 0x81) | ICMPv6 type 129 Echo Reply |
| (ip6[6] == 0x3a) and (ip6[40] == 0x85) | ICMPv6 type 133 Router Solicitation |
| (ip6[6] == 0x3a) and (ip6[40] == 0x86) | ICMPv6 type 134 Router Advertisement |
| (ip6[6] == 0x3a) and (ip6[40] == 0x87) | ICMPv6 type 135 Neighbor Solicitation |
| (ip6[6] == 0x3a) and (ip6[40] == 0x88) | ICMPv6 type 136 Neighbor Advertisement |

ip6[6] is the Next Header field. The offsets 40 (ICMPv6 type) and 53 (TCP flags) assume no extension headers sit between the fixed 40-byte IPv6 header and the upper-layer header; with extension headers present these byte filters do not match.
| My filters | meaning |
|---|---|
| tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224' | IP broadcast or multicast packets that were not sent via Ethernet broadcast or multicast |