Reputation: 1
I am trying to create a filter in tcpdump that will allow me to examine TCP traffic on ports above 1024.
I came up with:
sudo tcpdump tcp portrange 1025-65535
but I'm not sure if there is a better way to create the filter.
For example, I tried looking for greater than and less than syntax for port ranges in tcpdump and BPF but haven't managed to find anything.
Upvotes: 0
Views: 808
Reputation: 9184
# tcpdump 'tcp[0:2] > 1024 or tcp[2:2] > 1024'
(Two bytes in TCP header at offset 0 are > 1024, or two bytes at offset 2 are > 1024.)
You can see the BPF filter produced with the -d option:
# tcpdump -d 'tcp[0:2] > 1024 or tcp[2:2] > 1024'
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 12
(002) ldb [23]
(003) jeq #0x6 jt 4 jf 12
(004) ldh [20]
(005) jset #0x1fff jt 12 jf 6
(006) ldxb 4*([14]&0xf)
(007) ldh [x + 14]
(008) jgt #0x400 jt 11 jf 9
(009) ldh [x + 16]
(010) jgt #0x400 jt 11 jf 12
(011) ret #262144
(012) ret #0
It is shorter than the one from the portrange version:
# tcpdump -d tcp portrange 1025-65535
(000) ldh [12]
(001) jeq #0x86dd jt 2 jf 9
(002) ldb [20]
(003) jeq #0x6 jt 4 jf 22
(004) ldh [54]
(005) jge #0x401 jt 6 jf 7
(006) jgt #0xffff jt 7 jf 21
(007) ldh [56]
(008) jge #0x401 jt 20 jf 22
(009) jeq #0x800 jt 10 jf 22
(010) ldb [23]
(011) jeq #0x6 jt 12 jf 22
(012) ldh [20]
(013) jset #0x1fff jt 22 jf 14
(014) ldxb 4*([14]&0xf)
(015) ldh [x + 14]
(016) jge #0x401 jt 17 jf 18
(017) jgt #0xffff jt 18 jf 21
(018) ldh [x + 16]
(019) jge #0x401 jt 20 jf 22
(020) jgt #0xffff jt 22 jf 21
(021) ret #262144
(022) ret #0
The reference for this syntax is the pcap-filter man page.
However, your version remains more readable.
Upvotes: 2
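The two `tcpdump -d` listings above are the real documentation of what each filter does, and reading them carefully shows two things the surface syntax hides: the `tcp[0:2]`/`tcp[2:2]` version only has an IPv4 branch (the single `jeq #0x800`), whereas `portrange` also compiles an IPv6 branch (`jeq #0x86dd`, ports read at the fixed offsets 54 and 56); and both IPv4 paths drop non-first fragments (`jset #0x1fff`) because those carry no TCP header. The following Python is an added example, not code from the question or the answer: it re-implements both compiled programs instruction by instruction and runs them over constructed Ethernet frames (test data, not captures), so the byte offsets and the IPv4/IPv6 difference can be checked without a live interface.

```python
"""Added example (not from the original question or answer): a Python
re-implementation of the two BPF programs printed by `tcpdump -d` above,
run over constructed Ethernet frames so the byte offsets in the filter
`tcp[0:2] > 1024 or tcp[2:2] > 1024` can be watched doing their work.
All frames are constructed test data, not captured traffic."""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
IPPROTO_TCP = 6


def tcp_ports(frame: bytes, allow_ipv6: bool):
    """Return (sport, dport) the way the compiled filters locate them, or None
    when the packet is rejected before the ports are ever read."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack_from("!H", frame, 12)[0]          # ldh [12]
    if ethertype == ETHERTYPE_IPV6 and allow_ipv6:
        # portrange version only: jeq #0x86dd; ldb [20] is the IPv6 Next Header.
        # Ports are read at the fixed offsets [54]/[56], i.e. right after the
        # 40-byte IPv6 header; there is no extension-header walk.
        if len(frame) < 58 or frame[20] != IPPROTO_TCP:
            return None
        return struct.unpack_from("!HH", frame, 54)
    if ethertype != ETHERTYPE_IPV4:
        return None                                              # jeq #0x800 fails
    if len(frame) < 34 or frame[23] != IPPROTO_TCP:
        return None                                              # ldb [23]; jeq #0x6
    if struct.unpack_from("!H", frame, 20)[0] & 0x1FFF:
        # ldh [20]; jset #0x1fff: a non-zero fragment offset means this is not
        # the first fragment, so it carries no TCP header -> reject.
        return None
    x = 4 * (frame[14] & 0x0F)                                   # ldxb 4*([14]&0xf): IHL
    if len(frame) < 14 + x + 4:
        return None
    return struct.unpack_from("!HH", frame, 14 + x)              # ldh [x+14], ldh [x+16]


def tcp_port_above_1024(frame: bytes) -> bool:
    """Filter from the answer: 'tcp[0:2] > 1024 or tcp[2:2] > 1024' (IPv4 only)."""
    ports = tcp_ports(frame, allow_ipv6=False)
    return ports is not None and (ports[0] > 1024 or ports[1] > 1024)   # jgt #0x400


def tcp_portrange_1025_65535(frame: bytes) -> bool:
    """Filter from the question: 'tcp portrange 1025-65535' (IPv4 and IPv6)."""
    ports = tcp_ports(frame, allow_ipv6=True)
    # jge #0x401 then jgt #0xffff: 1025 <= port <= 65535 for either port
    return ports is not None and any(1025 <= p <= 65535 for p in ports)


def build_frame(sport: int, dport: int, *, ethertype: int = ETHERTYPE_IPV4,
                proto: int = IPPROTO_TCP, ip_options: bytes = b"",
                frag_offset: int = 0) -> bytes:
    """Construct a minimal Ethernet/IP/TCP frame for the checks above
    (test data only; checksums are left zero because the filters ignore them)."""
    eth = b"\x00" * 12 + struct.pack("!H", ethertype)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    if ethertype == ETHERTYPE_IPV6:
        # version 6, payload length, next header, hop limit, then two zero addresses
        ip = struct.pack("!IHBB", 6 << 28, len(tcp), proto, 64) + b"\x00" * 32
    else:
        ihl = 5 + len(ip_options) // 4                            # header length in words
        ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0,
                         20 + len(ip_options) + len(tcp), 0, frag_offset & 0x1FFF,
                         64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    return eth + ip + tcp


if __name__ == "__main__":
    cases = {
        "ipv4 80->40000": build_frame(80, 40000),
        "ipv4 443->80": build_frame(443, 80),
        "ipv4 1024->1024 (boundary)": build_frame(1024, 1024),
        "ipv4 with 4-byte IP option": build_frame(80, 40000, ip_options=b"\x01" * 4),
        "ipv4 non-first fragment": build_frame(80, 40000, frag_offset=100),
        "ipv6 80->40000": build_frame(80, 40000, ethertype=ETHERTYPE_IPV6),
        "ipv4 udp 53->40000": build_frame(53, 40000, proto=17),
    }
    for name, frame in cases.items():
        print(f"{name:30} tcp[]: {tcp_port_above_1024(frame)!s:5} "
              f"portrange: {tcp_portrange_1025_65535(frame)}")
```

The "ipv6" and "IP option" cases are the ones worth running: the IPv6 frame is accepted by the `portrange` emulation and rejected by the `tcp[]` one, exactly as the two listings predict, and the frame with a 4-byte option shows why the compiled program computes `4*([14]&0xf)` instead of assuming a 20-byte IPv4 header. If you only care about IPv4 the shorter filter is fine; if IPv6 traffic matters on the capture interface, `portrange` is the one that actually sees it.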