86 lines
1.1 KiB
Markdown
86 lines
1.1 KiB
Markdown
|
# BPF Filters
|
||
|
|
|
||
|
|
* This is a collection of bpf and wireshark filters to find specific network situations.
|
||
|
|
|
||
|
|
## TCP Scans
|
||
|
|
|
||
|
|
* Recognize nmap scans in traffic
|
||
|
|
|
||
|
|
### TCP Connect Scan
|
||
|
|
|
||
|
|
* Has a TCP window size larger than 1024 bytes
|
||
|
|
|
||
|
|
Open TCP Port looks like
|
||
|
|
|
||
|
|
```sh
|
||
|
|
SYN -->
|
||
|
|
<-- SYN, ACK
|
||
|
|
ACK -->
|
||
|
|
```
|
||
|
|
|
||
|
|
or
|
||
|
|
|
||
|
|
```sh
|
||
|
|
SYN -->
|
||
|
|
<-- SYN,ACK
|
||
|
|
ACK -->
|
||
|
|
RST, ACK -->
|
||
|
|
```
|
||
|
|
|
||
|
|
Closed TCP Port
|
||
|
|
|
||
|
|
```sh
|
||
|
|
SYN -->
|
||
|
|
<-- RST, ACK
|
||
|
|
```
|
||
|
|
|
||
|
|
* Find TCP Connect scan pattern
|
||
|
|
```bpf
|
||
|
|
tcp.flags.syn == 1 and tcp.flags.ack==0 and tcp.window_size > 1024
|
||
|
|
```
|
||
|
|
|
||
|
|
### TCP Half Open SYN Scan
|
||
|
|
|
||
|
|
* Lower or equal to 1024 bytes windows size
|
||
|
|
|
||
|
|
Open TCP Port looks like
|
||
|
|
|
||
|
|
```sh
|
||
|
|
SYN -->
|
||
|
|
<-- SYN, ACK
|
||
|
|
RST -->
|
||
|
|
```
|
||
|
|
|
||
|
|
Closed TCP Port looks like
|
||
|
|
|
||
|
|
```sh
|
||
|
|
SYN -->
|
||
|
|
<-- RST, ACK
|
||
|
|
```
|
||
|
|
|
||
|
|
* Find half open SYN scan pattern
|
||
|
|
```bpf
|
||
|
|
tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size <=1024
|
||
|
|
```
|
||
|
|
|
||
|
|
## UDP Scans
|
||
|
|
|
||
|
|
Open UDP Port looks like
|
||
|
|
|
||
|
|
```sh
|
||
|
|
UDP packet -->
|
||
|
|
```
|
||
|
|
|
||
|
|
A closed UDP port is recognizable by an ICMP Type 3 reply
|
||
|
|
|
||
|
|
```sh
|
||
|
|
UDP packet -->
|
||
|
|
<-- ICMP Type 3
|
||
|
|
```
|
||
|
|
|
||
|
|
* Find UDP scan pattern with closed ports as a reply
|
||
|
|
```bpf
|
||
|
|
icmp.type==3 and icmp.code==3
|
||
|
|
```
|
||
|
|
|