From 19db24712b4f32673fc1b4a77d8fbd3c577e534d Mon Sep 17 00:00:00 2001
From: whx <stefan@stefan.works>
Date: Thu, 13 Oct 2022 23:50:05 +0200
Subject: [PATCH] added bpf filters

---
 misc/BPF Filter.md | 85 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 85 insertions(+)
 create mode 100644 misc/BPF Filter.md

diff --git a/misc/BPF Filter.md b/misc/BPF Filter.md
new file mode 100644
index 0000000..ed4b649
--- /dev/null
+++ b/misc/BPF Filter.md	
@@ -0,0 +1,85 @@
+# BPF Filters
+
+* This is a collection of bpf and wireshark filters to find specific network situations.
+
+## TCP Scans
+
+* Recognize nmap scans in traffic
+
+### TCP Connect Scan
+
+* Has a TCP window size larger than 1024 bytes
+
+Open TCP Port looks like
+
+```sh
+SYN -->
+<-- SYN, ACK
+ACK -->
+```
+
+or
+
+```sh
+SYN -->
+<-- SYN,ACK
+ACK -->
+RST, ACK -->
+```
+
+Closed TCP Port
+
+```sh
+SYN -->
+<-- RST, ACK
+```
+
+* Find TCP Connect scan pattern
+```bpf
+tcp.flags.syn == 1 and tcp.flags.ack==0 and tcp.window_size > 1024
+```
+
+### TCP Half Open SYN Scan
+
+* Lower or equal to 1024 bytes windows size
+
+Open TCP Port looks like
+
+```sh
+SYN -->
+<-- SYN, ACK
+RST -->
+```
+
+Closed TCP Port looks like
+
+```sh
+SYN -->
+<-- RST, ACK
+```
+
+* Find half open SYN scan pattern
+```bpf
+tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size <=1024
+```
+
+## UDP Scans 
+
+Open UDP Port looks like
+
+```sh
+UDP packet -->
+```
+
+A closed UDP port is recognizable by an ICMP Type 3 reply
+
+```sh
+UDP packet -->
+<-- ICMP Type 3
+```
+
+* Find UDP scan pattern with closed ports as a reply
+```bpf
+icmp.type==3 and icmp.code==3
+```
+