added bpf filters

misc/BPF Filter.md

@@ -0,0 +1,85 @@
+# BPF Filters
+
+* This is a collection of bpf and wireshark filters to find specific network situations.
+
+## TCP Scans
+
+* Recognize nmap scans in traffic
+
+### TCP Connect Scan
+
+* Has a TCP window size larger than 1024 bytes
+
+Open TCP Port looks like
+
+```sh
+SYN -->
+<-- SYN, ACK
+ACK -->
+```
+
+or
+
+```sh
+SYN -->
+<-- SYN,ACK
+ACK -->
+RST, ACK -->
+```
+
+Closed TCP Port
+
+```sh
+SYN -->
+<-- RST, ACK
+```
+
+* Find TCP Connect scan pattern
+```bpf
+tcp.flags.syn == 1 and tcp.flags.ack==0 and tcp.window_size > 1024
+```
+
+### TCP Half Open SYN Scan
+
+* Lower or equal to 1024 bytes windows size
+
+Open TCP Port looks like
+
+```sh
+SYN -->
+<-- SYN, ACK
+RST -->
+```
+
+Closed TCP Port looks like
+
+```sh
+SYN -->
+<-- RST, ACK
+```
+
+* Find half open SYN scan pattern
+```bpf
+tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size <=1024
+```
+
+## UDP Scans 
+
+Open UDP Port looks like
+
+```sh
+UDP packet -->
+```
+
+A closed UDP port is recognizable by an ICMP Type 3 reply
+
+```sh
+UDP packet -->
+<-- ICMP Type 3
+```
+
+* Find UDP scan pattern with closed ports as a reply
+```bpf
+icmp.type==3 and icmp.code==3
+```
+