# BPF Filters

* This is a collection of BPF and Wireshark filters to find specific network situations.
* Note on syntax: the expressions below (`tcp.flags.syn`, `tcp.window_size`, `icmp.type`, ...) are Wireshark display filters. They work in Wireshark and tshark, but they are not BPF capture-filter syntax, so tcpdump will not accept them as written.

## TCP Scans

* Recognize nmap scans in traffic.
* The window-size thresholds used below are a heuristic, not a protocol rule: nmap's raw-socket SYN probes advertise a small window (1024 bytes), whereas a connect scan lets the OS TCP stack build the SYN, and real stacks advertise a much larger window (for example 64240 on Linux, 65535 on many others). Other tools or tuned stacks can break the heuristic, so confirm with the handshake pattern, not the window alone.

### TCP Connect Scan

* The SYN is generated by the scanner's OS, so it has a TCP window size larger than 1024 bytes.

Open TCP port looks like:

```sh
SYN -->
<-- SYN, ACK
ACK -->
```

or, when the scanner tears the connection down right after the handshake:

```sh
SYN -->
<-- SYN, ACK
ACK -->
RST, ACK -->
```

Closed TCP port:

```sh
SYN -->
<-- RST, ACK
```

* Find the TCP Connect scan pattern (bare SYNs from a full TCP stack):

```bpf
tcp.flags.syn == 1 and tcp.flags.ack == 0 and tcp.window_size > 1024
```

### TCP Half Open SYN Scan

* Window size lower than or equal to 1024 bytes, because nmap crafts the SYN itself instead of using the OS stack.

Open TCP port looks like (nmap never completes the handshake, it answers the SYN/ACK with a bare RST):

```sh
SYN -->
<-- SYN, ACK
RST -->
```

Closed TCP port looks like:

```sh
SYN -->
<-- RST, ACK
```

* Find the half open SYN scan pattern:

```bpf
tcp.flags.syn == 1 and tcp.flags.ack == 0 and tcp.window_size <= 1024
```

## UDP Scans

Open UDP port looks like a probe with no transport-level answer (some services reply with an application-layer datagram; if nothing comes back nmap reports the port as `open|filtered`, because a silently dropped probe looks the same):

```sh
UDP packet -->
```

A closed UDP port is recognizable by an ICMP Type 3, Code 3 (Destination Unreachable, Port Unreachable) reply:

```sh
UDP packet -->
<-- ICMP Type 3, Code 3
```

* Find the UDP scan pattern by looking for closed ports as a reply. Expect far fewer ICMP replies than probes: most stacks rate-limit ICMP unreachables (Linux defaults to roughly one per second), which is also why UDP scans are slow.

```bpf
icmp.type == 3 and icmp.code == 3
```
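The three display filters above all reduce to a handful of byte offsets in the TCP and ICMP headers, which is also what a real BPF capture filter tests. The following script is an added example, not part of the original filter collection: it parses raw IPv4 packets, applies the same three conditions at the byte level, and tallies matches per source address. The packets it runs on are constructed inline with `struct` (the addresses 10.0.0.9 and 10.0.0.2, the port numbers and the label names are arbitrary choices for the example); no capture file or network access is needed.

```python
"""Byte-level equivalent of the Wireshark display filters for nmap scan patterns."""
import struct
from collections import Counter, defaultdict
from typing import Dict, List, Optional

IP_PROTO_ICMP, IP_PROTO_TCP, IP_PROTO_UDP = 1, 6, 17
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10
WINDOW_THRESHOLD = 1024  # the page's heuristic boundary between SYN scan and connect scan


def _ip(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4(proto: int, payload: bytes, src: str, dst: str) -> bytes:
    """Minimal IPv4 header (no options, zero checksum) in front of a layer-4 payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         0x4000, 64, proto, 0, _ip(src), _ip(dst))
    return header + payload


def build_tcp(flags: int, window: int, sport: int = 40000, dport: int = 80) -> bytes:
    """20-byte TCP header: data offset 5, checksum left zero (these bytes never hit the wire)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, window, 0, 0)


def build_icmp(icmp_type: int, code: int) -> bytes:
    """8-byte ICMP header (type, code, checksum, unused); the quoted IP header is omitted."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0)


def classify(pkt: bytes) -> Optional[str]:
    """Apply the page's three filters to one raw IPv4 packet; None when nothing matches."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    l4 = pkt[ihl:]
    if proto == IP_PROTO_TCP and len(l4) >= 20:
        flags = l4[13]                               # tcp.flags       (tcpdump: tcp[13])
        window = struct.unpack("!H", l4[14:16])[0]   # tcp.window_size (tcpdump: tcp[14:2])
        # tcp.flags.syn == 1 and tcp.flags.ack == 0: a bare SYN, i.e. the probe itself.
        # No window scaling is in effect on a SYN, so the raw field equals tcp.window_size.
        if flags & TCP_SYN and not flags & TCP_ACK:
            return "connect-scan-probe" if window > WINDOW_THRESHOLD else "syn-scan-probe"
        return None
    if proto == IP_PROTO_ICMP and len(l4) >= 8:
        # icmp.type == 3 and icmp.code == 3: destination unreachable, port unreachable
        if l4[0] == 3 and l4[1] == 3:
            return "udp-closed-port-reply"
    return None


def summarize(packets: List[bytes]) -> Dict[str, Dict[str, int]]:
    """Count matches per source address, the pivot an analyst would make in Wireshark."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for pkt in packets:
        label = classify(pkt)
        if label is not None:
            src = ".".join(str(b) for b in pkt[12:16])
            counts[src][label] += 1
    return {src: dict(c) for src, c in counts.items()}


# Constructed sample traffic (not a real capture): scanner 10.0.0.9, target 10.0.0.2.
SCANNER, TARGET = "10.0.0.9", "10.0.0.2"
SAMPLE_PACKETS = [
    # nmap -sS style raw probes: bare SYN with window 1024 to three ports
    build_ipv4(IP_PROTO_TCP, build_tcp(TCP_SYN, 1024, dport=22), SCANNER, TARGET),
    build_ipv4(IP_PROTO_TCP, build_tcp(TCP_SYN, 1024, dport=80), SCANNER, TARGET),
    build_ipv4(IP_PROTO_TCP, build_tcp(TCP_SYN, 1024, dport=443), SCANNER, TARGET),
    # the open port answers SYN/ACK; the scanner tears down with a bare RST (half open)
    build_ipv4(IP_PROTO_TCP, build_tcp(TCP_SYN | TCP_ACK, 65535, 22, 40000), TARGET, SCANNER),
    build_ipv4(IP_PROTO_TCP, build_tcp(TCP_RST, 0, dport=22), SCANNER, TARGET),
    # a closed port answers RST/ACK
    build_ipv4(IP_PROTO_TCP, build_tcp(TCP_RST | TCP_ACK, 0, 80, 40000), TARGET, SCANNER),
    # nmap -sT style probe: SYN built by the OS stack, typical Linux window 64240
    build_ipv4(IP_PROTO_TCP, build_tcp(TCP_SYN, 64240, dport=8080), SCANNER, TARGET),
    # UDP probe to a closed port and the ICMP port unreachable it draws
    build_ipv4(IP_PROTO_UDP, struct.pack("!HHHH", 40001, 161, 8, 0), SCANNER, TARGET),
    build_ipv4(IP_PROTO_ICMP, build_icmp(3, 3), TARGET, SCANNER),
    # ICMP host unreachable (code 1) must not match the UDP scan filter
    build_ipv4(IP_PROTO_ICMP, build_icmp(3, 1), TARGET, SCANNER),
]

if __name__ == "__main__":
    for src, labels in summarize(SAMPLE_PACKETS).items():
        print(src, labels)
```

The same offsets give the real BPF capture filters (my translation, in pcap-filter syntax): `tcp[13] & 0x12 == 0x02 and tcp[14:2] > 1024` for the connect-scan probes, `tcp[13] & 0x12 == 0x02 and tcp[14:2] <= 1024` for the SYN-scan probes, and `icmp[0] == 3 and icmp[1] == 3` for the port-unreachable replies; these can be handed to `tcpdump` directly, unlike the display filters on the page. Note that `classify` labels individual probes only; the summary counts are what expose a scan, since one bare SYN is normal and a hundred of them from one source to many ports is not.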