BPF Filters
- A collection of BPF and Wireshark filters for finding specific network situations.
TCP Scans
- Recognize nmap scans in traffic
TCP Connect Scan
- Probes have a TCP window size larger than 1024 bytes
Open TCP Port looks like
SYN -->
<-- SYN, ACK
ACK -->
or
SYN -->
<-- SYN, ACK
ACK -->
RST, ACK -->
Closed TCP Port looks like
SYN -->
<-- RST, ACK
- Find TCP Connect scan pattern
tcp.flags.syn == 1 and tcp.flags.ack == 0 and tcp.window_size > 1024
TCP Half Open SYN Scan
- Probes have a TCP window size lower than or equal to 1024 bytes
Open TCP Port looks like
SYN -->
<-- SYN, ACK
RST -->
Closed TCP Port looks like
SYN -->
<-- RST, ACK
- Find half open SYN scan pattern
tcp.flags.syn == 1 and tcp.flags.ack == 0 and tcp.window_size <= 1024
UDP Scans
Open UDP Port looks like
UDP packet --> (no reply)
Closed UDP Port looks like (recognizable by the ICMP Type 3, Destination Unreachable, reply)
UDP packet -->
<-- ICMP Type 3
- Find UDP scan pattern via closed-port replies (Type 3, Code 3: port unreachable)
icmp.type == 3 and icmp.code == 3
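The three filters above (connect scan, half-open SYN scan, UDP closed-port reply) applied to raw TCP and ICMP headers, as an added example that is not part of the original collection. The header builders and the sample traffic are constructed here for illustration; the field offsets are the standard TCP and ICMP header layouts.

```python
import struct
from collections import Counter

# TCP flag bits in the 16-bit data-offset/flags word (the field behind Wireshark's tcp.flags.*)
TCP_SYN, TCP_RST, TCP_ACK = 0x002, 0x004, 0x010

def build_tcp_header(sport, dport, flags, window):
    """Constructed 20-byte TCP header: data offset 5, no options, seq/ack/checksum zeroed."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, window, 0, 0)

def build_icmp_header(icmp_type, code):
    """Constructed 8-byte ICMP header with checksum and rest-of-header zeroed."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0)

def classify_tcp(tcp_header):
    """Apply the page's two TCP filters: returns 'connect', 'half_open_syn' or None."""
    offset_flags, window = struct.unpack("!HH", tcp_header[12:16])
    flags = offset_flags & 0x01FF                    # low 9 bits hold NS + the 8 classic flags
    if not (flags & TCP_SYN) or (flags & TCP_ACK):   # tcp.flags.syn == 1 and tcp.flags.ack == 0
        return None
    return "connect" if window > 1024 else "half_open_syn"   # tcp.window_size split at 1024

def is_udp_closed_reply(icmp_header):
    """icmp.type == 3 and icmp.code == 3: destination unreachable, port unreachable."""
    return icmp_header[0] == 3 and icmp_header[1] == 3

def tally(packets):
    """Count filter hits over (protocol, raw_header) pairs, e.g. decoded from a pcap."""
    counts = Counter()
    for proto, header in packets:
        if proto == "tcp" and (hit := classify_tcp(header)):
            counts[hit] += 1
        elif proto == "icmp" and is_udp_closed_reply(header):
            counts["udp_closed_reply"] += 1
    return counts

# Constructed sample traffic: two OS-stack SYNs (window 64240), three raw SYNs (window 1024),
# a SYN/ACK and an RST/ACK reply, and two ICMP port-unreachable replies.
SAMPLE_PACKETS = [
    ("tcp", build_tcp_header(40001, 22, TCP_SYN, 64240)),
    ("tcp", build_tcp_header(40002, 80, TCP_SYN, 64240)),
    ("tcp", build_tcp_header(22, 40001, TCP_SYN | TCP_ACK, 65535)),  # reply, not a probe
    ("tcp", build_tcp_header(50001, 443, TCP_SYN, 1024)),
    ("tcp", build_tcp_header(50002, 445, TCP_SYN, 1024)),
    ("tcp", build_tcp_header(50003, 3389, TCP_SYN, 1024)),
    ("tcp", build_tcp_header(443, 50001, TCP_RST | TCP_ACK, 0)),     # reply, not a probe
    ("icmp", build_icmp_header(3, 3)),
    ("icmp", build_icmp_header(3, 3)),
]
```

Running `tally(SAMPLE_PACKETS)` on the constructed traffic yields two connect-scan probes, three half-open probes and two UDP closed-port replies; the SYN/ACK and RST/ACK replies match neither TCP filter because their ACK bit is set.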