了解Tcpdump过滤器&位屏蔽 [英] Understanding Tcpdump filter & bit-masking
问题描述
我正在尝试使用tcpdump嗅探http标头.
I am trying to sniff the http headers by using tcpdump.
此过滤器效果很好,但我听不懂-
This filter works well but I can't understand it -
(((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)
我已经对其进行了搜索,但找不到任何有用的信息
I've googled it but I can't find any useful info
这是整个tcpdump命令
Here is the whole tcpdump command
sudo tcpdump -A 'dst [dest host] or src [src host] and tcp and
(((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' -i eth0
推荐答案
获取HTTP标头的不是BPF过滤器,而是tcpdump命令上的"-A"开关.
It's not the BPF filter that gets http headers but the "-A" switch on your tcpdump command.
您的tcpdump命令在eth0上查找到特定目的地或特定来源的tcp流量,其中最终的BPF过滤器涉及到计算得出的总和不为零.使用"-A"选项,它将以ASCII减去其链接级别标题输出每个数据包.
Your tcpdump command looks for tcp traffic to certain destination or from a certain source on eth0 where the final BPF filter involves a calculation that results in a non-zero total. With the "-A" option, it prints each packet in ASCII minus its link level header.
我已经在下面说明了计算方法,但是我认为实际过滤器中可能存在一些问题,可能是通过复制和粘贴来实现的.在tcpdump中使用这些过滤器时,将使用tcp位掩码,通常在检查不属于字节边界的字段时使用
I've explained the calculation below but I believe there's some issues in the actual filter, possibly through copying and pasting. When you use these filters in tcpdump, you're using tcp bit-masking, which is typically used when examining fields that do not fall on byte boundaries
-
ip[2:2]指IP头中的两个字节(即第3个和第4个字节),从字节2开始(请记住,它从偏移量0开始).该总数代表IP数据包的总长度,最大长度为65535字节.
ip[2:2]refers to the two bytes (i.e. 3rd & 4th bytes) in the IP header, beginning at byte 2 (remember it starts at offset 0). This total represents the total length of the IP packet which can be a maximum of 65535 bytes.
为清楚起见,在此为位掩码,我已经在前面加上了'0',因此掩码0xf变为0x0f.根据下面的盖伊·哈里斯(GuyHarris)的评论,掩码中的前导"0"被删除.
For the bitmask here, for clarity, I've pre-pended a '0' so mask 0xf becomes 0x0f. The leading '0' on the mask is dropped as per the comment from GuyHarris below.
-
ip[0]&0x0f指IP头中字节0的后半部分(即第一个字节),这将为您提供32位字的IP头长度,因此,通常乘以4进行这样的计算.
ip[0]&0x0frefers to the second half of byte 0 (i.e. the 1st byte) in the IP header, which will give you the IP header length in 32 bit words and as such, this is typically multiplied by 4 for such a calculation.
tcp[12]&0xf0)指字节12的前半部分(即第11个字节),它是数据偏移字段,它以32位字指定TCP报头的大小,因此,这是通常会乘以4进行这种计算.
tcp[12]&0xf0) refers to the first half of byte 12 (i.e. the 11th byte), which is the data offset field, which specifies the size of the TCP header in 32-bit words and as such, this is typically multiplied by 4 for such a calculation.
您需要将最后2个长度乘以4,因为它们是32位/4字节字,因此需要转换为总字节数才能正确计算
You need to multiply the last 2 lengths by 4 because they are 32 bit/4 byte words and so need be translated to a total in bytes for the calculation to be correct
您的过滤器应进行计算:
Your filter should be calculating:
- IP数据包长度(以字节为单位)-IP标头长度-TCP标头长度
并希望该值为零,即类似这样的
and looking for that value to be zero, i.e. something like this
sudo tcpdump -A -nnpi eth0 '(ip[2:2] - ((ip[0]&0x0f)*4) - ((tcp[12]&0xf0)*4) != 0)'
当执行减法运算时,您正在寻找一个非零的总数.这个非零总数表示在第4层以上有数据,即tcp有效负载中的数据,通常是应用程序流量.
When you perform the subtraction, you're looking for a non-zero total. This non-zero total means that there's data above layer 4, i.e. data in the tcp payload, typically application traffic.
您可能还想添加port 80,前提是大多数http通信是通过端口80进行的.
You may also want to add port 80 assuming most http traffic is over port 80.
安全人员通常使用这种过滤器来检测SYN上的数据,这是不正常的,但根据RFC,这是允许的.所以整个事情看起来像-
Such a filter is commonly used by security folk to detect data on a SYN, which is not normal but according to the RFCs, it is allowed. so the whole thing would look something like -
'tcp[13]=0x02 and (ip[2:2] - ((ip[0]&0x0f)*4) - ((tcp[12]&0xf0)*4) != 0)'
TCPIPGuide 是关于TCP/IP btw的非常好的免费在线指南.
TCPIPGuide is a very good, free online guide on TCP/IP btw.
已更新:根据盖伊·哈里斯(Guy Harris)的更新,修改位掩码上的前导零"部分.
Updated: Modify the 'leading zero' section on the bitmask as per the update from Guy Harris.
这篇关于了解Tcpdump过滤器&位屏蔽的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
