linuxnetwork-programmingpacket-snifferstcpdumpsniffing

Understanding Tcpdump filter & bit-masking


I am trying to sniff the http headers by using tcpdump.

This filter works well but I can't understand it -

(((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)

I've googled it but I can't find any useful info

Here is the whole tcpdump command

sudo tcpdump -A 'dst [dest host] or src [src host]  and tcp  and 
(((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' -i eth0

Solution

  • It's not the BPF filter that gets http headers but the "-A" switch on your tcpdump command.

    Your tcpdump command looks for tcp traffic to certain destination or from a certain source on eth0 where the final BPF filter involves a calculation that results in a non-zero total. With the "-A" option, it prints each packet in ASCII minus its link level header.

    I've explained the calculation below but I believe there's some issues in the actual filter, possibly through copying and pasting. When you use these filters in tcpdump, you're using tcp bit-masking, which is typically used when examining fields that do not fall on byte boundaries

    For the bitmask here, for clarity, I've pre-pended a '0' so mask 0xf becomes 0x0f. The leading '0' on the mask is dropped as per the comment from GuyHarris below.

    You need to multiply the last 2 lengths by 4 because they are 32 bit/4 byte words and so need be translated to a total in bytes for the calculation to be correct

    Your filter should be calculating:

    and looking for that value to be zero, i.e. something like this

    sudo tcpdump -A -nnpi eth0 '(ip[2:2] - ((ip[0]&0x0f)*4) - ((tcp[12]&0xf0)*4) != 0)'

    When you perform the subtraction, you're looking for a non-zero total. This non-zero total means that there's data above layer 4, i.e. data in the tcp payload, typically application traffic.

    You may also want to add port 80 assuming most http traffic is over port 80.

    Such a filter is commonly used by security folk to detect data on a SYN, which is not normal but according to the RFCs, it is allowed. so the whole thing would look something like -

    'tcp[13]=0x02 and (ip[2:2] - ((ip[0]&0x0f)*4) - ((tcp[12]&0xf0)*4) != 0)'

    TCPIPGuide is a very good, free online guide on TCP/IP btw.

    Updated: Modify the 'leading zero' section on the bitmask as per the update from Guy Harris.