
Thread: Ethereal expressions - help

  1. #1
    Senior Member
    Join Date
    Mar 2003
    Posts
    372

    Ethereal expressions - help

    I wasn't real sure where to drop this thread, so for now I'm going to put it here in Miscellaneous Security.

    Anyway, I use Ethereal a lot but I don't use advanced filtering techniques as usually I'm not capturing thousands of packets. That has recently changed, due to a bug/security issue I'm having to research. My captures are winding up in the tens of thousands of packets, most of which I don't need to see for what I'm researching. What I'm looking to do is filter out TCP [PSH, ACK] packets with a Len=81 or Len=162 which are the packets that I'm interested in.

    I can't figure out how to create an expression that shows me just those packets. I'm sure it is something pretty easy that I'm overlooking, but I have been banging my head for the past couple of days on this and I don't have a lot of time to play around trying to create this stuff (too many other projects breathing down my neck). So I hope someone here on AO has an idea of what I need to do for this expression/filter.

    If you need further information to create this expression/filter please let me know. Thanks in advance guys

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

  2. #2
    Banned
    Join Date
    Nov 2005
    Posts
    62
    tcp.len==81 || tcp.len==162

  3. #3
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    Thanks csl that is exactly what I was looking for. I didn't know the || join and that is where I was hitting the wall.

    Like I said, something pretty easy I was overlooking. Thanks a lot!

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

  4. #4
    Senior Member
    Join Date
    Jun 2003
    Posts
    188
    As for length, use '(( ip[2:2] >= 81 ) or ( ip[2:2] <= 162) )'

    For ACK and PSH:

    '(tcp[tcpflags] & (tcp-push|tcp-ack)!= 0)'

    The whole thing becomes

    '((ip[2:2]>=81) or (ip[2:2]<=162)) and (tcp[tcpflags] & (tcp-push|tcp-ack)!= 0)'

  5. #5
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    Ohh, warl0ck7, I can see how that one would be helpful too... especially if I have packets that are the same size as the PSH, ACK packets that I'm looking for.

    But why use ((ip[2:2]>=81) or (ip[2:2]>=162)) instead of tcp.len==81||tcp.len==162 as suggested by csl?

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

  6. #6
    Banned
    Join Date
    Nov 2005
    Posts
    62
    (tcp.flags.syn || tcp.flags.ack) && (tcp.len==81 || tcp.len==162) works as well

  7. #7
    Senior Member
    Join Date
    Jun 2003
    Posts
    188
    Wrong actually, tcp.len gives the length of the TCP payload and not of the whole packet.
    For the whole packet length you need ip[2:2]. Also, using tcp.len gives me a parse error (??).

  8. #8
    Banned
    Join Date
    Nov 2005
    Posts
    62
    Field name:  tcp.len
    Type:        Unsigned 32-bit integer
    Description: TCP Segment Len
    Versions:    0.9.4 to 0.10.13
    http://www.ethereal.com/docs/dfref/t/tcp.htm

    Indeed, what was I thinking? Oh well, oops... change tcp.len to (tcp.len+tcp.hdr_len)
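The values the thread's filters compare (the display-filter fields tcp.len and tcp.hdr_len, the BPF byte offset ip[2:2], and the PSH/ACK flag bits) can be read straight from a packet's headers. The following is an added example, not code from the thread or from Ethereal: it builds a constructed IPv4+TCP packet, extracts those values, and applies the original poster's stated criterion (PSH and ACK set, payload length 81 or 162). The names build_packet, fields and matches are chosen here.

```python
import struct

PSH, ACK = 0x08, 0x10  # TCP flag bits (tcp-push / tcp-ack in BPF syntax)


def build_packet(payload_len, flags, tcp_hdr_len=20):
    """Construct a minimal IPv4 + TCP packet (constructed sample, not a real capture)."""
    ip_hdr_len = 20
    total = ip_hdr_len + tcp_hdr_len + payload_len  # IPv4 Total Length = ip[2:2]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    offset_byte = (tcp_hdr_len // 4) << 4          # data offset in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, offset_byte, flags, 8192, 0, 0)
    tcp += b"\x01" * (tcp_hdr_len - 20)             # NOP padding when options are present
    return ip + tcp + b"A" * payload_len


def fields(pkt):
    """Return the quantities the thread discusses: ip[2:2], tcp.hdr_len, tcp.len, flags."""
    ip_hdr_len = (pkt[0] & 0x0F) * 4
    ip_total_len = struct.unpack("!H", pkt[2:4])[0]    # BPF ip[2:2]: whole IP packet
    tcp = pkt[ip_hdr_len:]
    tcp_hdr_len = (tcp[12] >> 4) * 4                    # display filter tcp.hdr_len
    tcp_len = ip_total_len - ip_hdr_len - tcp_hdr_len   # display filter tcp.len (payload only)
    return {"ip_total_len": ip_total_len, "tcp_hdr_len": tcp_hdr_len,
            "tcp_len": tcp_len, "flags": tcp[13]}


def matches(pkt, wanted=(81, 162)):
    """The original poster's criterion: PSH and ACK both set, payload length in `wanted`."""
    f = fields(pkt)
    return (f["flags"] & (PSH | ACK)) == (PSH | ACK) and f["tcp_len"] in wanted
```

Comparing fields(pkt)["ip_total_len"] with fields(pkt)["tcp_len"] on the same packet shows why a filter on ip[2:2] and a filter on tcp.len select different packets, and why adding tcp.hdr_len still leaves the IP header out.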
