Wireshark study notes (3): structured/compound capture filters
2016-07-30 21:02
For more material and examples on structured capture filters, see the following links:
(1)http://www.packetlevel.ch/html/txt/tcpdump.filters
(2)http://www.packetlevel.ch/html/tcpdumpf.html
Note the difference between capture filters and display filters:
1) A capture filter is configured before capture starts
==> Wireshark captures only the packets that match the capture filter rule
2) A display filter is configured after capture
==> the capture is already complete; the filter only controls which of the captured packets are shown
Capture filters can be written at the following layers:
(1) layer 1 (network interface) filters,
(2) layer 2 (Ethernet, i.e. MAC device) filters,
(3) layer 3 (IP) filters
(4) layer 4 (TCP/UDP etc.) filters
A structured capture filter is a compound capture filter:
a filter that "joins" several capture filters together with the operators not, and, or (or equivalently !, &&, ||).
Later posts will describe each of these filter layers in detail.
The content of link (1) is given below:
# A collection of tcpdump filters.
# [[shells might require escaping of special characters]]
# ==
# This document: http://www.rdrs.net/document/
# Related: http://www.rdrs.net/snippets/src/pcap_example.c
# Last update: Tue Dec 28, 2004
# ==
# If you have tips, suggestions or additional filters
# that haven't been listed here, drop me a short note.
# Address info can be found at http://www.rdrs.net/about.html
#
# Thnkx..
#
#######
# TCP
#

# filter ssh (payload starts with "SSH-1." or "SSH-2.")
tcp[(tcp[12]>>2):4] = 0x5353482D && (tcp[((tcp[12]>>2)+4):2] = 0x312E || \
  tcp[((tcp[12]>>2)+4):2] = 0x322E)

# filter "combine" rlogin
(tcp[(ip[2:2]-((ip[0]&0x0f)<<2))-1]=0) && \
  ((ip[2:2]-((ip[0]&0x0f)<<2) - (tcp[12]>>2)) != 0) && \
  ((ip[2:2]-((ip[0]&0x0f)<<2) - (tcp[12]>>2)) <= 128)

# filter ftp ("220-" or "220 " banner)
tcp[(tcp[12]>>2):4] = 0x3232302d || tcp[(tcp[12]>>2):4] = 0x32323020

# URG set and ACK not set
tcp[13] & 0x30 = 0x20

# IMAP service exploit
tcp && (tcp[13] & 2 != 0) && (dst port 143)

# filter root backdoor ("# " prompt as the only payload)
tcp[(tcp[12]>>2):2] = 0x2320 && \
  (ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) == 2

# RST set and FIN set
tcp[13] & 0x05 = 5

# filter out napster
((ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) = 4 && \
  tcp[(tcp[12]>>2):4] = 0x53454e44) || \
  ((ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) = 3 && \
  tcp[(tcp[12]>>2):2] = 0x4745 && tcp[(tcp[12]>>2)+2]=0x54)

# telnet
tcp[2:2] = 23

# again telnet but better... (telnet IAC command bytes 0xff 0xfb-0xfe)
(tcp[(tcp[12]>>2):2] > 0xfffa) && (tcp[(tcp[12]>>2):2] < 0xffff)

# attempted ftp connection to other hosts on the network than the ftp server
# (network address fixed to a proper /22 boundary; libpcap rejects non-network bits)
dst net 82.48.8.0/22 && dst port 21 \
  && (tcp[13] & 0x3f = 2) && !(dst host ftp.bla.org)

# attempts to include data on the initial SYN.
tcp[13] & 0xff = 2 && \
  (ip[2:2] - ((ip[0] & 0x0f) * 4) - ((tcp[12] & 0xf0) / 4)) != 0

# active open (syn set without ack)
(tcp[13] & 0x12 < 16)

# winnuke DOS attack
(tcp[2:2] = 139) && (tcp[13] & 0x20 != 0) && (tcp[19] & 0x01 = 1)

# destination port less than 1024
tcp[2:2] < 1024

# SYN set and FIN set
tcp[13] & 0x03 = 3

# one of the reserved bits of tcp[13] is set
tcp[13] & 0xc0 != 0

# DNS zone transfer
tcp && dst port 53

# active open connection, syn is set, ack is not
tcp[13] & 0x12 = 2

# X11 ports
(tcp[2:2] >= 6000) && (tcp[2:2] < 7000)

# TCP port 6667 with ACK flag set and payload starting at byte 12
# that does not include the asciiwords "PING", "PONG", "JOIN", or "QUIT".
# (fixed: ACK test was "& 0x10 = 1", which never matches, and the four
#  "not" terms were joined with ||, which is always true; && is intended)
(tcp[13] & 0x10 != 0) && (tcp[0:2]=6667 || tcp[2:2]=6667) \
  && (not ip[32:4] = 1346981447 && not ip[32:4] = 1347374663 \
  && not ip[32:4] = 1246710094 && not ip[32:4] = 1364543828)

# except ack push
(tcp[13] & 0xe7) != 0

# all packets with the PUSH flag set
tcp[13] & 8 != 0

# all packets with the RST flag set
tcp[13] & 4 != 0

# filter out gnutella ("GNUTELLA ")
tcp[(tcp[12]>>2):4] = 0x474e5554 && \
  tcp[(4+(tcp[12]>>2)):4] = 0x454c4c41 && tcp[8+(tcp[12]>>2)] = 0x20

# catch default hping 2 pings
tcp[3] = 0 && tcp[13] = 0

# FIN set and ACK not set
tcp[13] & 0x11 = 1

# null scan filter with no flags set
tcp[13] = 0
# could also be written as
tcp[13] & 0xff = 0

# no flags set, null packet
tcp[13] & 0x3f = 0

# syn-fin
tcp[13] = 3

# syn-fin both flags set
(tcp[13] & 0x03) = 3

# only syn..
(tcp[13] & 0x02) != 0

# reserved bits set (fixed: original read tcp[14], which is the window field)
tcp[13] >= 64

# incoming http requests (fixed: "ip dst" is not valid syntax, use "dst host")
(tcp[13:1]&18 = 2) && (port 80) && (dst host 192.168.1.40)

# broadcasts x.x.x.255
ip[19] = 0xff

# broadcasts x.x.x.0
ip[19] = 0x00

# Incoming SYN packets
tcp && (tcp[13] & 0x02 != 0) && \
  (tcp[13] & 0x10 = 0) && (not dst port 53) && \
  (not dst port 80) && (not dst port 25) && (not dst port 21)

# SMB
dst port 139 && tcp[13:1] & 18 = 2

# ACK flag set, ack value is ZERO. Not normal for three-way handshake.
# Possible capture of NMAP(1) os fingerprinting.
tcp[13] & 0xff = 0x10 && tcp[8:4] = 0

# high-order reserved bits should be ZERO. NMAP(1) sometimes sets the
# bit that is in the 64 position for os fingerprinting.
tcp[13] >= 64

# SYN set and RST set
tcp[13] & 0x06 = 6

# PSH set and ACK not set
tcp[13] & 0x18 = 8

# Some filters combined for a general [catch [[bad]] events filter]
(tcp && (tcp[13] & 3 != 0) && ((dst port 143) || \
  (dst port 111) || (tcp[13] & 3 != 0 && tcp[13] & 0x10 = 0 && \
  dst net 172.16 && dst port 1080) || \
  (dst port 512 || dst port 513 || dst port 514) || \
  ((ip[19] = 0xff) && not (net 172.16/16 || net 192.168/16)) || \
  (ip[12:4] = ip[16:4]))) || (not tcp && igrp && not dst port 520 && \
  ((dst port 111) || (udp port 2049) || ((ip[19] = 0xff) && \
  not (net 172.16/16 || net 192.168/16)) || (ip[12:4] = ip[16:4])))

# RIP info (tcpdump command-line arguments, not a bare filter)
-s 1024 port routed

# in/out going fragmentation attack
tcp && ip[6:2]&16383 != 0

#######
# IP
#

# all packets with more than 20 bytes of payload
# (fixed: original compared with "<= 20", contradicting the comment)
(ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) > 20

# ping of death attack (fixed: unbalanced parentheses)
((ip[6] & 0x20 = 0) && (ip[6:2] & 0x1fff != 0)) && \
  (65535 < (ip[2:2] + 8 * (ip[6:2] & 0x1fff)))

# more fragments bit is not set [but] the fragment offset is not zero
((ip[6:1] & 0x20 = 0) && (ip[6:2] & 0x1fff != 0))

# any packet with a header more than 20 bytes.
ip[0] & 0x0f > 5

# any packet with more fragments set
ip[6] & 0x20 != 0

# packets with TTL's less than 5
ip[8] < 5

# source ip equal to destination ip [classic land attack]
ip[12:4] = ip[16:4]

# another, land attack
(tcp[0:2] = tcp[2:2]) && (ip[12:4] = ip[16:4])

# IP options
(ip[0] & 0x0f) != 5

# broadcasts to xxx.xxx.xxx.255 || xxx.xxx.xxx.0
(ip[19]=0xff) || (ip[19]=0x00)

# fragmented packet with zero offset
ip[6:2] & 0x1fff = 0

# and more fragments [terminal]
(ip[6] & 0x20 = 0) && (ip[6:2] & 0x1fff != 0)

# and even more fragments [intervening]
(ip[6] & 0x20 != 0) && (ip[6:2] & 0x1fff != 0)

# my head was fragmented [initially]
(ip[6] & 0x20 != 0) && (ip[6:2] & 0x1fff = 0)

# fragmented packets with more coming
ip[6:1] & 0x20 != 0

# more fragments bit is not set, [but] the fragment offset is not zero
(ip[6:1] & 0x20 = 0) && (ip[6:2] & 0x1fff != 0)

# unroutable addresses
not ((ip[12] < 3) || net 5 || net 10 || net 127 || net 172.16 \
  || net 192.168 || (ip[12] > 239))

# IP options
ip[0:1] & 0x0f > 5

# loose source routing, [(ip[0:1] & 0x0f > 5)]
# ip[20] opts:
# 7,0x44,0x83,0x89
# record route,timestamp,loose source routing,strict source routing
# loose source routing
ip[20:1] & 0xff = 131

# other IP versions than ipv4
ip && (ip[0] & 0xf0 != 0x40)

#######
# ICMP
#

# fragmentation needed but DF flag set
(icmp[0] = 3) && (icmp[1] = 4)

# fragmented ICMP
icmp && (ip[6:1] & 0x20 != 0)

# in/out going smurf attack
icmp && (ip[19:1] = 255)

# in/out going fragmentation attack
icmp && ip[6:2] & 16383 != 0

# Loki Filter (fixed: missing closing parenthesis)
((icmp[0] = 0) || (icmp[0] = 8)) && ((icmp[6:2] = 0xf001) || (icmp[6:2] = 0x01f0))

# ICMP address mask requests
icmp[0] = 17

# Frag required but DF set*
((icmp[0] = 3) && (icmp[1] = 4))

# source route failed
(icmp[0] = 3) && (icmp[1] = 5)

# all ICMP except ping
icmp && icmp[0] != 8 && icmp[0] != 0

# source quench         : icmp[0] = 4
# redirect              : icmp[0] = 5
# router advertisement  : icmp[0] = 9
# router solicitation   : icmp[0] = 10
# parameter problem     : icmp[0] = 12
# timestamp request     : icmp[0] = 13
# timestamp reply       : icmp[0] = 14
# information request   : icmp[0] = 15
# information reply     : icmp[0] = 16
# address mask request  : icmp[0] = 17
# address mask reply    : icmp[0] = 18

#######
# UDP
#

# teardrop attack
udp && (ip[6:1] & 0x20 != 0)

# catch anything udp to port 500 (tcpdump command-line arguments plus filter)
-n -vv udp && dst port 500

# catch udp packets with impossible udp lengths
# (fixed: "udp[4:2] < 0" can never match; the minimum UDP length is 8)
(udp[4:2] < 8) || (udp[4:2] > 1500)

# back Orifice
-n -vv udp && dst port 31337

# UNIX traceroute destports between 33000 and 33999
(udp[2:2] >= 33000) && (udp[2:2] <= 33999)
# or alternatively..
udp[2:2] >= 33000 && udp[2:2] < 34000 && ip[8] = 1

# UDP port scan (fixed: "src port = dst port" is not valid syntax; compare the header fields)
udp && udp[0:2] = udp[2:2]
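The byte-offset filters in the collection above read fields at fixed positions relative to the IP or TCP header, and a compound filter simply joins such tests with and/or/not. The following Python is an editor's added example, not code from the original post or from the packetlevel.ch collection: it transcribes four of the filters above into predicates, builds constructed IPv4/TCP packets (no link-layer header), and evaluates them, so the reader can see how tcp[] offsets are resolved through the IP header length. The accessor names ip_/tcp_ and the packet builder are the example's own.

```python
import struct

# Accessors mirroring BPF "ip[off:n]" and "tcp[off:n]" on a raw IPv4 packet.
# tcp[] is relative to the TCP header, which begins after the IP header of
# length (ip[0] & 0x0f) << 2. Reads past the end yield 0 (BPF would not match).
def ip_(pkt, off, n=1):
    return int.from_bytes(pkt[off:off + n], "big")

def tcp_(pkt, off, n=1):
    ihl = (ip_(pkt, 0) & 0x0f) << 2
    return ip_(pkt, ihl + off, n)

# Filters from the collection, transcribed 1:1 into predicates.
def syn_fin(pkt):            # tcp[13] & 0x03 = 3
    return tcp_(pkt, 13) & 0x03 == 3

def land_attack(pkt):        # (tcp[0:2] = tcp[2:2]) && (ip[12:4] = ip[16:4])
    return tcp_(pkt, 0, 2) == tcp_(pkt, 2, 2) and ip_(pkt, 12, 4) == ip_(pkt, 16, 4)

def ssh_banner(pkt):         # tcp[(tcp[12]>>2):4] = 0x5353482D  ("SSH-")
    doff = tcp_(pkt, 12) >> 2            # TCP data offset in bytes
    return tcp_(pkt, doff, 4) == 0x5353482D

def payload_len(pkt):        # ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)
    return ip_(pkt, 2, 2) - ((ip_(pkt, 0) & 0x0f) << 2) - (tcp_(pkt, 12) >> 2)

def suspicious(pkt):         # compound filter: (syn-fin || land) && not ssh
    return (syn_fin(pkt) or land_attack(pkt)) and not ssh_banner(pkt)

# Constructed sample packets for the demonstration (not real captures).
def make_packet(src, dst, sport, dport, flags, payload=b""):
    total = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                         bytes(src), bytes(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                          8192, 0, 0)
    return ip_hdr + tcp_hdr + payload

NORMAL = make_packet((10, 0, 0, 1), (10, 0, 0, 2), 40000, 22, 0x18, b"SSH-2.0-x\r\n")
SYNFIN = make_packet((10, 0, 0, 1), (10, 0, 0, 2), 40000, 80, 0x03)
LAND = make_packet((10, 0, 0, 2), (10, 0, 0, 2), 139, 139, 0x02)

if __name__ == "__main__":
    for name, pkt in (("NORMAL", NORMAL), ("SYNFIN", SYNFIN), ("LAND", LAND)):
        print(name, "payload_len=%d suspicious=%s" % (payload_len(pkt), suspicious(pkt)))
```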