[SATLUG] help with tcpdump (grab a beer its a long post)
toddwbucy at grandecom.net
Fri Feb 19 14:18:26 CST 2010
It's been real quiet lately, so I thought why not start a discussion
about tcpdump. As mentioned in an earlier post I am taking Kolars's
TCP/IP class at SAC and the following problem is one he issued in class.
My goals in doing this are to stimulate list conversation and to gain
feedback from the community about my approach.
Goal: write a tcpdump filter which isolates half-open handshakes. In
other words I need to get all of the syn/acks which have no
corresponding acks. This is useful in detecting stealth syn probes via
My approach to this problem utilizes tee and an as-yet-unwritten
awk or sed script. The general idea is to filter for missing acks
through the sequence numbers. Furthermore, given the nature of this
filter and the three-way handshake, this is a post-hoc analysis. I am
however trying to minimize the delay by outputting to a text file
for further filtering with awk or sed.
One foreseeable problem with this approach is once the binary file is
tee'ed to a text file the file size will explode. So watching file size
will be an issue that will be tweaked as this script develops.
The general idea is to use awk to sort all scanned packets by sequence
number and then group packets into triplets (syn, syn/ack, ack).
Incomplete triplets are then output to the console and/or a text file
for further analysis.
As it stands now I have written the following tcpdump filter:
tcpdump -nXSe -C 256 -G 30 -i eth0 -w tcpdump/tcpdump.021910. -W 120 \
'tcp[tcpflags] == 18 || tcp[tcpflags] == 16 || tcp[tcpflags] == 4 || tcp[tcpflags] == 2 || tcp[tcpflags] == 1' >
I have read the man page on this backwards and forwards but am still a
bit unclear about how the -C, -G and -W switches work.
First, the -C option is to set a size limit on the capture file. I am
assuming megabytes instead of kilobytes. Is this correct? I am using
this switch because it rotates file writes as set by the -W switch. My
concern, however, is that tcpdump does not write with this switch, as
it could truncate valid handshakes and lead to false positives. My
solution is to keep this set pretty high, but not so high that file size
gets out of control.
Second, the -G option sets the time for the next file write at 30
seconds. It also adds a file count at the end of the file name. This
will be lowered to a more reasonable 120-180 seconds (2-3 min) once the
awk portion of this is written. Any handshake that takes longer than
that should be regarded as suspicious.
Third, the -W option sets the max amount of files to be written as 120.
The idea is that when used with -G 30 the script will run for 1 hour
before starting over.
Question: when will tcpdump write the next file, when the file size
reaches 256 MB or when the timer hits 30 seconds? I am inclined to
think that the write happens when either one becomes true. Is this correct?
As for the -C, -G and -W switches, the values on these will change
and are purposely set high. My primary concern is in the timing between
tcpdump writes and awk filtering.
The filter is pretty self-explanatory: I am filtering for syn, syn/ack,
and ack. In order to increase the usefulness of this filter I have
added the reset and fin flags, which were not required by the assignment.
As noted above, the intention of the awk script is to filter for half-open
handshakes and other anomalies associated with session opens, closings
and resets. Once the tcpdump side of this script is ready I will begin
writing the awk portion.
I have tested this filter and created traffic using the following nmap
command: nmap -sS -sV -O -PE -PA localhost while listening to NPR
Science Friday from tpr.org's website. I let it run for about 10 min.
The output from tcpdump when closed:
^C883 packets captured
883 packets received by filter
0 packets dropped by kernel
The contents of the ~/tcpdump folder:
The contents of the ~/tcpdump/text folder:
Obviously this is not the desired output. What I want in both folders
is the following:
This is especially important with the text portion, as I want to have the
awk script run automatically once a new text file has been written.
Finally, if there is a more direct approach to accomplishing the said
goal I am all ears as I am beginning to feel like I am chasing my
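The sequence-number matching the post describes, as an added example that is not part of the original post or the class assignment: a POSIX shell function wrapping an awk program that reads `tcpdump -n -S` text on stdin and reports every SYN/ACK that was never completed by a client ACK carrying ack == seq + 1. It assumes the "Flags [S.]" line format of tcpdump 4.x, absolute sequence numbers (-S), and no -e or -X (both change the text layout the awk fields rely on). The capture lines in SAMPLE are constructed, not a real capture. It goes one step past the post's triplet grouping by telling a SYN/ACK answered with a client RST (what a stealth SYN scan does) apart from one that got no reply at all.

```shell
#!/bin/sh
# Added example, not code from the original post: find half-open handshakes
# (SYN/ACK with no matching client ACK) in `tcpdump -n -S` text output.
# Assumes: modern "Flags [S.]" format, -S (absolute seq/ack numbers), no -e/-X.

# half_open reads tcpdump text on stdin and prints one line per SYN/ACK that
# was never completed: "<client> -> <server>: <status>"
half_open() {
    awk '
    # numeric value following the token "seq" or "ack" (the trailing comma is
    # dropped by the string-to-number conversion)
    function after(name,   i) {
        for (i = 8; i < NF; i++) if ($i == name) return $(i + 1) + 0
        return -1
    }
    $2 == "IP" && $6 == "Flags" {
        src = $3; dst = $5; sub(/:$/, "", dst)
        flags = $7; gsub(/[^A-Za-z.]/, "", flags)   # "[S.]," -> "S."
        if (flags == "S.") {                         # SYN/ACK: server -> client
            key = dst " " src                        # "client server"
            if (!(key in want)) order[++n] = key
            want[key] = after("seq") + 1             # ACK number that completes it
            status[key] = "no ACK seen"
        } else if ((src " " dst) in want) {          # reply from the client
            key = src " " dst
            if (flags ~ /^R/)
                status[key] = "reset by client (nmap -sS pattern)"
            else if (flags == "." && after("ack") == want[key])
                delete want[key]                     # handshake completed
            else if (flags == ".")
                status[key] = "client ACK did not match seq+1"
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            key = order[i]
            if (key in want) {
                split(key, ep, " ")
                printf "%s -> %s: %s\n", ep[1], ep[2], status[key]
            }
        }
    }'
}

# Constructed sample in tcpdump -n -S format (not a real capture):
# 1) completed handshake  2) SYN/ACK answered by RST (stealth scan)
# 3) SYN/ACK with no reply 4) client ACK carrying the wrong ack number
SAMPLE='12:00:00.000001 IP 10.0.0.5.40000 > 10.0.0.9.80: Flags [S], seq 1000, win 65535, length 0
12:00:00.000002 IP 10.0.0.9.80 > 10.0.0.5.40000: Flags [S.], seq 2000, ack 1001, win 65535, length 0
12:00:00.000003 IP 10.0.0.5.40000 > 10.0.0.9.80: Flags [.], ack 2001, win 65535, length 0
12:00:00.000004 IP 10.0.0.7.55000 > 10.0.0.9.22: Flags [S], seq 5000, win 1024, length 0
12:00:00.000005 IP 10.0.0.9.22 > 10.0.0.7.55000: Flags [S.], seq 7000, ack 5001, win 65535, length 0
12:00:00.000006 IP 10.0.0.7.55000 > 10.0.0.9.22: Flags [R], seq 5001, win 0, length 0
12:00:00.000007 IP 10.0.0.7.55001 > 10.0.0.9.443: Flags [S], seq 5100, win 1024, length 0
12:00:00.000008 IP 10.0.0.9.443 > 10.0.0.7.55001: Flags [S.], seq 7100, ack 5101, win 65535, length 0
12:00:00.000009 IP 10.0.0.9.25 > 10.0.0.8.60000: Flags [S.], seq 9000, ack 3001, win 65535, length 0
12:00:00.000010 IP 10.0.0.8.60000 > 10.0.0.9.25: Flags [.], ack 9999, win 65535, length 0'

# Stand-alone run on the constructed sample. Against a real capture:
#   tcpdump -n -S -r file.pcap "tcp[tcpflags] & (tcp-syn|tcp-ack|tcp-rst) != 0" | half_open
printf '%s\n' "$SAMPLE" | half_open
```

Because the match is on absolute numbers, -S is not optional: without it tcpdump prints the client's ack as a relative "ack 1" and the comparison against seq + 1 never succeeds. The RST status is the one worth alerting on, since a plain "no ACK seen" also fires on packet loss or a capture window that closed before the third packet arrived.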