Filter for control flags of TCP header sought

Ralph Grothe
Honored Contributor

Hi,

I have a wee packet snooping filter itch.

I only want to fish TCP packets to and from a certain host and port whose reset bit is set.
Unfortunately snoop's filtering syntax is a bit unwieldy.

From figure 3 in the RFC
( http://www.faqs.org/rfcs/rfc793.html )
I counted that the control flag field starts at offset 106 and has a size of 6 bits.

Unfortunately snoop's manpage doesn't tell what the units are for the offset, but I take it it's in octets, half-words, or bytes.

Now I'm not sure whether there are indeed no packages that have the reset bit set, or if simply my filter is inappropriate.

The special filter (apart from source and destination addresses and port) that I used was
"tcp[13:1] & 0x00000100"

Can you confirm or correct me that my bit position counting was right?

Regards
Ralph
Madness, thy name is system administration
harry d brown jr
Honored Contributor

Re: Filter for control flags of TCP header sought


Have you tried tcpdump? http://hpux.cs.utah.edu/hppd/hpux/Networking/Admin/tcpdump-3.8.3/

live free or die
harry d brown jr
Live Free or Die
Ralph Grothe
Honored Contributor

Re: Filter for control flags of TCP header sought

Not yet, although I know of the tool.
Before installing libpcap and tcpdump I wanted to try the onboard toolset.
I know snoop is Solaris and thus out of bounds here, but maybe you could tell me an appropriate filter for netfmt.
I think sooner or later I'll need it on an hpux box.
Madness, thy name is system administration
Biswajit Tripathy
Honored Contributor

Re: Filter for control flags of TCP header sought

You could use IPFilter to log this. Follow these
steps:

1) Get pid of "ipmon" process and kill it.

2) Set the IPFilter rule using following command:

# /sbin/ipf -Fa -f -
pass in log quick proto tcp from IP1 port = PORT1 to any flags R
'^D'

Replace IP1 and PORT1 in the above rule with the
IP address and port number of source from
where the packet is originating.

3) Run "ipmon" at the command line:
# ipmon -v

This will print a line (similar format as tcpdump)
every time a RST packet comes in from IP1
and PORT1.

- Biswajit

:-)
Todd Whitcher
Esteemed Contributor

Re: Filter for control flags of TCP header sought

Hi Ralph,

You can do this with ethereal: you can filter on source and destination IP and port and set the tcp flags equal to RST.

You can download the latest ethereal from www.ethereal.com. For HPUX you have to download some other libraries to get it working. HP has a pre-compiled version available on the internet express software package. If you go to software.hp.com and search in internet express you will find it.


It sounds like you want to capture this in real time; you can use the command line tethereal or the gui to do this. If you're using the gui you can set up your filter beforehand and change the display to update in real time. I don't use tethereal much but there is a man page and examples out on www.ethereal.com.

What I personally like about ethereal is the user interface and the fact that it can read
hpux nettl traces, snoop traces, tcpdump and various other trace and sniffer outputs, pretty much all of the ones I've ever had to analyze.

I hope this helps. Ethereal is pretty easy to get set up and working; some of the filters can be challenging to set up but it's not too bad.

Todd
Todd Whitcher
Esteemed Contributor
Solution

Re: Filter for control flags of TCP header sought

Oh, and to answer your nettl/netfmt question. It doesn't filter on tcp flags. What I generally do is capture w/ nettl and read w/ ethereal since it has more options.

You could trace like this w/ nettl:

Start your trace:
nettl -tn pduin pduout -e ns_ls_ip -s 1024 -tm 99999 -f /raw0

Reproduce problem

Stop your trace

nettl -tf -e all

Then you can use ethereal to read it and filter on RST etc. The filters available for netfmt are in the man pages.

For your needs you could set up a filter like this.

$ cat filter
filter tcp.sport port_nu (source port)
filter tcp.dport port_nu (dest port)
filter ip.saddr ip_address_of_remote
filter ip.daddr ip_address_of_remote

Then

$ netfmt -Nnlf raw.TRCXX -c filter > raw.out


There are updates to nettl depending on your patches, check your man pages.

rick jones
Honored Contributor

Re: Filter for control flags of TCP header sought

I'm sure someone has ported snoop to UX at some point. Still, I'd use tcpdump myself - the Internet Express bits have tcpdump, or you can go grab sources from isc.org.

In tcpdump-speak I tend to use a filter along the lines of "(tcp[13] & 7) = 1, 2 or 4" when I want to find SYN, FIN or RST flags in TCP segment headers. That is from memory, so you might double check that with what is in the tcp.h header file under /usr/include somewhere (I think that would be /usr/include/netinet/tcp.h). I think there is an example in the tcpdump.1 manpage.

Apart from the ":1" the filter you have looks pretty much the same.
there is no rest for the wicked yet the virtuous have no pillows
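The thread leaves the offset arithmetic implicit, so the following is an added worked example (not code posted by anyone in the thread). It builds constructed 20-byte TCP headers with struct, reads the control-flag byte the way the BPF expression tcp[13] does, and applies three masks: the RST-only check (tcp[13] & 4), Rick's FIN/SYN/RST check (tcp[13] & 7), and Ralph's original mask 0x100, which can never match a single byte. It also shows that bits 106 to 111 of the header land in the low six bits of byte 13, which is why RST is 0x04. The sample segments and addresses are constructed for the example.

```python
import struct

# Control-flag bits of TCP header byte 13, per RFC 793 figure 3.
# Header bits 104..111 form byte 13; the six flags are bits 106..111,
# i.e. the low six bits of that byte (URG is the highest of them).
TCP_FIN = 0x01
TCP_SYN = 0x02
TCP_RST = 0x04
TCP_PSH = 0x08
TCP_ACK = 0x10
TCP_URG = 0x20

FLAG_NAMES = {TCP_URG: "URG", TCP_ACK: "ACK", TCP_PSH: "PSH",
              TCP_RST: "RST", TCP_SYN: "SYN", TCP_FIN: "FIN"}


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=0):
    """Construct a minimal 20-byte TCP header (no options) as sample input.
    Constructed test data, not a captured packet."""
    data_offset_words = 5                 # 5 x 32-bit words = 20 bytes
    offset_byte = data_offset_words << 4  # low 4 bits are reserved, left 0
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       offset_byte, flags & 0x3F, window, 0, 0)


def tcp_flag_byte(tcp_header):
    """Equivalent of the BPF operand tcp[13]: the control-flag byte."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than the 20-byte minimum")
    return tcp_header[13]


def flag_names(tcp_header):
    """Human-readable list of the flags set, highest bit first."""
    byte = tcp_flag_byte(tcp_header)
    return [name for bit, name in sorted(FLAG_NAMES.items(), reverse=True)
            if byte & bit]


def matches_rst_filter(tcp_header):
    """The filter the thread converges on: tcp[13] & 4 != 0."""
    return bool(tcp_flag_byte(tcp_header) & TCP_RST)


def matches_syn_fin_rst_filter(tcp_header):
    """Rick's variant: (tcp[13] & 7) != 0, i.e. any of FIN, SYN or RST."""
    return bool(tcp_flag_byte(tcp_header) & (TCP_FIN | TCP_SYN | TCP_RST))


def matches_original_filter(tcp_header):
    """Ralph's mask 0x00000100 applied to the one-byte operand tcp[13:1].
    A single byte can never have bit 8 set, so this never matches, which
    is why no RST packets showed up."""
    return bool(tcp_flag_byte(tcp_header) & 0x00000100)


def rst_segments_for(segments, host, port):
    """Select segments to or from host on port whose RST bit is set,
    mirroring 'host X and port N and tcp[13] & 4 != 0'.
    Each segment is a (src_ip, dst_ip, tcp_header) tuple."""
    selected = []
    for src, dst, hdr in segments:
        sport, dport = struct.unpack("!HH", hdr[:4])
        if host in (src, dst) and port in (sport, dport) \
                and matches_rst_filter(hdr):
            selected.append((src, dst, sport, dport))
    return selected


# Constructed sample traffic: a handshake SYN, a plain ACK, an RST+ACK
# from the server, and an unrelated RST involving another host.
SAMPLE_SEGMENTS = [
    ("192.0.2.10", "10.0.0.5", build_tcp_header(40000, 80, TCP_SYN)),
    ("10.0.0.5", "192.0.2.10", build_tcp_header(80, 40000, TCP_ACK)),
    ("10.0.0.5", "192.0.2.10", build_tcp_header(80, 40000, TCP_RST | TCP_ACK)),
    ("192.0.2.11", "192.0.2.12", build_tcp_header(5000, 6000, TCP_RST)),
]

if __name__ == "__main__":
    for src, dst, hdr in SAMPLE_SEGMENTS:
        print(f"{src} -> {dst} flags={flag_names(hdr)} "
              f"byte13=0x{tcp_flag_byte(hdr):02x} "
              f"rst={matches_rst_filter(hdr)} "
              f"orig_mask={matches_original_filter(hdr)}")
    print(rst_segments_for(SAMPLE_SEGMENTS, "10.0.0.5", 80))
```

The same arithmetic explains the snoop offset question in the original post: 106 bits divided by 8 is byte 13 with a remainder of 2, so the flags begin two bits into byte 13 and the byte-indexed mask is what the filter needs, not 0x100.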
Ralph Grothe
Honored Contributor

Re: Filter for control flags of TCP header sought

Hi guys,

many thanks for your hints.

Please also pop into this somewhat related thread:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=778439
Madness, thy name is system administration