By Richard Bejtlich, Principal Security Strategist, Corelight
This post contains a warning and a solution for anyone using BPF syntax when filtering traffic for network security monitoring.
I've been writing material for the Zeek documentation project. I was collecting a sample trace in my home lab, which includes a Ubiquiti switch. The switch in this setup sends a copy of traffic on its uplink via a SPAN port to a network security monitoring sensor. On the sensor, I collected traffic using Tcpdump, with an IP address filter for a Raspberry Pi. On the Pi, I used the Linux "curl" command to visit www.taosecurity.com. Here is the command I used to collect the traffic:
As you might expect, Tcpdump collected DNS requests and responses in addition to the TCP traffic to and from port 443 TCP on the Web server. Here is the beginning of the traffic:
The first four datagrams are DNS requests and responses. The next three segments are the TCP three-way handshake.
I decided that I wanted to filter out the DNS traffic for the document I was creating. I used the following Berkeley Packet Filter (BPF) syntax to view a subset of the original traffic:
This is indeed TCP traffic. However, all of the traffic originates from the Web server at 220.127.116.11. There is no initial SYN from the Web client, or a final ACK to complete the three-way handshake.
I had a suspicion about what could be causing this, so I decided to take a closer look using Wireshark.
Notice in the previous figure the VLAN tag that I've highlighted in frame 5. These VLAN tags create a four-byte offset, making "normal" BPF syntax incorrect. Initially I thought that all of this traffic would have a VLAN tag, making it fairly easy for me to adjust to this situation. I could change my BPF from "tcp" to "vlan and tcp".
However, I looked at the next segment to see if that answer would really fix my problem.
Frame 6 does not have a VLAN tag. In other words, we have a "mixed VLAN tag" situation.
If I add "vlan and tcp" as the BPF, I will get results like this:
Now I am only seeing traffic originating from the Pi, and none of the responses from the Web server.
In order to handle the mixed VLAN tagging, I need to use a filter like the following:
Note that the following does not work:
I leave it as an exercise for the reader to figure out why. You might want to run each command with the -d option to produce the BPF byte code. For more information, please see these posts:
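To see why the order of the two expressions matters, here is an added Python example (not from the original post, and not libpcap itself): it builds one untagged and one 802.1Q-tagged IPv4/TCP frame, then evaluates candidate filters under a simplified model of the documented pcap-filter rule that the first `vlan` keyword shifts the decoding offsets for the remainder of the expression. The filter strings are my candidates for the mixed-tag case, since the post's own filters are not shown here, and the frame contents are constructed.

```python
import struct

ETH_P_IP, ETH_P_8021Q, IPPROTO_TCP = 0x0800, 0x8100, 6

def build_frame(tagged: bool) -> bytes:
    """Constructed sample frame: Ethernet header, optional 802.1Q tag, minimal IPv4 header (proto TCP)."""
    eth = b"\x00" * 12                                  # dst/src MAC, placeholder zeros
    if tagged:
        eth += struct.pack("!HH", ETH_P_8021Q, 100)     # TPID 0x8100, TCI with VLAN ID 100
    eth += struct.pack("!H", ETH_P_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip

def run_filter(expr, frame: bytes) -> bool:
    """Evaluate a tiny subset of pcap-filter syntax ("tcp", "vlan", ("and"|"or", a, b))
    against one frame. Models the documented libpcap rule that the first 'vlan'
    keyword shifts the decoding offsets of everything written after it by 4 bytes,
    whether or not the frame is tagged; both operands are always visited left to
    right so the shift follows textual (compile-time) order, not runtime short-circuit."""
    state = {"shift": 0}

    def ev(e):
        if isinstance(e, tuple):
            op, a, b = e
            ra, rb = ev(a), ev(b)                       # no short-circuit on purpose
            return (ra and rb) if op == "and" else (ra or rb)
        s = state["shift"]
        ethertype = struct.unpack_from("!H", frame, 12 + s)[0]
        if e == "vlan":
            state["shift"] = s + 4                      # offsets shift from here on
            return ethertype == ETH_P_8021Q
        if e == "tcp":
            return ethertype == ETH_P_IP and frame[14 + s + 9] == IPPROTO_TCP
        raise ValueError(f"unsupported primitive: {e}")

    return ev(expr)

FILTERS = {
    "tcp": "tcp",
    "vlan and tcp": ("and", "vlan", "tcp"),
    "tcp or (vlan and tcp)": ("or", "tcp", ("and", "vlan", "tcp")),
    "(vlan and tcp) or tcp": ("or", ("and", "vlan", "tcp"), "tcp"),
}

def matrix() -> dict:
    """Map each filter text to (matches the untagged frame?, matches the tagged frame?)."""
    untagged, tagged = build_frame(False), build_frame(True)
    return {t: (run_filter(e, untagged), run_filter(e, tagged)) for t, e in FILTERS.items()}
```

Only "tcp or (vlan and tcp)" matches both frames; with the order reversed, the trailing "tcp" is already evaluated at the shifted offsets and misses every untagged frame, which is the same asymmetry the captures above show.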
I should mention that one of the first indications I had that something was wrong with the initial filter occurred when I ran Zeek against it. Here is the conn.log entry for the Web traffic with the incorrect filter:
It is suspicious to see the originator send zero bytes, zero packets, and zero IP bytes. The connection state is also weird. According to the scripting manual, SHR means "Responder sent a SYN ACK followed by a FIN. We never saw a SYN from the originator."
Here is the conn.log entry for the Web traffic with the correct filter:
Now we have an SSL service identified, non-zero byte and packet counts, and a normal TCP history field. Decoding the history field using the scripting reference, we have the following:
This is a normal connection history for a benign session, as was the case with this traffic.
I do not know why traffic in one direction has a VLAN tag, while the other direction does not. I will need to research it further.
I hope this article has helped if you encounter similar issues!
I'd like to thank Christian Rossow for his post on the same syntax:
*** This is a Security Bloggers Network syndicated blog from Bright Ideas Blog authored by Richard Bejtlich. Read the original post at: https://corelight.blog/2020/08/27/mixed-vlan-tags-and-bpf-syntax/