Monday, February 13, 2012

Using Filter Files

tcpdump will read a BPF from a file with the -F switch, which makes it easy to reuse long, complex or just hard-to-remember filters. Unfortunately, there is no way to use a multi-line file, so you must create one file per filter. To make this a little easier, you can create a directory, put all your filter files in it, and set an environment variable for it, like bpf=/home/jeff/netsec/bpf_filters. Then you can use the $bpf variable in your command. Tab completion will let you choose between similarly named filters like "syn_only" and "syn-ack_only". You'll probably want to make your filter names as intuitive as possible, but if you find yourself constructing filters that string together four or five or more conditions, giving each one an (accurate) name that isn't almost as long as the filter itself can be a problem. So, another way to do this is to create a text file listing all your filters, and give each filter file a number as its name. Then, to use that filter to check for source routing, all you need to do is specify -F . Much easier than typing out a BPF like:
'ip[0] & 0x0F > 5 and (ip[20] = 0x89 or ip[20] = 0x83)'.
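The directory-plus-index scheme described above, written out as an added POSIX shell example (not code from the original post): one filter per file under $bpf, an index file that records a number, a name and a short description for each filter, and a lookup that turns either a name or a number into the file that tcpdump -F needs. The function names, the index.txt layout and the default directory are assumptions of this example; the three sample filters are constructed, the third being the post's own source-route filter.

```shell
#!/bin/sh
# Added example, not from the original post: a small helper around tcpdump -F.
# One BPF filter per file under $bpf (tcpdump cannot read several filters from
# one file), plus an index that maps a number to each filter's name and a
# description, so a filter can be chosen by name or by number.

# Assumption: default filter directory; set bpf in the environment to override.
: "${bpf:=${TMPDIR:-/tmp}/bpf_filters}"

# Index layout (assumed for this example): number<TAB>name<TAB>description
bpf_index() { printf '%s/index.txt' "$bpf"; }

# bpf_add NAME 'FILTER' 'DESCRIPTION'
# Writes the filter text to $bpf/NAME and registers it in the index unless the
# name is already listed (re-adding just refreshes the filter file).
bpf_add() {
    name=$1 filter=$2 desc=$3
    mkdir -p "$bpf"
    printf '%s\n' "$filter" > "$bpf/$name"
    if [ -f "$(bpf_index)" ] &&
       awk -F'\t' -v n="$name" '$2 == n { found = 1 } END { exit !found }' "$(bpf_index)"; then
        return 0
    fi
    if [ -f "$(bpf_index)" ]; then next=$(wc -l < "$(bpf_index)"); else next=0; fi
    next=$((next + 1))
    printf '%s\t%s\t%s\n' "$next" "$name" "$desc" >> "$(bpf_index)"
}

# bpf_path NAME_OR_NUMBER : print the filter file's path, or fail if unknown.
bpf_path() {
    case $1 in
        ''|*[!0-9]*) f="$bpf/$1" ;;     # anything that is not all digits is a name
        *) f=$(awk -F'\t' -v n="$1" -v d="$bpf" '$1 == n { print d "/" $2 }' \
                   "$(bpf_index)" 2>/dev/null) ;;
    esac
    [ -n "$f" ] && [ -f "$f" ] && printf '%s\n' "$f"
}

# bpf_list : show the numbered index together with each filter's text.
bpf_list() {
    [ -f "$(bpf_index)" ] || return 1
    while IFS="$(printf '\t')" read -r num name desc; do
        printf '%s\t%-14s %s\n\t%s\n' "$num" "$name" "$desc" "$(cat "$bpf/$name")"
    done < "$(bpf_index)"
}

# bpf_run NAME_OR_NUMBER [tcpdump options...] : run tcpdump with that filter file.
bpf_run() {
    f=$(bpf_path "$1") || { echo "bpf_run: unknown filter '$1'" >&2; return 1; }
    shift
    tcpdump -nn "$@" -F "$f"
}

# Constructed sample filters; the third is the post's own source-route filter.
bpf_add syn_only     'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'          'TCP SYN without ACK'
bpf_add syn-ack_only 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)' 'TCP SYN+ACK'
bpf_add source_route 'ip[0] & 0x0F > 5 and (ip[20] = 0x89 or ip[20] = 0x83)'  'IPv4 options present, first option is strict (0x89) or loose (0x83) source route'
bpf_list
# Then, for example:  bpf_run 3 -i eth0 -c 20   (same as  bpf_run source_route -i eth0 -c 20)
```

Source the file from your shell profile and `bpf_run 3 -i eth0` runs tcpdump with the source-route filter, exactly as `tcpdump -nn -i eth0 -F $bpf/source_route` would; `bpf_list` shows the number-to-filter mapping the post keeps in a text file, so a short number on the command line still leaves a readable record of what it matches.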
