Information, tools and how-to's for the new intrusion analyst. Mentoring by blogging.
Tuesday, January 24, 2023
Embedded Protocol Field
The 9th field offset from 0 is the Protocol field, also known as the embedded protocol field. This field tells you what transport protocol is encapsulated. TPC, UDP and ICMP are the most common ones but it could be any valid protocol, which all have an assigned number. TCP is 0x06, UDP is 0x11 and ICMP is 0x01. There's a list at IANA for reference at https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
Primitives take care of the common ones. tcp, udp and icmp are all BPF primitives. Their equivalent would be ip[9]==0x06, for TCP as example. You could also shortcut anything less than 10 and use the decimal equivalent, for example, ip[9]==6 but it's good form to use hexadecimal as there are protocols higher than 9 and that will keep you from an error using decimal where hex is needed. It's also good form to always enclose your BPFs in single quotes. Not all expressions will require them, but if you use one that does need it you won't end up with an error to troublehshoot.
BPF Man Page: https://biot.com/capstats/bpf.html
Subscribe to:
Posts (Atom)