...how to find SYN packets directed to natted addresses where an attempt was made to connect or scan a service natted to an internal resource. I used this filter for addresses located in the range 192.168.25.6 to 192.168.25.35.
The proposed answer is this:
tcpdump -nr file '((ip[16:2] = 0xc0a8 and ip = 0x19 and ip > 0x06)\
and (ip[16:2] = 0xc0a8 and ip = 0x19 and ip < 0x23) and tcp = 0x02)'
I am sure it's clear to everyone what that means!
Given my low success rate in getting comments posted to the SANS ISC blog, I figured I would reply here.
Last fall I wrote Using Wireshark and Tshark display filters for troubleshooting. Wireshark display filters make writing such complex Berkeley Packet Filter syntax a thing of the past.
Using Wireshark display filters, a mere mortal could write the following:
tshark -nr file 'tcp.flags.syn and (ip.dst > 192.168.25.6 and ip.dst < 192.168.25.35)'
Note that if you want to be inclusive, change the > to >= and the < to <= .
To show that my filter works, I ran the filter against a file with traffic on my own 192.168.2.0/24 network, so I altered the last two octets to match my own traffic.
$ tshark -nr test.pcap 'tcp.flags.syn and (ip.dst > 192.168.2.103 and ip.dst < 192.168.2.106)'
137 2009-06-28 16:21:44.195504 220.127.116.11 -> 192.168.2.104 HTTP Continuation or non-HTTP traffic
You have plenty of other options, such as ip.src and ip.addr.
Which one do you think is faster to write and easier to understand?
Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.