IP Address Range Search with libpcap - SANS Internet Storm Center

IP Address Range Search with libpcap
This week, I received a request to search for a range of destination addresses that cannot easily done using libpcap conventional macro filters but can be done using an IP protocol filter. It is quite easy to filter for a CIDR range (i.e. /23, /24) with a libpcap macro filter but when it comes to search for an unusual list of addresses such as 192.168.25.6 to 192.168.25.35, there is no simple macro to easily do it. The following example illustrates how to find SYN packets directed to natted addresses where an attempt was made to connect or scan a service natted to an internal resource. I used this filter for addresses located in the range 192.168.25.6 to 192.168.25.35. tcpdump -nr filename '((ip[16:2] = 0xc0a8 and ip[18] = 0x19 and ip[19] > 0x06) and (ip[16:2] = 0xc0a8 and ip[18] = 0x19 and ip[19] < 0x23) and tcp[13] = 0x02)' The filter breaks down as follow: Starting IP Range ip[16:2] = 0xc0a8 -> First two octets of the IP address is 192.168 ip[18] = 0x19 -> Third octet of the IP address is 25 ip[19] > 0x06 -> Last octet of the IP address is greater than 6 Less than IP Range ip[16:2] = 0xc0a8 -> First two octets of the IP address is 192.168 ip[18] = 0x19 -> Third octet of the IP address is 25 ip[19] < 0x23 -> Last octet of the IP address is less than 35 Last Part of the Filter tcp[13] = 0x02 -> If there is a successful match, only print those with SYN packets This filter yielded for example the following results which in this case are inbound scans: 21:38:28.522588 IP xxx.x.221.157.63662 > 192.168.25.7.443: S 1279429613:1279429613(0) win 65535 <mss 1412,nop,nop,sackOK,nop,wscale 1,nop,nop,timestamp 353141033 0> 04:24:34.438872 IP xxx.xxx.253.36.55395 > 192.168.25.7.443: S 3909380827:3909380827(0) win 65535 <mss 1412,nop,nop,sackOK,nop,wscale 1,nop,nop,timestamp 3199762289 0> 04:24:49.700805 IP xx.xxx.160.65.54640 > 192.168.25.7.443: S 520695074:520695074(0) win 65535 <mss 1412,nop,nop,sackOK,nop,wscale 1,nop,nop,timestamp 2595387575 0> 05:20:18.618965 IP xxx.xxx.124.41.49734 > 192.168.25.7.443: S 3595559815:3595559815(0) win 65535 <mss 1412,nop,nop,sackOK,nop,wscale 1,nop,nop,timestamp 1555543940 0> This same filter could easily be expended to include search for a specific port instead of any ports to further narrow the search. Handler on Duty Guy Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org Teaching Comprehensive Packet Analysis in Ottawa, ON this coming September	Guy 439 Posts ISC Handler
Subscribe	Jun 28th 2009 9 years ago
Alternatively, there is a perl script called cidr_range.pl that I found. It takes a range of IPs and converts them to CIDR. Your range would be the same as these four CIDR ranges: 192.168.25.6/31, 192.168.25.8/29, 192.168.25.16/28, and 192.168.25.32/30. That's not nearly as elegant, but for someone who is afraid of digging into the bits, they can get the same result with less brain hurting.	Jasey 93 Posts
Quote	Jun 29th 2009 9 years ago
Richard Bejtlich blogged about an alternative approach that is easier to read, using wireshark/tshark display filters: http://taosecurity.blogspot.com/2009/06/simpler-ip-range-matching-with-tshark.html	Andrew 41 Posts
Quote	Jun 29th 2009 9 years ago

This week, I received a request to search for a range of destination addresses that cannot easily done using libpcap conventional macro filters but can be done using an IP protocol filter. It is quite easy to filter for a CIDR range (i.e. /23, /24) with a libpcap macro filter but when it comes to search for an unusual list of addresses such as 192.168.25.6 to 192.168.25.35, there is no simple macro to easily do it.

The following example illustrates how to find SYN packets directed to natted addresses where an attempt was made to connect or scan a service natted to an internal resource. I used this filter for addresses located in the range 192.168.25.6 to 192.168.25.35.

tcpdump -nr filename '((ip[16:2] = 0xc0a8 and ip[18] = 0x19 and ip[19] > 0x06) and (ip[16:2] = 0xc0a8 and ip[18] = 0x19 and ip[19] < 0x23) and tcp[13] = 0x02)'

The filter breaks down as follow:

Starting IP Range

ip[16:2] = 0xc0a8 -> First two octets of the IP address is 192.168
ip[18] = 0x19       -> Third octet of the IP address is 25
ip[19] > 0x06    -> Last octet of the IP address is greater than 6

Less than IP Range

ip[16:2] = 0xc0a8 -> First two octets of the IP address is 192.168
ip[18] = 0x19       -> Third octet of the IP address is 25
ip[19] < 0x23   -> Last octet of the IP address is less than 35

Last Part of the Filter

tcp[13] = 0x02    -> If there is a successful match, only print those with SYN packets

This filter yielded for example the following results which in this case are inbound scans:

21:38:28.522588 IP xxx.x.221.157.63662 > 192.168.25.7.443: S 1279429613:1279429613(0) win 65535 <mss 1412,nop,nop,sackOK,nop,wscale 1,nop,nop,timestamp 353141033 0>
04:24:34.438872 IP xxx.xxx.253.36.55395 > 192.168.25.7.443: S 3909380827:3909380827(0) win 65535 <mss 1412,nop,nop,sackOK,nop,wscale 1,nop,nop,timestamp 3199762289 0>
04:24:49.700805 IP xx.xxx.160.65.54640 > 192.168.25.7.443: S 520695074:520695074(0) win 65535 <mss 1412,nop,nop,sackOK,nop,wscale 1,nop,nop,timestamp 2595387575 0>
05:20:18.618965 IP xxx.xxx.124.41.49734 > 192.168.25.7.443: S 3595559815:3595559815(0) win 65535 <mss 1412,nop,nop,sackOK,nop,wscale 1,nop,nop,timestamp 1555543940 0>

This same filter could easily be expended to include search for a specific port instead of any ports to further narrow the search.

Handler on Duty

Guy

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

Teaching Comprehensive Packet Analysis in Ottawa, ON this coming September

Guy

439 Posts
ISC Handler

Alternatively, there is a perl script called cidr_range.pl that I found. It takes a range of IPs and converts them to CIDR. Your range would be the same as these four CIDR ranges: 192.168.25.6/31, 192.168.25.8/29, 192.168.25.16/28, and 192.168.25.32/30. That's not nearly as elegant, but for someone who is afraid of digging into the bits, they can get the same result with less brain hurting.

Jasey

93 Posts

Richard Bejtlich blogged about an alternative approach that is easier to read, using wireshark/tshark display filters:

http://taosecurity.blogspot.com/2009/06/simpler-ip-range-matching-with-tshark.html

Andrew

41 Posts