Back to Index page
Next: Entering and Selecting Filters
This section will assist you with building your basic filter set. The basic filter set should include filters that capture packets on the well-known service ports; the table below should get you started.
| Filter Name | Filter String |
|---|---|
| HTTP_80 | port 80 |
| DNS_53 | port 53 |
| SMTP_25 | port 25 |
| FTP_CMD_21 | port 21 |
| TELNET_23 | port 23 |
| POP3_110 | port 110 |
| SNMP_161_162 | port 161 or port 162 |
| IMAP_143 | port 143 |
| NNTP_119 | port 119 |
| LDAP_389 | port 389 |
| NCP_524 | port 524 |
| Netbios_SMB_137_138_139 | port 137 or port 138 or port 139 |
| Host based filtering | `host <ip-address-or-hostname>` (enter the IP address or hostname after host) |
| Port based filtering | `port <number>` (enter the port number after port) |
| IP Fragmentation | ip[6:2] & 0x2000 = 0x2000 or ip[6:2] & 0x1fff != 0x0000 |
| IP_All | ip |
| TCP_All | tcp |
| UDP_All | udp |
| ARP_Ether | arp |
| ICMP_ALL | icmp |
| ICMP_ping | icmp[0] = 0 or icmp[0] = 8 |
| ICMP_noPing | icmp[0] != 0 and icmp[0] != 8 |
| IGMP | ip[9] = 2 |
| EGP | ip[9] = 8 |
| Multicast | net 224.0.0 |
| Multicast (another variation) | ip multicast |
| Multicast | ether multicast |
You can use the common packet offsets table as a shortcut to help build other filters.
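Several of the table's filters (IP Fragmentation, ICMP_ping, ICMP_noPing, IGMP, EGP) are byte-offset tests rather than port names, so it helps to see exactly which header bytes they read. The Python below is added here as an illustration and is not part of the original page: it builds minimal IPv4 packets with the struct module (all packets and addresses are constructed for the example; none are captures) and evaluates the same `ip[...]` and `icmp[...]` tests that tcpdump would, so you can confirm what each filter string matches before loading it.

```python
"""Evaluate some byte-offset filters from the table against constructed
IPv4 packets, using the same offsets as the tcpdump expressions.

In tcpdump syntax ip[N] is byte N of the IPv4 header (counted from 0),
ip[N:2] is the two-byte big-endian value at byte N, and icmp[N] is byte N
of the ICMP header, which follows the IPv4 header.
"""
import struct

IPPROTO_ICMP, IPPROTO_IGMP, IPPROTO_UDP = 1, 2, 17


def build_ipv4(proto, payload=b"", more_fragments=False, frag_offset=0):
    """Minimal 20-byte IPv4 header (no options) plus payload.
    frag_offset is in 8-byte units, exactly as stored in the header.
    The checksum is left zero; none of these filters inspect it."""
    version_ihl = (4 << 4) | 5
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        version_ihl, 0, 20 + len(payload), 0x1234, flags_frag, 64, proto, 0,
        bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]),  # RFC 5737 test addresses
    )
    return header + payload


def ip_field(pkt, off, size=1):
    """ip[off] or ip[off:size] on a packet that starts at the IPv4 header."""
    return int.from_bytes(pkt[off:off + size], "big")


def icmp_field(pkt, off):
    """icmp[off]: skip the IPv4 header using its IHL (low nibble of ip[0])."""
    return pkt[(ip_field(pkt, 0) & 0x0F) * 4 + off]


def is_fragment(pkt):
    """ip[6:2] & 0x2000 = 0x2000 or ip[6:2] & 0x1fff != 0x0000:
    More Fragments flag set, or a non-zero fragment offset."""
    flags_frag = ip_field(pkt, 6, 2)
    return (flags_frag & 0x2000) == 0x2000 or (flags_frag & 0x1FFF) != 0


def is_icmp(pkt):
    return ip_field(pkt, 9) == IPPROTO_ICMP  # the 'icmp' keyword tests ip[9]


def is_icmp_ping(pkt):
    """icmp[0] = 0 or icmp[0] = 8: echo reply or echo request."""
    return is_icmp(pkt) and icmp_field(pkt, 0) in (0, 8)


def is_icmp_noping(pkt):
    """icmp[0] != 0 and icmp[0] != 8: every other ICMP type."""
    return is_icmp(pkt) and icmp_field(pkt, 0) not in (0, 8)


def is_igmp(pkt):
    return ip_field(pkt, 9) == IPPROTO_IGMP  # ip[9] = 2


def is_egp(pkt):
    return ip_field(pkt, 9) == 8  # ip[9] = 8


FILTERS = {
    "IP Fragmentation": is_fragment,
    "ICMP_ALL": is_icmp,
    "ICMP_ping": is_icmp_ping,
    "ICMP_noPing": is_icmp_noping,
    "IGMP": is_igmp,
    "EGP": is_egp,
}


def matching_filters(pkt):
    """Names of the filters implemented above that pkt would match."""
    return [name for name, pred in FILTERS.items() if pred(pkt)]


# Constructed samples: ICMP echo request (type 8), ICMP destination
# unreachable (type 3), first and last fragment of a UDP datagram, and an
# IGMP membership query (type 0x11).
SAMPLES = {
    "echo_request": build_ipv4(IPPROTO_ICMP, bytes([8, 0, 0, 0])),
    "dest_unreach": build_ipv4(IPPROTO_ICMP, bytes([3, 1, 0, 0])),
    "udp_first_frag": build_ipv4(IPPROTO_UDP, b"\x00" * 8, more_fragments=True),
    "udp_last_frag": build_ipv4(IPPROTO_UDP, b"\x00" * 8, frag_offset=185),
    "igmp_query": build_ipv4(IPPROTO_IGMP, bytes([0x11, 0x64, 0, 0])),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:15s} -> {matching_filters(pkt)}")
```

Note that `icmp[0]` is relative to the ICMP header, so the helper has to skip the IPv4 header by its IHL; tcpdump does that for you, which is why the `icmp[...]` filters in the table work on packets with IP options as well.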
Advanced Filters:
SMTP
SMTP Commands - HELO, MAIL, RCPT, DATA, RSET, SEND, SOML, SAML, VRFY, EXPN, NOOP, QUIT and TURN:
```
port 25 and (tcp[12] & 0xf0 > 0x50 or tcp[20:4] = 0x48454C4F or tcp[20:4] = 0x4D41494C or tcp[20:4] = 0x52435054 or tcp[20:4] = 0x44415441 or tcp[20:4] = 0x52534554 or tcp[20:4] = 0x53454E44 or tcp[20:4] = 0x534F4D4C or tcp[20:4] = 0x53414D4C or tcp[20:4] = 0x56524659 or tcp[20:4] = 0x4558504E or tcp[20:4] = 0x4E4F4F50 or tcp[20:4] = 0x51554954 or tcp[20:4] = 0x5455524E)
```
SMTP Reply/response codes - 221, 214, 220, 221, 250, 251, 354, 421, 450, 451, 452, 500, 501, 502, 503, 504, 550, 551, 552, 553 and 554:
```
port 25 and (tcp[12] & 0xf0 > 0x50 or tcp[20:4] = 0x32323120 or tcp[20:4] = 0x32323420 or tcp[20:4] = 0x32353020 or tcp[20:4] = 0x32353120 or tcp[20:4] = 0x33353420 or tcp[20:4] = 0x34323120 or tcp[20:4] = 0x34353020 or tcp[20:4] = 0x34353120 or tcp[20:4] = 0x34353220 or tcp[20:4] = 0x35303020 or tcp[20:4] = 0x35303120 or tcp[20:4] = 0x35303220 or tcp[20:4] = 0x35303320 or tcp[20:4] = 0x35303420 or tcp[20:4] = 0x35353020 or tcp[20:4] = 0x35353120 or tcp[20:4] = 0x35353220 or tcp[20:4] = 0x35353320 or tcp[20:4] = 0x35353420)
```
SMTP Commands and replies (a combination of the two filters above that also matches segments with TCP options or with the SYN, FIN or RST flag set):
```
port 25 and (tcp[12] & 0xf0 > 0x50 or tcp[13] & 0x07 != 0 or tcp[20:4] = 0x48454C4F or tcp[20:4] = 0x4D41494C or tcp[20:4] = 0x52435054 or tcp[20:4] = 0x44415441 or tcp[20:4] = 0x52534554 or tcp[20:4] = 0x53454E44 or tcp[20:4] = 0x534F4D4C or tcp[20:4] = 0x53414D4C or tcp[20:4] = 0x56524659 or tcp[20:4] = 0x4558504E or tcp[20:4] = 0x4E4F4F50 or tcp[20:4] = 0x51554954 or tcp[20:4] = 0x5455524E or tcp[20:4] = 0x32323120 or tcp[20:4] = 0x32323420 or tcp[20:4] = 0x32353020 or tcp[20:4] = 0x32353120 or tcp[20:4] = 0x33353420 or tcp[20:4] = 0x34323120 or tcp[20:4] = 0x34353020 or tcp[20:4] = 0x34353120 or tcp[20:4] = 0x34353220 or tcp[20:4] = 0x35303020 or tcp[20:4] = 0x35303120 or tcp[20:4] = 0x35303220 or tcp[20:4] = 0x35303320 or tcp[20:4] = 0x35303420 or tcp[20:4] = 0x35353020 or tcp[20:4] = 0x35353120 or tcp[20:4] = 0x35353220 or tcp[20:4] = 0x35353320 or tcp[20:4] = 0x35353420)
```
NOTE: Because of the tcp[12] & 0xf0 > 0x50 clause (TCP header longer than 20 bytes), these SMTP filters will also capture any packets to/from port 25 that carry TCP options.
If you want to see how to build these filters, please refer to payload filtering.
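The constants in the three SMTP filters above are the first four payload bytes written as one 32-bit number, which makes them hard to read and easy to get wrong. The Python below is added here as an example and is not taken from the page or from tcpdump: it generates `tcp[20:4] = 0x...` clauses from plain command strings, decodes a constant back to text so that a filter string can be checked against its description, and evaluates the assembled expression against constructed TCP segments to show why the `tcp[12] & 0xf0 > 0x50` clause is needed (when options are present the payload no longer starts at byte 20, so the `tcp[20:4]` comparisons would miss it). The segments, ports and the MSS option bytes are constructed for the example.

```python
"""Build and check payload-matching clauses of the shape used in the SMTP
filters on this page.

tcp[20:4] reads the four bytes right after a 20-byte TCP header, i.e. the
start of the payload when no TCP options are present, and each 0x...
constant is simply those four ASCII bytes read as a big-endian integer.
"""
import struct

# Command words named on the page; each is exactly four characters long.
SMTP_COMMANDS = ["HELO", "MAIL", "RCPT", "DATA", "RSET", "SEND", "SOML",
                 "SAML", "VRFY", "EXPN", "NOOP", "QUIT", "TURN"]


def payload_constant(text):
    """'HELO' -> 0x48454C4F: the constant tcpdump compares tcp[20:4] against."""
    data = text.encode("ascii")
    if len(data) != 4:
        raise ValueError("tcp[20:4] compares exactly four bytes")
    return int.from_bytes(data, "big")


def decode_constant(value):
    """Inverse of payload_constant: 0x32323120 -> '221 '. Use it to check
    that a filter's constants encode the commands or codes its heading lists."""
    return value.to_bytes(4, "big").decode("ascii")


def reply_code_text(code):
    """A single-line SMTP reply starts with the 3-digit code and a space."""
    return f"{code:03d} "


def payload_clauses(texts, offset=20):
    return [f"tcp[{offset}:4] = 0x{payload_constant(t):08X}" for t in texts]


def build_smtp_filter(texts, port=25, flag_mask=None):
    """Assemble a filter in the page's shape: any segment with TCP options
    (tcp[12] & 0xf0 > 0x50), optionally any with a flag from flag_mask set
    (tcp[13] & mask != 0), or a payload beginning with one of texts."""
    clauses = ["tcp[12] & 0xf0 > 0x50"]
    if flag_mask is not None:
        clauses.append(f"tcp[13] & 0x{flag_mask:02x} != 0")
    clauses += payload_clauses(texts)
    return f"port {port} and ({' or '.join(clauses)})"


def tcp_header_len(segment):
    """Header length in bytes: the data-offset nibble (tcp[12] & 0xf0) >> 4, times 4."""
    return ((segment[12] & 0xF0) >> 4) * 4


def smtp_filter_matches(segment, texts, flag_mask=None):
    """Evaluate build_smtp_filter's expression on one raw TCP segment
    (the 'port 25' part is assumed to be satisfied already)."""
    if tcp_header_len(segment) > 20:            # tcp[12] & 0xf0 > 0x50
        return True
    if flag_mask is not None and segment[13] & flag_mask:
        return True                             # tcp[13] & mask != 0
    wanted = {payload_constant(t) for t in texts}
    return int.from_bytes(segment[20:24], "big") in wanted


def make_segment(payload, flags=0x18, options=b""):
    """Constructed TCP segment (ports 40000 -> 25, PSH/ACK by default)."""
    options += b"\x00" * (-len(options) % 4)    # options are padded to 32-bit words
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", 40000, 25, 1, 1,
                         data_offset << 4, flags, 65535, 0, 0)
    return header + options + payload


MSS_OPTION = b"\x02\x04\x05\xb4"   # constructed MSS=1460 option, 4 bytes

if __name__ == "__main__":
    print(build_smtp_filter(SMTP_COMMANDS, flag_mask=0x07))
    for value in (0x48454C4F, 0x32323120, 0x32323420):
        print(f"0x{value:08X} -> {decode_constant(value)!r}")
    plain = make_segment(b"HELO mail.example.test\r\n")
    with_opts = make_segment(b"220 ready\r\n", options=MSS_OPTION)
    print(smtp_filter_matches(plain, SMTP_COMMANDS), smtp_filter_matches(with_opts, SMTP_COMMANDS))
```

Running `decode_constant` over every `0x...` value in a filter is the quickest way to confirm that the constant list agrees with the list of commands or codes in its heading, and `tcp_header_len` makes explicit what `tcp[12] & 0xf0 > 0x50` is testing: a data offset greater than 5 words, i.e. options present.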
Please direct comments, suggestions and questions to Mike.