I use tcpdump a lot, we all do, but if someone told you to explain how it works, what would you say?

Well, we know that tcpdump applies a number of rules (if told) to filter traffic before the kernel (iptables or similar) drops it. That's why if you do something like

    tcpdump -i any dst port 21

and you start some connections against port 21, you will see traffic even though you might not have port 21 bound by any process (some FTP server or what not).

Well, that's a fair assumption. I want to divide this article in two or three parts; the first part is about how tcpdump filters ports and shows you exactly what you want.

Let's say I want to see all the packets going to port 21 with the SYN flag lit up:

    tcpdump -i any dst port 21 and tcp[13] == 2

You can go check the OSI layer offsets and see why this makes sense (byte 13 of the TCP header is the flags byte, and 0x02 is the SYN bit). But the question is: how is this passed to the socket (potentially RAW) so it can filter? It also has to be something simple and fast so the overhead is not huge.

Turns out there's this bytecode language called BPF (Berkeley Packet Filter, http://www.tcpdump.org/papers/bpf-usenix93.pdf) that the filter expression is compiled into, and which you can attach to the socket using a setsockopt().

Look at this for example: if you want to see the compiled expression, you can pass -d to tcpdump:

Neat, and if you want to see how this is passed to the socket, you could, for example, run tcpdump under strace:

The key is SO_ATTACH_FILTER, which attaches the filter that was previously shown, plus some sizeofs etc.

Apparently there are some iptables modules that let you attach complex BPF expressions in one single rule, meaning that your number of rules can go very deep and all in a single line. This will have a tremendous impact on the speed at which rules are parsed (from an iptables perspective).

Let's leave it here for now as I need to go to work, but I want to take a look at the iptables module and at what happens after tcpdump accept()'s a packet: how does it hand it over to the kernel or a userland process, etc.

Thanks!!!!