Discussion:
portrange with tcpdump
Daniel Bareiro
2010-05-25 16:26:21 UTC

Hi all!

I'm trying to use tcpdump in OpenBSD 4.6 with a syntax similar to the
following:

# tcpdump -vvv udp and port 5060 or portrange 10000-2000 -s0 \
-i eht0 -w eavesdropping_ulaw.dump

In this case, the interface is em0, but I see that with this tcpdump
version there is no parameter 'portrange'. I'm using a version compiled
with the source code obtained by anoncvs, because I wanted to install
with pkg_add but was not available. I tried as follows, but without
success:

# tcpdump -vv udp and port 5060 or "port >= 10000 and port <= 20000" -s0 \
-i em0 -w eavesdropping_ulaw.dump
tcpdump: syntax error


Thanks in advance for your reply.

Regards,
Daniel
Philip Guenther
2010-05-25 17:14:50 UTC
Post by Daniel Bareiro
I'm trying to use tcpdump in OpenBSD 4.6 with a syntax similar to the
# tcpdump -vvv udp and port 5060 or portrange 10000-2000 -s0 \
-i eht0 -w eavesdropping_ulaw.dump
In this case, the interface is em0, but I see that with this tcpdump
version there is no parameter 'portrange'. I'm using a version compiled
with the source code obtained by anoncvs, because I wanted to install
with pkg_add but was not available. I tried as follows, but without
# tcpdump -vv udp and port 5060 or "port >= 10000 and port <= 20000" -s0 \
-i em0 -w eavesdropping_ulaw.dump
tcpdump: syntax error
Repeat after me: options go BEFORE positional arguments. That command
line should be written as

tcpdump -vv -s0 -i em0 -w eavesdropping_ulaw.dump udp and port 5060 or
"port >= 10000 and port <= 20000"


GNU libc uses a version of getopt() that reorders the command line to
accept options after positional arguments, so you might have gotten
used to the broken syntax on Linux systems, but it violates the POSIX
standard and can create security and portability bugs. Some programs
have to explicitly use _another_ GNU extension to disable the behavior
in order to work on such systems. Thanks, GNU!


Philip Guenther
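The ordering rule Philip describes, as an added C example that is not code from the thread or from OpenBSD's tcpdump: a tcpdump-style option parser that stops at the first non-option, using the '+' optstring prefix as the GNU extension he refers to. The capture_opts struct, the function names and the handled options are assumed for illustration.

```c
#define _POSIX_C_SOURCE 200809L     /* declare getopt(3), optind and optarg portably */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

struct capture_opts {
    int verbose, snaplen;           /* -v count, -s value (0 when not given) */
    const char *iface, *outfile;    /* -i and -w arguments */
    int filter_start;               /* argv index where the filter expression begins */
};

/* Parse tcpdump-style options in POSIX order: options first, filter after.
 * The leading '+' is the GNU extension Philip mentions: on glibc it disables
 * argument permutation; OpenBSD getopt(3) stops at the first non-option anyway. */
int parse_capture_args(int argc, char **argv, struct capture_opts *o)
{
    memset(o, 0, sizeof *o);
    optind = 1;                     /* reset getopt(3) state so the parser is reusable */
#if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(__NetBSD__) || defined(__APPLE__)
    extern int optreset;            /* BSD libcs also need this to restart getopt(3) */
    optreset = 1;
#endif
    for (int c; (c = getopt(argc, argv, "+vs:i:w:")) != -1; ) {
        switch (c) {
        case 'v': o->verbose++;              break;
        case 's': o->snaplen = atoi(optarg); break;
        case 'i': o->iface = optarg;         break;
        case 'w': o->outfile = optarg;       break;
        default:  return -1;                 /* unknown option or missing argument */
        }
    }
    o->filter_start = optind;       /* first word the filter compiler will see */
    return 0;
}

/* Join argv[start..] into the expression handed to the filter compiler. Every
 * word after the first non-option is filter text here, "-w file" included,
 * which is why tcpdump answers "syntax error" to the misordered command lines. */
size_t join_filter(int argc, char **argv, int start, char *buf, size_t len)
{
    size_t used = 0;
    buf[0] = '\0';
    for (int i = start; i < argc; i++) {
        int n = snprintf(buf + used, len - used, "%s%s", used ? " " : "", argv[i]);
        if (n < 0 || (size_t)n >= len - used) return used;   /* out of room */
        used += (size_t)n;
    }
    return used;
}
```

Fed the misordered command line from the thread, everything from the first filter word onward, including a trailing "-s 0 -i em0", reaches the filter compiler as text rather than being applied as options.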
Daniel Bareiro
2010-05-25 18:01:23 UTC

Hi, Philip Guenther.
Post by Philip Guenther
Post by Daniel Bareiro
I'm trying to use tcpdump in OpenBSD 4.6 with a syntax similar to the
# tcpdump -vvv udp and port 5060 or portrange 10000-2000 -s0 \
-i eht0 -w eavesdropping_ulaw.dump
In this case, the interface is em0, but I see that with this tcpdump
version there is no parameter 'portrange'. I'm using a version
compiled with the source code obtained by anoncvs, because I wanted
to install with pkg_add but was not available. I tried as follows,
# tcpdump -vv udp and port 5060 or "port >= 10000 and port <= 20000" -s0 \
-i em0 -w eavesdropping_ulaw.dump
tcpdump: syntax error
Repeat after me: options go BEFORE positional arguments. That command
line should be written as
tcpdump -vv -s0 -i em0 -w eavesdropping_ulaw.dump udp and port 5060 or
"port >= 10000 and port <= 20000"
GNU libc uses a version of getopt() that reorders the command line to
accept options after positional arguments, so you might have gotten
used to the broken syntax on Linux systems, but it violates the POSIX
standard and can create security and portability bugs. Some programs
have to explicitly use _another_ GNU extension to disable the behavior
in order to work on such systems. Thanks, GNU!
Interesting difference. Thanks for the explanation. I tried the syntax
you suggest (I had to remove the "-s0", as Iñigo mentioned, because
otherwise I get "invalid snaplen 0") but it did not work either:

bsd:~# tcpdump -vv -i em0 -w eavesdropping_ulaw.dump udp and port 5060 \
or "port >= 10000 and port <= 20000"
tcpdump: syntax error


Thanks for your reply.

Regards,
Daniel
Jan Stary
2010-05-25 17:24:35 UTC
Post by Daniel Bareiro
Hi all!
I'm trying to use tcpdump in OpenBSD 4.6 with a syntax similar to the
# tcpdump -vvv udp and port 5060 or portrange 10000-2000 -s0 \
-i eht0 -w eavesdropping_ulaw.dump
In this case, the interface is em0, but I see that with this tcpdump
version there is no parameter 'portrange'. I'm using a version compiled
with the source code obtained by anoncvs, because I wanted to install
with pkg_add but was not available.
tcpdump is a part of the base install.
Post by Daniel Bareiro
I tried as follows, but without
# tcpdump -vv udp and port 5060 or "port >= 10000 and port <= 20000" -s0 \
-i em0 -w eavesdropping_ulaw.dump
tcpdump: syntax error
Thanks in advance for your reply.
Regards,
Daniel
Stuart Henderson
2010-05-25 17:25:00 UTC
Post by Daniel Bareiro
I'm trying to use tcpdump in OpenBSD 4.6 with a syntax similar to the
# tcpdump -vvv udp and port 5060 or portrange 10000-2000 -s0 \
-i eht0 -w eavesdropping_ulaw.dump
you can do something like

# tcpdump -vvv -n -s 1500 'udp and port 5060 or (udp[0:2] >= 10000 and
udp[0:2] <= 20000) or (udp[2:2] >= 10000 and udp[2:2] <= 20000)'

if interested in how this works, look at the udp header format.
http://www.rhyshaden.com/udp.htm
Post by Daniel Bareiro
In this case, the interface is em0, but I see that with this tcpdump
version there is no parameter 'portrange'. I'm using a version compiled
with the source code obtained by anoncvs, because I wanted to install
with pkg_add but was not available. I tried as follows, but without
tcpdump from OpenBSD base is quite different from the tcpdump.org version.
notably it has privilege separation. you do *not* want to run the dissectors
as root. (if you must use their code, capture and write to a file, then
run the dissectors on the file *as an unprivileged user*).
Post by Daniel Bareiro
# tcpdump -vv udp and port 5060 or "port >= 10000 and port <= 20000" -s0 \
-i em0 -w eavesdropping_ulaw.dump
tcpdump: syntax error
here, you are mixing up options with your filter. it certainly won't work
with our version, I'd be surprised if it works with theirs.
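To show what Stuart's udp[0:2] and udp[2:2] comparisons actually read, an added C example that is not from the thread or from tcpdump: the same predicate evaluated over an IPv4/UDP packet, with the UDP header located through the IP header length the way BPF does, so IP options do not shift the port fields. The sample packets are constructed here and the function names are assumed.

```c
#include <stddef.h>
#include <stdint.h>

/* 16-bit big-endian read, what udp[off:2] does in a tcpdump expression. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Find the UDP header inside an IPv4 packet. tcpdump's udp[0:2] and udp[2:2]
 * are offsets from here, and BPF finds "here" through the IHL field, so IP
 * options do not shift the port fields. NULL for anything that is not a
 * complete IPv4/UDP packet. */
const uint8_t *udp_header(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return NULL;    /* not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8) return NULL;         /* bad IHL or truncated */
    if (pkt[9] != 17) return NULL;                      /* protocol is not UDP */
    return pkt + ihl;
}

/* Stuart's filter in C: udp and (port 5060 or udp[0:2] in lo..hi or
 * udp[2:2] in lo..hi). Returns 1 on match, 0 for no match, non-UDP, or
 * truncated input. */
int sip_rtp_match(const uint8_t *pkt, size_t len, uint16_t lo, uint16_t hi)
{
    const uint8_t *udp = udp_header(pkt, len);
    if (udp == NULL) return 0;
    uint16_t sport = be16(udp), dport = be16(udp + 2);  /* udp[0:2], udp[2:2] */
    if (sport == 5060 || dport == 5060) return 1;       /* "port 5060" */
    if (sport >= lo && sport <= hi) return 1;           /* source port in range */
    if (dport >= lo && dport <= hi) return 1;           /* destination port in range */
    return 0;
}

/* Constructed sample packets, not captures from the thread: a minimal IPv4
 * header (no options) followed by an 8-byte header whose first two fields are the ports. */
#define PKT(proto, sp, dp) \
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x00, 0x40, (proto), 0x00, 0x00, \
    10, 0, 0, 1, 10, 0, 0, 2, \
    (uint8_t)((sp) >> 8), (uint8_t)(sp), (uint8_t)((dp) >> 8), (uint8_t)(dp), 0, 8, 0, 0
const uint8_t sip_invite[28] = { PKT(17, 5060, 5060) };   /* SIP signalling */
const uint8_t rtp_stream[28] = { PKT(17, 12345, 16000) }; /* RTP in 10000-20000 */
const uint8_t dns_query[28]  = { PKT(17, 49152, 53) };    /* unrelated UDP */
const uint8_t tcp_5060[28]   = { PKT(6, 5060, 5060) };    /* TCP: "udp and" fails */
/* Same RTP ports behind 4 bytes of IP options (IHL = 6). */
const uint8_t rtp_with_opts[32] = {
    0x46, 0x00, 0x00, 0x20, 0x00, 0x00, 0x40, 0x00, 0x40, 17, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 2, 0x01, 0x01, 0x01, 0x01,
    0x30, 0x39, 0x3e, 0x80, 0, 8, 0, 0 };
```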
Daniel Bareiro
2010-05-25 19:19:56 UTC

Hi, Stuart.
Post by Stuart Henderson
Post by Daniel Bareiro
I'm trying to use tcpdump in OpenBSD 4.6 with a syntax similar to the
# tcpdump -vvv udp and port 5060 or portrange 10000-2000 -s0 \
-i eht0 -w eavesdropping_ulaw.dump
you can do something like
# tcpdump -vvv -n -s 1500 'udp and port 5060 or (udp[0:2] >= 10000 and
udp[0:2] <= 20000) or (udp[2:2] >= 10000 and udp[2:2] <= 20000)'
if interested in how this works, look at the udp header format.
http://www.rhyshaden.com/udp.htm
Perfect! This really worked for me :)
Post by Stuart Henderson
Post by Daniel Bareiro
In this case, the interface is em0, but I see that with this tcpdump
version there is no parameter 'portrange'. I'm using a version
compiled with the source code obtained by anoncvs, because I wanted
to install with pkg_add but was not available. I tried as follows,
tcpdump from OpenBSD base is quite different from the tcpdump.org version.
notably it has privilege separation. you do *not* want to run the dissectors
as root. (if you must use their code, capture and write to a file, then
run the dissectors on the file *as an unprivileged user*).
Thanks for pointing out these differences.
Post by Stuart Henderson
Post by Daniel Bareiro
# tcpdump -vv udp and port 5060 or "port >= 10000 and port <= 20000" -s0 \
-i em0 -w eavesdropping_ulaw.dump
tcpdump: syntax error
here, you are mixing up options with your filter. it certainly won't work
with our version, I'd be surprised if it works with theirs.
Well, now that I've tested it, it does not work. But using the syntax of
your example, it works on both OpenBSD and GNU/Linux.

Thank you very much for your answer.

Regards,
Daniel

Iñigo Ortiz de Urbina
2010-05-25 17:33:20 UTC
Post by Daniel Bareiro
Hi all!
I'm trying to use tcpdump in OpenBSD 4.6 with a syntax similar to the
# tcpdump -vvv udp and port 5060 or portrange 10000-2000 -s0 \
-i eht0 -w eavesdropping_ulaw.dump
In this case, the interface is em0, but I see that with this tcpdump
version there is no parameter 'portrange'. I'm using a version compiled
with the source code obtained by anoncvs, because I wanted to install
with pkg_add but was not available. I tried as follows, but without
No pkg_add needed, it's part of the base install:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/tcpdump/
Post by Daniel Bareiro
# tcpdump -vv udp and port 5060 or "port >= 10000 and port <= 20000" -s0 \
-i em0 -w eavesdropping_ulaw.dump
tcpdump: syntax error
Thanks in advance for your reply.
Regards,
Daniel
Also, does -s0 work on OpenBSD? I thought it was a GNU/Linux and
FreeBSDish hack. On OpenBSD, shouldn't it manually be set to whatever
your MTU is?
Daniel Bareiro
2010-05-25 18:23:50 UTC

Hi, Iñigo.
Post by Iñigo Ortiz de Urbina
Post by Daniel Bareiro
I'm trying to use tcpdump in OpenBSD 4.6 with a syntax similar to the
# tcpdump -vvv udp and port 5060 or portrange 10000-2000 -s0 \
-i eht0 -w eavesdropping_ulaw.dump
In this case, the interface is em0, but I see that with this tcpdump
version there is no parameter 'portrange'. I'm using a version
compiled with the source code obtained by anoncvs, because I wanted
to install with pkg_add but was not available. I tried as follows,
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/tcpdump/
Hmmm... yes, when I got the sources using anoncvs, I saw the tcpdump
source in /usr/src/usr.sbin. I'm surprised it was not available
before, then, since it is part of the base install.
Post by Iñigo Ortiz de Urbina
Post by Daniel Bareiro
# tcpdump -vv udp and port 5060 or "port >= 10000 and port <= 20000" -s0 \
-i em0 -w eavesdropping_ulaw.dump
tcpdump: syntax error
Also, does -s0 work on OpenBSD? I thought it was a GNU/Linux and
FreeBSDish hack. On OpenBSD, shouldn't it manually be set to whatever
your MTU is?
As I said to Philip, this does not work :(

Thanks for your reply.

Regards,
Daniel