While checking a /var/log/pflog file on a server in a data center, I noticed that some blocked packets had RFC 1918 addresses as source address. This type of address should not be routed over the public internet. See https://en.wikipedia.org/wiki/RFC_1918 for some info.

The technical department of the data center asked if I could provide the MAC addresses. When using tcpdump on a regular NIC, the -e option will show these.

Without the -e option, tcpdump produces output like:
Code:
# tcpdump -ni fxp0 port 53
tcpdump: listening on fxp0, link-type EN10MB
02:26:46.733389 192.168.222.20.38551 > 192.168.222.10.53: 34100+ A? www.google.com. (32)
02:26:46.746836 192.168.222.10.53 > 192.168.222.20.38551: 34100 6/0/0 A 74.125.195.105, A 74.125.195.147,[|domain]
With that option:
Code:
# tcpdump -e -ni fxp0 port 53
tcpdump: listening on fxp0, link-type EN10MB
02:30:58.130165 00:1f:33:f1:ff:f9 00:08:c7:05:ca:0b 0800 71: 192.168.222.20.25142 > 192.168.222.10.53: 38983+ A? openbsd.org. (29)
02:30:58.130755 00:08:c7:05:ca:0b 00:1f:33:f1:ff:f9 0800 87: 192.168.222.10.53 > 192.168.222.20.25142: 38983 1/0/0 A 199.185.137.3 (45)
Using -e on /var/log/pflog:
Code:
# tcpdump -enr /var/log/pflog | less
21:40:26.900734 rule 34/(match) block in on xl0: 220.76.215.195.38002 > 77.175.189.74.54044: udp 30
21:40:26.920243 rule 34/(match) block in on xl0: 220.76.215.195.38002 > 77.175.189.74.54044: udp 20
21:40:26.920667 rule 34/(match) block in on xl0: 220.76.215.195.38002 > 77.175.189.74.54044: udp 20
So instead of the MAC address, this option shows the pf.conf rule that triggered the logging. So I had to come up with something else.

The following small script runs tcpdump(8) with an expression that instructs it to only capture RFC 1918 source addresses. I also added the 169.254.0.0/16 network that Windows computers use if they do not get a DHCP offer.
Code:
#!/bin/sh
# Capture frames with a private (RFC 1918) or link-local source address,
# keeping the Ethernet header (-e) so the source MAC can be read back later
# with "tcpdump -enr".
#NIC=vtnet0
NIC=re0
LOG="rfc1918.pcap"
DIR="/var/log"
LOGFILE="$DIR/$LOG"
# tcpdump filter expression: only packets whose source is in one of these nets
select="\
src net 10.0.0.0/8 \
or src net 192.168.0.0/16 \
or src net 172.16.0.0/12 \
or src net 169.254.0.0/16
"
echo "Installing log file : $LOGFILE ..."
if [ -f "${LOGFILE}" ] ; then
    echo "$0 : saving ${LOGFILE} into $LOGFILE.old ..."
    mv "${LOGFILE}" "$LOGFILE.old"
fi
# -- for FreeBSD
##install -D ${DIR} -m 660 /dev/null ${LOG}
# --- for OpenBSD: create an empty, group-readable capture file
install -m 660 /dev/null "${LOGFILE}"
echo "$0: Starting tcpdump ..."
# -tttt: full timestamps, -s256: 256-byte snaplen, -e: link-level header,
# -n: no name resolution, -w: write raw pcap; $select is deliberately unquoted
# so the shell splits it into separate filter tokens.
tcpdump -tttt -s256 -en -i "${NIC}" -w "${LOGFILE}" ${select} &
echo
pgrep tcpdump
ps -aux | grep tcpdump
# --- end of script
Running it:
Code:
# ./checkRFC1918
Installing log file : /var/log/rfc1918.pcap ...
./checkRFC1918 : saving /var/log/rfc1918.pcap into /var/log/rfc1918.pcap.old ...
./checkRFC1918: Starting tcpdump ...
38638
tcpdump: listening on vtnet0, link-type EN10MB (Ethernet), capture size 256 bytes
root 38638 0.0 0.4 20060 4140 1 S+ 1:56AM 0:00.00 tcpdump -tttt -s256 -en -i vtnet0 -w /var/log/rfc1918.pcap src net 10.0.0.0/8 or src net 192.168.0.0/16 or src net 172.16.0.0/12
# ls -l /var/log/rfc1918.pcap*
-rw-rw---- 1 root wheel 0 Feb 7 01:56 /var/log/rfc1918.pcap
-rw-rw---- 1 root wheel 5230 Feb 7 01:22 /var/log/rfc1918.pcap.old
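To turn the capture file the script writes into the MAC-to-IP list the data center asked for, here is a small reader (an added example, not code from the original post). It assumes the classic pcap format with the EN10MB link type that tcpdump -w produces on BSD, and it builds a constructed sample capture in memory so it runs without a real file.

```python
import struct
import ipaddress
from collections import Counter

# Same networks as the tcpdump filter in the script above.
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def build_frame(src_mac, dst_mac, src_ip, dst_ip):
    # Constructed Ethernet II frame with a minimal 20-byte IPv4 header (UDP, no payload).
    eth = (bytes.fromhex(dst_mac.replace(":", "")) +
           bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    return eth + ip

def build_pcap(frames):
    # Little-endian pcap global header: magic, v2.4, tz 0, sigfigs 0, snaplen 256, linktype 1 (EN10MB)
    out = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 256, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f   # ts_sec, ts_usec, incl_len, orig_len
    return out

def iter_packets(data):
    # Yield the captured bytes of each record, honouring the file's byte order.
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic in (0xa1b2c3d4, 0xa1b23c4d) else ">"
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl]
        off += incl

def mac_str(b):
    return ":".join("%02x" % x for x in b)

def private_sources(data):
    # Count (source MAC, source IP) pairs for IPv4 frames from the private/link-local ranges.
    counts = Counter()
    for pkt in iter_packets(data):
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":   # need Ethernet + IPv4 header
            continue
        src_ip = ipaddress.ip_address(pkt[26:30])
        if any(src_ip in net for net in PRIVATE):
            counts[(mac_str(pkt[6:12]), str(src_ip))] += 1
    return counts

if __name__ == "__main__":
    with open("/var/log/rfc1918.pcap", "rb") as fh:   # file written by the script
        for (mac, ip), n in private_sources(fh.read()).most_common():
            print(mac, ip, n)
```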