Capturing leaked RFC 1918 private addresses with tcpdump
While checking a /var/log/pflog file on a server in a data center, I noticed that some blocked packets had RFC 1918 addresses as their source address.
Addresses of this type should not be routed over the public internet; see https://en.wikipedia.org/wiki/RFC_1918 for some info. The technical department of the data center asked if I could provide the MAC addresses. When using tcpdump on a regular NIC, the -e option shows these link-layer addresses; with -e, tcpdump produces output like:
Code:
# tcpdump -e -ni fxp0 port 53
tcpdump: listening on fxp0, link-type EN10MB
02:30:58.130165 00:1f:33:f1:ff:f9 00:08:c7:05:ca:0b 0800 71: 192.168.222.20.25142 > 192.168.222.10.53: 38983+ A? openbsd.org. (29)
02:30:58.130755 00:08:c7:05:ca:0b 00:1f:33:f1:ff:f9 0800 87: 192.168.222.10.53 > 192.168.222.20.25142: 38983 1/0/0 A 199.185.137.3 (45)
So I had to come up with something else. The following small script runs tcpdump(8) with an expression that instructs it to capture only packets with RFC 1918 source addresses. I also added the 169.254.0.0/16 network that Windows computers use if they do not get a DHCP offer.
Code:
#!/bin/sh

# Interface to capture on (uncomment the vtnet0 line for a bhyve/KVM guest)
#NIC=vtnet0
NIC=re0

LOG="rfc1918.pcap"
DIR="/var/log"
LOGFILE="$DIR/$LOG"

# tcpdump filter: RFC 1918 private source networks plus the 169.254.0.0/16 link-local range
select="\
src net 10.0.0.0/8 \
or src net 192.168.0.0/16 \
or src net 172.16.0.0/12 \
or src net 169.254.0.0/16 "

echo Installing log file : $LOGFILE ...

# Keep the previous capture as .old instead of overwriting it
if [ -f ${LOGFILE} ] ; then
  echo $0 : saving ${LOGFILE} into $LOGFILE.old ...
  mv ${LOGFILE} $LOGFILE.old
fi

# Create an empty capture file with restrictive permissions
# -- for FreeBSD
##install -D ${DIR} -m 660 /dev/null ${LOG}

# --- for OpenBSD
install -m 660 /dev/null ${LOGFILE}

echo $0: Starting tcpdump ...
# -tttt: full date/time stamps, -s256: 256-byte snaplen, -e: keep the Ethernet header,
# -n: no name lookups, -w: write raw packets to the pcap file; runs in the background
tcpdump -tttt -s256 -en -i ${NIC} -w ${LOGFILE} ${select} &

# Show that tcpdump is actually running
echo
pgrep tcpdump
ps -aux | grep tcpdump

# --- end of script
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Last edited by J65nko; 7th February 2014 at 02:11 AM.
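As an added example (not the original poster's script), the POSIX shell below builds the same capture filter and then goes one step further than the post: it can exclude a private prefix the capturing host itself legitimately uses (otherwise its own LAN traffic floods the capture), and it reads the saved pcap back with -e to reduce it to "count source-MAC source-IP" rows, which is what the data center asked for. The interface and pcap defaults, and the sample tcpdump -e lines embedded at the bottom, are constructed assumptions for this example; the sample mimics the output layout shown in the post.

```shell
#!/bin/sh
# Added example, not the original poster's script. Builds the capture filter,
# optionally excluding a private prefix the host legitimately uses, and reduces
# tcpdump -e output to "count src_mac src_ip" rows so the MAC addresses can be
# reported. NIC, PCAP and the SAMPLE lines below are assumptions for this example.

NIC="${NIC:-re0}"
PCAP="${PCAP:-/var/log/rfc1918.pcap}"

# RFC 1918 private networks plus the 169.254.0.0/16 link-local range.
rfc1918_filter() {
    echo "src net 10.0.0.0/8 or src net 172.16.0.0/12 or src net 192.168.0.0/16 or src net 169.254.0.0/16"
}

# Same filter minus one prefix ($1, e.g. a private management LAN the host is
# really attached to), so the host's own legitimate traffic is not logged.
rfc1918_filter_excluding() {
    echo "($(rfc1918_filter)) and not src net $1"
}

# Live capture: -e keeps the Ethernet header, -n skips name lookups, -s256 is
# enough for the headers. Needs root and tcpdump(8); not run in this example.
capture() {
    tcpdump -tttt -s256 -en -i "$NIC" -w "$PCAP" "$(rfc1918_filter)"
}

# Reduce tcpdump -e text lines to "count src_mac src_ip", most frequent first.
# The source MAC is the first 17-character field made only of hex digits and
# colons; the source IP is the field before ">", with a trailing port stripped
# only when the field has four dots (so ICMP lines without a port stay intact).
summarize_macs() {
    awk '{
        mac = ""; ip = ""
        for (i = 1; i <= NF; i++) {
            if (mac == "" && length($i) == 17 && $i ~ /^[0-9a-f:]+$/) mac = $i
            if ($i == ">" && i > 1) {
                ip = $(i - 1)
                if (gsub(/\./, ".", ip) == 4) sub(/\.[0-9]+$/, "", ip)
            }
        }
        if (mac != "" && ip != "") print mac, ip
    }' | sort | uniq -c | sort -rn | awk '{ print $1, $2, $3 }'
}

# Read a saved capture back (-r) with the same -e/-n/-tttt layout and summarise it.
summarize_pcap() {
    tcpdump -tttt -enr "$PCAP" | summarize_macs
}

# Constructed sample of tcpdump -e output (layout as in the post), standing in
# for a real capture so the summary can be exercised offline.
SAMPLE='2014-02-07 02:30:58.130165 00:1f:33:f1:ff:f9 00:08:c7:05:ca:0b 0800 71: 192.168.222.20.25142 > 192.168.222.10.53: 38983+ A? openbsd.org. (29)
2014-02-07 02:31:02.000100 00:1f:33:f1:ff:f9 00:08:c7:05:ca:0b 0800 60: 10.1.2.3.44321 > 192.168.222.10.22: S 1:1(0) win 65535
2014-02-07 02:31:05.000200 00:1f:33:f1:ff:f9 00:08:c7:05:ca:0b 0800 71: 192.168.222.20.25143 > 192.168.222.10.53: 38984+ A? openbsd.org. (29)
2014-02-07 02:31:07.000250 00:1f:33:f1:ff:f9 00:08:c7:05:ca:0b 0800 60: 10.1.2.3.44322 > 192.168.222.10.22: S 1:1(0) win 65535
2014-02-07 02:31:08.000260 00:1f:33:f1:ff:f9 00:08:c7:05:ca:0b 0800 71: 192.168.222.20.25144 > 192.168.222.10.53: 38985+ A? openbsd.org. (29)
2014-02-07 02:31:09.000300 00:25:90:ab:cd:ef 00:08:c7:05:ca:0b 0800 98: 172.16.5.9 > 192.168.222.10: icmp: echo request'

summarize_sample() {
    printf '%s\n' "$SAMPLE" | summarize_macs
}

summarize_sample
```

After a real capture, `summarize_pcap` gives the per-source-MAC tally to hand to the data center; one MAC showing up with several private source addresses usually points at a single misconfigured (or NAT-less) neighbour rather than many hosts. If the capturing host sits on a private LAN itself, use `rfc1918_filter_excluding 192.168.222.0/24` (your own prefix) as the capture expression so legitimate local traffic is not logged.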
Tags: pf.conf, pflog, rfc 1918, tcpdump