
I'm collecting pcap data on servers, and I'd like to only collect packets corresponding to inbound connections. Note that I am not looking to filter to inbound packets, but remove both outbound and inbound packets that correspond to conversations initiated by the host. Traffic spans a variety of ports, including those often used for outbound traffic, so restricting by port range is not acceptable.

I can think of a few ways to fix this, none of which are ideal:

  • Restrict outbound connections to a very small range of ports and ignore those entirely. I'd like to collect incoming traffic regardless of port, so this is not great.
  • Assign a second IP to the host and route incoming/outgoing connections over separate IPs. This will complicate configuration.

I'm currently using `tcpdump port not 22` to capture everything but inbound ssh. Ideally I'd like to filter outbound conversations at record time, but it would also be acceptable to filter the pcaps later. Is there a succinct way to achieve this using either tcpdump or tshark?

Eric Pauley
  • Is it safe to assume you only care about TCP? Is it also safe to assume you want to see all TCP sessions initiated by any remote host, even if the traffic flow in that session is primarily outbound (like if some remote host issues an HTTP GET of a large file, it initiated the connection even though almost all of the data on that connection ends up going in the outbound direction; so you still want to see it because it was initiated by the remote host)? – Spiff Oct 16 '20 at 03:27
  • I'd also like to collect inbound UDP but am willing to accept that, since UDP is stateless, I'd get some responses from outbound traffic. Also correct on large replies, I want all packets corresponding to inbound connections, even if the conversation is dominated by responses from my server. Note that, in my specific case, this will probably not occur often. My understanding is that tcpdump is stateless, so this probably can't be done there. Could I use a lua script to track tcp conversations and filter? – Eric Pauley Oct 16 '20 at 15:26
  • For tcpdump incoming to 192.168.0.1 try : `tcpdump -i eth0 ip -X dst host 192.168.0.1`. Does this work for you? – harrymc Oct 19 '20 at 18:29
  • @harrymc No, this filters at the packet level, whereas I am looking to filter at the *conversation level*, meaning that both inbound and outbound packets are filtered if they correspond to an outbound TCP connection. – Eric Pauley Oct 20 '20 at 17:18
  • What's the "conversation level"? Do you mean session? – Albin Oct 20 '20 at 17:42
  • @Albin correct. Packets belonging to a TCP session should be kept if and only if that session was initiated inbound to the host. Otherwise, they should be filtered. – Eric Pauley Oct 20 '20 at 17:49
  • Are the servers where you collect the pcap data production servers or testing servers? – Binarus Oct 21 '20 at 14:48
  • @Binarus The servers are publicly accessible and receive traffic on a wide variety of ports, not knowable in advance. They also initiate outbound connections. – Eric Pauley Oct 21 '20 at 18:10

1 Answer


While I haven't found a way to do this in tshark/tcpdump, the following rules in Snort can be used to do this filtering on TCP connections:

log tcp any any -> $HOME_NET any (flow:to_server;sid:1000001;)
log tcp $HOME_NET any -> any any (flow:to_client;sid:1000002;)

You can also use Snort's tagging to accomplish something similar, but the max session duration must be limited in bytes, seconds, or packets:

log tcp any any -> $HOME_NET any (flags:S;tag:session,0,packets,1000000,bytes;sid:1000000;)

Eric Pauley
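The conversation-level filtering the question asks for (and that the Snort `flow:` rules above perform at capture time) can also be done as a post-processing pass over a capture, as the asker's comment about a session-tracking script suggests. The following Python sketch is an added example, not code from the question or the answer: it assumes packets have already been decoded into simple tuples (a real run would feed it the output of a pcap parser such as scapy or `tshark -T fields`), uses a hypothetical `Pkt` record, and works on a constructed sample capture. A TCP session counts as inbound only if its bare SYN came from outside `home_net`; for UDP, which has no handshake, the first packet seen decides, with the imprecision the asker accepts.

```python
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10  # TCP flag bits used by the toy model

@dataclass(frozen=True)
class Pkt:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: int = 0  # TCP flags; ignored for UDP

def flow_key(p):
    """Direction-independent 5-tuple so both halves of a conversation share a key."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)

def inbound_only(packets, home_net):
    """Keep only packets of conversations a remote host initiated toward home_net.

    TCP: the bare SYN (SYN set, ACK clear) identifies the initiator; packets of a
    session whose SYN was never seen are dropped (conservative choice).
    UDP: no handshake, so the first packet seen for the flow decides.
    """
    inbound = {}  # flow_key -> True if remote-initiated, False if host-initiated
    kept = []
    for p in packets:
        key = flow_key(p)
        if key not in inbound:
            if p.proto == "tcp" and not (p.flags & SYN and not p.flags & ACK):
                continue  # mid-stream packet of an unknown TCP session: drop
            inbound[key] = p.src not in home_net and p.dst in home_net
        if inbound[key]:
            kept.append(p)
    return kept

HOME = {"10.0.0.5"}
# Constructed sample capture (documentation-range addresses): an inbound HTTP
# session, an outbound HTTPS session with its reply, an inbound DNS exchange,
# and a stray ACK for a session whose SYN was never captured.
SAMPLE = [
    Pkt("tcp", "203.0.113.9", 40000, "10.0.0.5", 80, SYN),
    Pkt("tcp", "10.0.0.5", 80, "203.0.113.9", 40000, SYN | ACK),
    Pkt("tcp", "203.0.113.9", 40000, "10.0.0.5", 80, ACK),
    Pkt("tcp", "10.0.0.5", 51000, "198.51.100.7", 443, SYN),
    Pkt("tcp", "198.51.100.7", 443, "10.0.0.5", 51000, SYN | ACK),
    Pkt("tcp", "198.51.100.7", 443, "10.0.0.5", 51000, ACK),
    Pkt("udp", "203.0.113.9", 53001, "10.0.0.5", 53),
    Pkt("udp", "10.0.0.5", 53, "203.0.113.9", 53001),
    Pkt("tcp", "192.0.2.1", 1234, "10.0.0.5", 22, ACK),
]

def demo():
    return inbound_only(SAMPLE, HOME)  # 5 packets: HTTP session + DNS exchange
```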