Or dst net 192.168.0.0 mask 255.255.255.0Ĭapture only DNS (port 53) traffic: port 53Ĭapture non-HTTP and non-SMTP traffic on your server (both are equivalent): host and not (port 80 or port 25)Ĭapture except all ARP and DNS traffic: port not 53 and not arpĬapture traffic within a range of ports (tcp > 1500 and tcp 1500 and tcp > 2" figures out the TCP header length. From Jefferson Ogata via the tcpdump-workers mailing list. Welchia worm: icmp=icmp-echo and ip=92 and icmp=0xAAAAAAAA ones that describe or show the actual payload?)īlaster worm: dst port 135 and tcp port 135 and ip=48 port 80 and tcp & 0xf0) > 2):4] = 0x47455420īlaster and Welchia are RPC worms. The filter looks for an icmp echo request that is 92 bytes long and has an icmp payload that begins with 4 bytes of A's (hex).
It is the signature of the welchia worm just before it tries to compromise a system. Many worms try to spread by contacting other hosts on ports 135, 445, or 1433. This filter is independent of the specific worm instead it looks for SYN packets originating from a local network on those specific ports. dst port 135 or dst port 445 or dst port 1433 and tcp & (tcp-syn) != 0 and tcp & (tcp-ack) = 0 and src net 192.168.0.0/24 Please change the network filter to reflect your own network. Wireshark tries to determine if it's running remotely (e.g. Not (tcp port srcport and addr_family host srchost and tcp port dstport) Not (tcp port srcport and addr_family host srchost and tcp port dstport and addr_family host dsthost) It does this by checking environment variables in the following order: Environment Variable via SSH or Remote Desktop), and if so sets a default capture filter that should block out the remote session traffic.
0 kommentar(er)
