You are not logged in.
Hello,
I'm learning how to use tcpdump utility, and need some advise on how to filter out traffic in the following case: the computer is linked to WAN via L2TP connection, and every 10 seconds the following packet exchange happens between endpoints:
13:01:43.889785 XX:4a:a4:0d:1b:d0 (oui Unknown) > XX:27:eb:b8:ff:c8 (oui Unknown), ethertype IPv4 (0x0800), length 66: (tos 0xc0, ttl 252, id 12131, offset 0, flags [none], proto UDP (17), length 52)
    XX.21.129.83.l2f > 10.43.40.128.l2f: [no cksum]  l2tp:[OP](17857/15643) {LCP (0xc021), length 16: LCP, Echo-Request (0x09), id 184, length 14
	encoded length 12 (=Option(s) length 8)
	0x0000:  c021 09b8 000c
	  Magic-Num 0x9c680202
	  -----trailing data-----
	  0x0000:  62a6 377f}
13:01:43.890062 XX:27:eb:b8:ff:c8 (oui Unknown) > XX:4a:a4:0d:1b:d0 (oui Unknown), ethertype IPv4 (0x0800), length 64: (tos 0x0, ttl 64, id 8822, offset 0, flags [none], proto UDP (17), length 50)
    10.43.40.128.l2f > XX.21.129.83.l2f: [no cksum]  l2tp:[](20057/40440) {LCP (0xc021), length 16: LCP, Echo-Reply (0x0a), id 184, length 14
	encoded length 12 (=Option(s) length 8)
	0x0000:  c021 0ab8 000c
	  Magic-Num 0x62a6377f
	  -----trailing data-----
	  0x0000:  62a6 377f}My question is: how to efficiently filter out these packets in tcpdump? Addresses cannot be used, as well as the protocol (IPv4) and port (l2f) - these attributes are present in other traffic too. My attempted solution was to exclude all LCP (Link control protocol) packets of 64 bytes size as follows:
tcpdump not \( len == 64 and ip[50:2] == 0xc021 \)But this didn't work. Can someone suggest another solution, or maybe how to correctly implement mine?
UPDATE:
The idea of checking the packet's content for the protocol identifier seems to be working, though with the difficulty that packets of same type sometimes have different lengths and different positions of the identifier, as in this example:
14:25:03.310873 XX:27:eb:b8:ff:c8 (oui Unknown) > XX:4a:a4:0d:1b:d0 (oui Unknown), ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 4646, offset 0, flags [none], proto UDP (17), length 46)
    10.43.40.128.l2f > XX.21.129.83.l2f: [no cksum]  l2tp:[](20057/40440) {LCP (0xc021), length 12: LCP, Echo-Request (0x09), id 21, length 10
    encoded length 8 (=Option(s) length 4)
    0x0000:  c021 0915 0008
      Magic-Num 0x62a6377f}
14:25:11.910885 XX:4a:a4:0d:1b:d0 (oui Unknown) > XX:27:eb:b8:ff:c8 (oui Unknown), ethertype IPv4 (0x0800), length 66: (tos 0xc0, ttl 252, id 3245, offset 0, flags [none], proto UDP (17), length 52)
    XX.21.129.83.l2f > 10.43.40.128.l2f: [no cksum]  l2tp:[OP](17857/15643) {LCP (0xc021), length 16: LCP, Echo-Request (0x09), id 172, length 14
    encoded length 12 (=Option(s) length 8)
    0x0000:  c021 09ac 000c
      Magic-Num 0x9c680202
      -----trailing data-----
      0x0000:  62a6 377f}Inspecting the bytes in the IP packet's content seems to be the only way to deal in tcpdump with protocols packed into the IP protocol. So it seems that it's necessary to look into L2TP specification to reliably determine the position of the protocol identifier in the packet.
Last edited by nbd (2021-09-01 00:42:47)
bing different
Offline

Sanity check: you're aware of wireshark?
Online
Of course, but since Wireshark uses tcpdump as its backend, I decided to use tcpdump.
Does WS have a specialized dissector for L2TP which allows for fine grained filtering of L2TP traffic based on details of the L2TP specification?
UPDATE:
Looks like it indeed does:
https://github.com/wireshark/wireshark/ … ket-l2tp.c
Will use it as a reference for tuning up tcpdump's command line. Thanks!
Last edited by nbd (2021-09-01 01:05:43)
bing different
Offline