packetlife.net
COMMON PORTS (continued)
Port         Service
6891-6901    Windows Live
6970         Quicktime
7212         GhostSurf
7648-7649    CU-SeeMe
8000         Internet Radio
8080         HTTP Proxy
8086-8087    Kaspersky AV
8118         Privoxy
8200         VMware Server
8500         Adobe ColdFusion
8767         TeamSpeak
8866         Bagle.B
9100         HP JetDirect
9101-9103    Bacula
9119         MXit
9800         WebDAV
9898         Dabber
9988         Rbot/Spybot
9999         Urchin
10000        Webmin
10000        BackupExec
10113-10116  NetIQ
11371        OpenPGP
12035-12036  Second Life
12345        NetBus
13720-13721  NetBackup
14567        Battlefield
15118        Dipnet/Oddbob
19226        AdminSecure
19638        Ensim
20000        Usermin
24800        Synergy
25999        Xfire
27015        Half-Life
27374        Sub7
28960        Call of Duty
31337        Back Orifice
33434+       traceroute
Legend (color coding in the original chart): Chat, Encrypted, Gaming, Malicious, Peer to Peer, Streaming
by Jeremy Stretch
v1.1
SUBNETTING
Subnet Chart
CIDR  Subnet Mask      Addresses      Wildcard
/32   255.255.255.255  1              0.0.0.0
/31   255.255.255.254  2              0.0.0.1
/30   255.255.255.252  4              0.0.0.3
/29   255.255.255.248  8              0.0.0.7
/28   255.255.255.240  16             0.0.0.15
/27   255.255.255.224  32             0.0.0.31
/26   255.255.255.192  64             0.0.0.63
/25   255.255.255.128  128            0.0.0.127
/24   255.255.255.0    256            0.0.0.255
/23   255.255.254.0    512            0.0.1.255
/22   255.255.252.0    1,024          0.0.3.255
/21   255.255.248.0    2,048          0.0.7.255
/20   255.255.240.0    4,096          0.0.15.255
/19   255.255.224.0    8,192          0.0.31.255
/18   255.255.192.0    16,384         0.0.63.255
/17   255.255.128.0    32,768         0.0.127.255
/16   255.255.0.0      65,536         0.0.255.255
/15   255.254.0.0      131,072        0.1.255.255
/14   255.252.0.0      262,144        0.3.255.255
/13   255.248.0.0      524,288        0.7.255.255
/12   255.240.0.0      1,048,576      0.15.255.255
/11   255.224.0.0      2,097,152      0.31.255.255
/10   255.192.0.0      4,194,304      0.63.255.255
/9    255.128.0.0      8,388,608      0.127.255.255
/8    255.0.0.0        16,777,216     0.255.255.255
/7    254.0.0.0        33,554,432     1.255.255.255
/6    252.0.0.0        67,108,864     3.255.255.255
/5    248.0.0.0        134,217,728    7.255.255.255
/4    240.0.0.0        268,435,456    15.255.255.255
/3    224.0.0.0        536,870,912    31.255.255.255
/2    192.0.0.0        1,073,741,824  63.255.255.255
/1    128.0.0.0        2,147,483,648  127.255.255.255
/0    0.0.0.0          4,294,967,296  255.255.255.255
Decimal to Binary
Subnet Mask      Wildcard
255  1111 1111   0    0000 0000
254  1111 1110   1    0000 0001
252  1111 1100   3    0000 0011
248  1111 1000   7    0000 0111
240  1111 0000   15   0000 1111
224  1110 0000   31   0001 1111
192  1100 0000   63   0011 1111
128  1000 0000   127  0111 1111
0    0000 0000   255  1111 1111
Subnet Proportion (figure)
Classful Ranges
A  0.0.0.0 - 127.255.255.255
B  128.0.0.0 - 191.255.255.255
C  192.0.0.0 - 223.255.255.255
D  224.0.0.0 - 239.255.255.255
E  240.0.0.0 - 255.255.255.255
Reserved Ranges
RFC1918    10.0.0.0 - 10.255.255.255
Localhost  127.0.0.0 - 127.255.255.255
RFC1918    172.16.0.0 - 172.31.255.255
RFC1918    192.168.0.0 - 192.168.255.255
Determine Usable Hosts
Total Addresses  Subnet ID  Broadcast Address  Usable Hosts
256              1          1                  254
Terminology
CIDR  Classless interdomain routing was developed to provide more granularity than legacy classful addressing; CIDR relies on VLSMs to define routes
VLSM  Variable length subnet masks are an arbitrary length between 0 and 32 bits; masks expressed in the form /XX are in CIDR notation
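The chart above can be regenerated rather than memorised. This added example (not part of the packetlife.net sheet) derives the Subnet Chart columns, the usable-host count and the classful and reserved-range lookups for any prefix length with the standard library; the /31 and /32 handling is an assumption added here, not a rule from the sheet.

```python
# Added example (not from the packetlife.net sheet): derive the Subnet Chart
# columns, the usable-host count and the classful/reserved-range lookups for
# any prefix length, using only the standard library.
import ipaddress

CLASSFUL = (("A", 0, 127), ("B", 128, 191), ("C", 192, 223), ("D", 224, 239), ("E", 240, 255))
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOCALHOST = ipaddress.ip_network("127.0.0.0/8")


def usable_hosts(prefix: int) -> int:
    """Total addresses minus subnet ID and broadcast (256 - 1 - 1 = 254 for a /24).
    Assumption added here, not on the sheet: /31 point-to-point links (RFC 3021) and
    /32 host routes have no separate subnet ID or broadcast, so every address is usable."""
    total = 2 ** (32 - prefix)
    return total if prefix >= 31 else total - 2


def chart_row(prefix: int) -> tuple:
    """Return (subnet mask, wildcard mask, total addresses, usable hosts) for /prefix."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    mask_int = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    wildcard_int = mask_int ^ 0xFFFFFFFF  # the wildcard is the bitwise inverse of the mask
    mask = str(ipaddress.IPv4Address(mask_int))
    wildcard = str(ipaddress.IPv4Address(wildcard_int))
    return mask, wildcard, 2 ** (32 - prefix), usable_hosts(prefix)


def octet_to_binary(octet: int) -> str:
    """Decimal to Binary column of the sheet, e.g. 248 -> '1111 1000'."""
    bits = format(octet, "08b")
    return bits[:4] + " " + bits[4:]


def classful_class(address: str) -> str:
    """Classful Ranges table: the first octet alone decides the class."""
    first_octet = int(ipaddress.IPv4Address(address)) >> 24
    for name, low, high in CLASSFUL:
        if low <= first_octet <= high:
            return name
    raise ValueError("invalid address")


def describe(cidr: str) -> dict:
    """Everything an operator would want for an address written in CIDR notation."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    mask, wildcard, total, hosts = chart_row(net.prefixlen)
    return {
        "network": str(net.network_address),
        "prefix": net.prefixlen,
        "mask": mask,
        "wildcard": wildcard,
        "broadcast": str(net.broadcast_address),
        "total": total,
        "usable": hosts,
        "class": classful_class(str(iface.ip)),
        "rfc1918": any(net.subnet_of(r) for r in RFC1918),
        "localhost": net.subnet_of(LOCALHOST),
    }


if __name__ == "__main__":
    for p in (32, 30, 24, 16, 8, 0):  # a few Subnet Chart rows
        print(f"/{p:<2} {chart_row(p)}")
    print(describe("192.168.100.37/24"))
```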
by Jeremy Stretch, v1.0
SPANNING TREE
BPDU Format
Field           Bits
Protocol ID     16
Version         8
BPDU Type       8
Flags           8
Root ID         64
Root Path Cost  32
Bridge ID       64
Port ID         16
Message Age     16
Max Age         16
Hello Time      16
Forward Delay   16
Link Costs
Bandwidth  Cost
4 Mbps     250
10 Mbps    100
16 Mbps    62
45 Mbps    39
100 Mbps   19
155 Mbps   14
Three further rows with costs 6, 4 and 2 lost their bandwidth column in extraction.
Open Standards
IEEE 802.1D-1998  Deprecated legacy STP standard
IEEE 802.1w       Introduced Rapid STP (RSTP)
IEEE 802.1D-2004  Replaced legacy STP with RSTP
IEEE 802.1s       Introduced Multiple Spanning Tree (MST)
IEEE 802.1Q-2003  Added MST to 802.1Q
Port States
Legacy ST   Rapid ST
Disabled    Discarding
Blocking    Discarding
Listening   Discarding
Learning    Learning
Forwarding  Forwarding
Spanning Tree Operation
1 Determine root bridge    The bridge advertising the lowest bridge ID becomes the root bridge
2 Select root port         Each bridge selects its primary port facing the root
3 Select designated ports  One designated port is selected per segment
4 Block ports with loops   All non-root and non-designated ports are blocked
Port Roles
Legacy ST   Rapid ST
Root        Root
Designated  Designated
Blocking    Alternate
Blocking    Backup
Bridge ID
Priority             4-bit configurable priority (configurable from 0 to 61440 in increments of 4096)
System ID Extension  12-bit value taken from VLAN number
MAC Address          48-bit value to ensure uniqueness
Path Selection
1 Prefer the neighbor advertising the lowest root ID
2 Prefer the neighbor advertising the lowest cost to root
3 Prefer the neighbor with the lowest bridge ID
4 Prefer the lowest sender port ID
Optional PVST+ Enhancements
PortFast      Enables immediate transition into the forwarding state on edge ports
UplinkFast    Enables access switches to maintain backup paths to root
BackboneFast  Enables immediate expiration of the Max Age timer on an indirect link failure
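The bridge ID fields, the root election and the four path-selection tie-breakers above fit in a few lines of code. This added example (not part of the sheet) assembles 64-bit bridge IDs, elects the root and ranks received BPDUs; the switch names, MAC addresses and port numbers are constructed, and the receiver's ingress link cost is added to the advertised cost before comparison, as a real bridge does.

```python
# Added example (not from the sheet): assemble 64-bit bridge IDs from the three fields
# listed above, elect the root bridge, and rank received BPDUs with the four-step path
# selection rule. Switch names, MACs and port numbers below are constructed.
from dataclasses import dataclass


def bridge_id(priority: int, vlan: int, mac: str) -> int:
    """Bridge ID = 4-bit priority | 12-bit system ID extension (VLAN) | 48-bit MAC."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN must be between 1 and 4094")
    mac_int = int(mac.replace(":", "").replace(".", ""), 16)
    if mac_int >> 48:
        raise ValueError("MAC address must be 48 bits")
    # priority is a multiple of 4096, so adding the VLAN fills the low 12 bits
    return ((priority + vlan) << 48) | mac_int


def decode_bridge_id(bid: int) -> tuple:
    """Inverse of bridge_id(): (priority, system ID extension, MAC as dotted hex)."""
    upper, mac_int = bid >> 48, bid & ((1 << 48) - 1)
    mac_hex = f"{mac_int:012x}"
    mac = ".".join(mac_hex[i:i + 4] for i in range(0, 12, 4))
    return upper & 0xF000, upper & 0x0FFF, mac


def elect_root(bridge_ids: dict) -> str:
    """Step 1 of Spanning Tree Operation: the lowest bridge ID becomes the root."""
    return min(bridge_ids, key=bridge_ids.get)


@dataclass(frozen=True)
class Bpdu:
    root_id: int           # Root ID field of the configuration BPDU
    root_path_cost: int    # cost the sender advertises from itself to the root
    sender_bridge_id: int  # Bridge ID field
    sender_port_id: int    # Port ID field (4-bit priority + 12-bit port number)
    received_on: str       # local port the BPDU arrived on


def select_root_port(bpdus: list, port_cost: dict) -> str:
    """Path Selection steps 1-4. The receiver adds its own ingress link cost to the
    advertised root path cost before comparing (that is the cost it would advertise)."""
    def rank(b: Bpdu) -> tuple:
        return (b.root_id, b.root_path_cost + port_cost[b.received_on],
                b.sender_bridge_id, b.sender_port_id)
    return min(bpdus, key=rank).received_on


if __name__ == "__main__":
    ids = {"SW1": bridge_id(32768, 10, "0000.0c11.1111"),
           "SW2": bridge_id(4096, 10, "0000.0c22.2222"),
           "SW3": bridge_id(32768, 10, "0000.0c33.3333")}
    root = elect_root(ids)
    print("root bridge:", root, decode_bridge_id(ids[root]))
    # SW3 hears the root on two 100 Mbps links (cost 19) and via SW1 on a third
    heard = [Bpdu(ids["SW2"], 0, ids["SW2"], 0x8001, "Fa0/1"),
             Bpdu(ids["SW2"], 0, ids["SW2"], 0x8002, "Fa0/2"),
             Bpdu(ids["SW2"], 19, ids["SW1"], 0x8001, "Fa0/3")]
    print("SW3 root port:", select_root_port(heard, {"Fa0/1": 19, "Fa0/2": 19, "Fa0/3": 19}))
```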
Spanning Tree Protection
Root Guard   Prevents a port from becoming the root port
BPDU Guard   Error disables a port if a BPDU is received
Loop Guard   Prevents a blocked port from transitioning to listening after the Max Age timer has expired
BPDU Filter  Blocks BPDUs on an interface
RSTP Link Types
Point-to-Point  Connects to exactly one other bridge (a full duplex interface)
MST Configuration
! Set STP type
spanning-tree mode mst
! MST Configuration
spanning-tree mst configuration
 name MyTree
 revision 1
 ! Map VLANs to instances
 instance 1 vlan 20, 30
 instance 2 vlan 40, 50
! Bridge priority (per instance)
spanning-tree mst 1 priority 32768
! Timers, in seconds
spanning-tree mst hello-time 2
spanning-tree mst forward-time 15
spanning-tree mst max-age 20
! Maximum hops for BPDUs
spanning-tree mst max-hops 20
! Interface attributes
interface FastEthernet0/1
 spanning-tree mst 1 port-priority 128
 spanning-tree mst 1 cost 19
Troubleshooting
show spanning-tree [summary | detail]
show spanning-tree root
show spanning-tree vlan <VLAN>
show spanning-tree interface <interface>
show spanning-tree mst [<instance>] [detail]
show spanning-tree mst configuration
show spanning-tree mst interface <interface>
by Jeremy Stretch, v2.0
VLANS
Trunk Encapsulation
Trunk Types    802.1Q
Header Size    4 bytes
Trailer Size   N/A
Standard       IEEE
Maximum VLANs  4094
Command        dot1q
Ethernet Header (figure)
VLAN Numbers
0  Reserved
VLAN Creation
Switch(config)# vlan 100
Switch(config-vlan)# name Engineering
Terminology
Trunking  Extending multiple VLANs over the same physical connection
Native VLAN  By default, frames in this VLAN are untagged when sent across a trunk
Access VLAN  The VLAN to which an access port is assigned
Voice VLAN  If configured, enables minimal trunking to support voice traffic in addition to data traffic on an access port
Dynamic Trunking Protocol (DTP)  Can be used to automatically establish trunks between capable ports; carries a security risk
Switched Virtual Interface (SVI)  A virtual interface which provides a routed gateway into and out of a VLAN
SVI Configuration
Switch(config)# interface vlan100
Switch(config-if)# ip address 192.168.100.1 255.255.255.0
VTP Configuration
Switch(config)# vtp mode server
Switch(config)# vtp domain LASVEGAS
Switch(config)# vtp password Presl3y
Switch(config)# vtp version 2
Switch(config)# vtp pruning
Troubleshooting
show interface status
show interface switchport
show interface trunk
show vtp status
show vtp password
by Jeremy Stretch, v1.2
FIRST HOP REDUNDANCY
Protocols Comparison
                  HSRP       VRRP        GLBP
Standard          RFC 2281   RFC 3768    Cisco
Load Balancing    No         No          Yes
IPv6 Support      Yes        No          Yes
Transport         UDP 1985   IP 112      UDP 3222
Default Priority  100        100         100
Default Hello     3s         1s          3s
Multicast Group   224.0.0.2  224.0.0.18  224.0.0.102
HSRP Operation (figure)
VRRP Operation (figure)
GLBP Operation (figure)
HSRP Configuration
interface FastEthernet0/0
 ip address 10.0.1.2 255.255.255.0
 standby version {1 | 2}
 standby 1 ip 10.0.1.1
 standby 1 timers <hello> <dead>
 standby 1 priority <priority>
 standby 1 preempt
 standby 1 authentication md5 key-string <password>
 standby 1 track <interface> <value>
 standby 1 track <object> decrement <value>
Terminology
Active Virtual Gateway (AVG)  Answers for the virtual router and assigns virtual MAC addresses to group members
Active Virtual Forwarder (AVF)  All routers which forward traffic for the group (may include the AVG)
GLBP Configuration
interface FastEthernet0/0
 ip address 10.0.1.2 255.255.255.0
 glbp 1 ip 10.0.1.1
 glbp 1 timers <hello> <dead>
 glbp 1 timers redirect <redirect> <time-out>
 glbp 1 priority <priority>
 glbp 1 preempt
 glbp 1 forwarder preempt
 glbp 1 authentication md5 key-string <password>
 glbp 1 load-balancing <method>
 glbp 1 weighting <weight> lower <lower> upper <upper>
 glbp 1 weighting track <object> decrement <value>
Troubleshooting
show standby [brief]
show glbp [brief]
show vrrp [brief]
show track [brief]
by Jeremy Stretch, v1.0
MPLS
Label Distribution Protocol (LDP)
Hello Address   224.0.0.2
Hello Port      UDP 646
Adjacency Port  TCP 646
Proprietary     No
Terminology
Label Distribution Protocol (LDP)  Standards based label distribution protocol defined in RFC 3036
Tag Distribution Protocol (TDP)  Cisco's proprietary predecessor to LDP
Label Switching Router (LSR)  Any router capable of label switching
Label-Switched Path (LSP)  The unidirectional path through one or more LSRs taken by a label switched packet belonging to an FEC
Forwarding Equivalence Class (FEC)  A group of packets which are forwarded in an identical manner
Label Information Base (LIB)  Contains all labels known by an LSR via a label distribution protocol
Forwarding Information Base (FIB)  Routing database for unlabeled (IP) packets
Label FIB (LFIB)  Routing database for labeled packets
Customer (C)  IP-only routers internal to customer network
Customer Edge (CE)  C routers which face PE routers
Provider Edge (PE)  LSRs which form the MPLS-IP boundary
Provider (P)  MPLS-only LSRs in provider network
Interim Packet Propagation  An LSR temporarily performs IP routing while waiting to learn the necessary MPLS labels
Penultimate Hop Popping (PHP)  The second-to-last LSR in an LSP removes the MPLS label so the last LSR only has to perform an IP lookup
MPLS Configuration
! ** Enable CEF **
ip cef
!
! ** Select label protocol **
mpls label protocol ldp
!
! ** Enable MPLS on IP interfaces **
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 mpls ip
 ! ** Raise MPLS MTU to accommodate multilabel stack **
 mpls mtu 1512
Troubleshooting
show mpls interfaces
show mpls ldp neighbors
show mpls ldp bindings [detail] (LIB)
show mpls forwarding-table [detail] (LFIB)
show ip cef [detail] (FIB)
debug mpls events
debug mpls ldp bindings
by Jeremy Stretch, v1.0
IEEE 802.1X
802.1X Header (figure)
EAP Header (figure)
Terminology
Extensible Authentication Protocol (EAP)  A flexible authentication framework defined in RFC 3748
EAP Over LANs (EAPOL)  The encapsulation used by 802.1X to carry EAP across a layer two segment
Supplicant  The device on one end of a link that requests authentication by the authenticator
Authenticator  The device that controls the status of a link; typically a wired switch or wireless access point
Authentication Server  A backend server which authenticates the credentials provided by supplicants (for example, a RADIUS server)
Guest VLAN  Fallback VLAN for clients not 802.1X-capable
Restricted VLAN  Fallback VLAN for clients which fail authentication
802.1X Packet Types
0  EAP Packet
1  EAPOL-Start
2  EAPOL-Logoff
3  EAPOL-Key
4  EAPOL-Encap-ASF-Alert
EAP Codes
1  Request
2  Response
3  Success
4  Failure
E AP Req/Resp Types
1    Identity
2    Notification
3    Nak
4    MD5 Challenge
5    One Time Password
6    Generic Token Card
254  Expanded Types
255  Experimental
Interface Defaults
Max Auth Requests   2
Reauthentication    Off
Quiet Period        60s
Reauth Period       3600s
Server Timeout      30s
Supplicant Timeout  30s
Tx Period           30s
Configuration
Global Configuration
! Define a RADIUS server
radius-server host 10.0.0.100
radius-server key MyRadiusKey
! Configure 802.1X to authenticate via AAA
aaa new-model
aaa authentication dot1x default group radius
! Enable 802.1X authentication globally
dot1x system-auth-control
Interface Configuration
! Configure static access mode
switchport mode access
! Enable 802.1X authentication per port
dot1x port-control auto
! Configure host mode (single or multi)
dot1x host-mode single-host
! Configure maximum authentication attempts
dot1x max-reauth-req
! Enable periodic reauthentication
dot1x reauthentication
! Configure a guest VLAN
dot1x guest-vlan 123
! Configure a restricted VLAN
dot1x auth-fail vlan 456
dot1x auth-fail max-attempts 3
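The packet type, code and type tables above are enough to decode what a supplicant and authenticator exchange on the wire. This added example (not part of the sheet) parses the EAPOL and EAP headers and labels a constructed Start / Request-Identity / Response-Identity / Success exchange; the frames and the identity "alice" are constructed for the demonstration.

```python
# Added example (not from the sheet): decode EAPOL and EAP headers using the packet
# type, code and type tables above, and summarise a constructed authentication exchange.
import struct

EAPOL_TYPES = {0: "EAP Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encap-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5 Challenge",
             5: "One Time Password", 6: "Generic Token Card",
             254: "Expanded Types", 255: "Experimental"}


def parse_eap(pkt: bytes) -> dict:
    """EAP header: 1-byte code, 1-byte identifier, 2-byte length; Request and
    Response packets carry a 1-byte type followed by type-specific data."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP length field is inconsistent with the packet")
    out = {"code": code, "code_name": EAP_CODES.get(code, "unknown"),
           "id": ident, "length": length}
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response packet is missing its type byte")
        eap_type = pkt[4]
        out.update(type=eap_type, type_name=EAP_TYPES.get(eap_type, "unknown"),
                   data=pkt[5:length])
    return out


def parse_eapol(pdu: bytes) -> dict:
    """EAPOL header (after EtherType 0x888E): 1-byte version, 1-byte packet type,
    2-byte body length. Only packet type 0 carries an EAP packet."""
    if len(pdu) < 4:
        raise ValueError("EAPOL PDU shorter than its 4-byte header")
    version, ptype, length = struct.unpack("!BBH", pdu[:4])
    body = pdu[4:4 + length]
    if len(body) < length:
        raise ValueError("EAPOL body length exceeds the PDU")
    out = {"version": version, "type": ptype,
           "type_name": EAPOL_TYPES.get(ptype, "unknown"), "length": length}
    if ptype == 0:
        out["eap"] = parse_eap(body)
    return out


def describe(pdu: bytes) -> str:
    """One-line label such as 'EAP Request/Identity' or 'EAPOL-Start'."""
    info = parse_eapol(pdu)
    if "eap" not in info:
        return info["type_name"]
    eap = info["eap"]
    label = f"EAP {eap['code_name']}"
    if "type_name" in eap:
        label += f"/{eap['type_name']}"
    return label


def eap_request(ident: int, eap_type: int, data: bytes = b"") -> bytes:
    """Helper to build constructed test PDUs: an EAP Request wrapped in EAPOL type 0."""
    eap = struct.pack("!BBHB", 1, ident, 5 + len(data), eap_type) + data
    return struct.pack("!BBH", 1, 0, len(eap)) + eap


# Constructed exchange: Start, Request/Identity, Response/Identity "alice", Success.
EXCHANGE = [
    bytes.fromhex("01010000"),                                 # EAPOL-Start, empty body
    eap_request(1, 1),                                         # EAP Request/Identity
    bytes.fromhex("0100000a") + b"\x02\x01\x00\x0a\x01alice",  # EAP Response/Identity
    bytes.fromhex("01000004") + b"\x03\x01\x00\x04",           # EAP Success
]

if __name__ == "__main__":
    for pdu in EXCHANGE:
        print(describe(pdu))
```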
Port-Control Options
force-authorized    Port will always remain in authorized state (default setting)
force-unauthorized  Port will always remain in unauthorized state, ignoring authentication attempts
auto                Port is authorized only in the presence of a successfully authenticated supplicant
Troubleshooting
show dot1x [interface <interface>]
show dot1x statistics interface <interface>
dot1x test eapol-capable [interface <interface>]
dot1x re-authenticate interface <interface>
by Jeremy Stretch, v1.0
QUALITY OF SERVICE PART 1
Quality of Service Models
Best Effort  No QoS policies are implemented
Integrated Services (IntServ)  Resource Reservation Protocol (RSVP) is used to reserve bandwidth per flow across all nodes in a path
Differentiated Services (DiffServ)  Packets are individually classified and marked; policy decisions are made independently at each node in a path
Layer 2 QoS Markings
Medium       Name                      Type
Ethernet     Class of Service (CoS)    3-bit 802.1p field in 802.1Q header
Frame Relay  Discard Eligibility (DE)  1-bit drop eligibility flag
ATM          Cell Loss Priority (CLP)  1-bit drop eligibility flag
MPLS         Experimental Field (EXP)  3-bit field compatible with 802.1p
Terminology
Per-Hop Behavior (PHB)  The individual QoS action performed at each DiffServ node according to its configured policy
Trust Boundary  The perimeter beyond which QoS markings are not trusted
Tail Drop  Occurs when a packet is dropped because its queue is full
Policing  Creates an artificial ceiling on the amount of bandwidth that may be consumed; traffic exceeding the cap can be remarked or dropped
Shaping  Similar to policing but buffers excess traffic for delayed transmission; makes more efficient use of bandwidth but introduces a delay
TCP Synchronization  Flows adjust window sizes in sync, wasting bandwidth
IP QoS Markings
Precedence  The first three bits of the IP TOS field are evaluated; compatible with Ethernet CoS and MPLS EXP values
DSCP  The first six bits of the IP TOS are evaluated to provide more granular classification; backward-compatible with IP Precedence
QoS Flowchart (figure)
Precedence and DSCP Values
Prec.  Binary  Application      DSCP (binary)
7      111     Reserved         56 (111000)
6      110     Routing          48 (110000)
5      101     Voice            46 (101110)
4      100     Streaming Video  32 (100000), 34 (100010), 36 (100100), 38 (100110)
3      011     Call Signaling   24 (011000), 26 (011010), 28 (011100), 30 (011110)
2      010     Transactional    16 (010000), 18 (010010), 20 (010100), 22 (010110)
1      001     Bulk Data        8 (001000), 10 (001010), 12 (001100), 14 (001110)
0      000     Best Effort      0 (000000)
Per-Hop Behaviors
Class Selector (CS)  Backward-compatible with IP Precedence values
Assured Forwarding (AF)  Four classes with variable drop preferences
Expedited Forwarding (EF)  Provides priority queuing for delay-sensitive traffic
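Reading the Layer 2 and Layer 3 markings off a frame, naming the PHB and applying the trust boundary is what a classifier does at every node. This added example (not part of the sheet; it also covers the 4-byte 802.1Q header from the VLANs sheet) decodes a constructed 802.1Q-tagged IPv4 frame and reports CoS, VLAN ID, DSCP, precedence and PHB name; the AF/CS naming rule is the standard DiffServ codepoint layout rather than something stated on the sheet.

```python
# Added example (not from the sheet; it also covers the 802.1Q header on the VLANs sheet):
# pull the Layer 2 CoS, VLAN ID and Layer 3 DSCP/precedence out of a frame, map the
# DSCP to its PHB name, and show the trust-boundary decision. Frames are constructed.
import struct

PRECEDENCE_APP = {7: "Reserved", 6: "Routing", 5: "Voice", 4: "Streaming Video",
                  3: "Call Signaling", 2: "Transactional", 1: "Bulk Data", 0: "Best Effort"}


def phb_name(dscp: int) -> str:
    """Name a 6-bit DSCP by PHB: EF is 46, CSx has the low three bits clear, and
    AFxy has class x = high three bits (1-4) and drop precedence y = bits 2-1 (1-3)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    if dscp == 46:
        return "EF"
    cls, drop = dscp >> 3, (dscp >> 1) & 0b11
    if dscp & 0b111 == 0:
        return f"CS{cls}"
    if 1 <= cls <= 4 and 1 <= drop <= 3 and dscp & 1 == 0:
        return f"AF{cls}{drop}"
    return f"DSCP{dscp}"  # not a standard PHB codepoint


def parse_markings(frame: bytes) -> dict:
    """Read the 802.1Q tag (if present) and the IPv4 TOS byte. Keys correspond to
    the Wireshark fields vlan.priority, vlan.cfi, vlan.id, ip.dsfield.dscp and
    ip.tos.precedence."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, out = 14, {"tagged": False}
    if ethertype == 0x8100:  # 4-byte 802.1Q header: TPID then 16-bit TCI
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci = struct.unpack("!H", frame[14:16])[0]
        out.update(tagged=True, cos=tci >> 13, cfi=(tci >> 12) & 1, vlan_id=tci & 0x0FFF)
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    out["ethertype"] = ethertype
    if ethertype == 0x0800:
        if len(frame) < offset + 20 or frame[offset] >> 4 != 4:
            raise ValueError("truncated or non-IPv4 header")
        tos = frame[offset + 1]
        dscp = tos >> 2
        out.update(dscp=dscp, ecn=tos & 0b11, precedence=tos >> 5,
                   phb=phb_name(dscp), application=PRECEDENCE_APP[tos >> 5])
    return out


def dscp_at_trust_boundary(markings: dict, port_trusted: bool) -> int:
    """Beyond the trust boundary, markings are not trusted: an untrusted port
    re-marks to DSCP 0 (Best Effort); a trusted port keeps the packet's own DSCP."""
    if not port_trusted:
        return 0
    return markings.get("dscp", 0)


def ipv4_frame(tos: int, vlan_id: int = None, cos: int = 0) -> bytes:
    """Constructed frame builder: optional 802.1Q tag, then a minimal 20-byte IPv4 header."""
    eth = bytes.fromhex("00000c000001") + bytes.fromhex("00000c000002")
    if vlan_id is not None:
        eth += struct.pack("!HH", 0x8100, (cos << 13) | vlan_id)
    eth += struct.pack("!H", 0x0800)
    ip = bytes([0x45, tos]) + struct.pack("!HHHBBH", 20, 0, 0x4000, 64, 17, 0)
    ip += bytes.fromhex("0a000001") + bytes.fromhex("0a000002")
    return eth + ip


if __name__ == "__main__":
    voice = parse_markings(ipv4_frame(tos=46 << 2, vlan_id=100, cos=5))
    print(voice)
    print("forwarded DSCP on an untrusted port:", dscp_at_trust_boundary(voice, False))
```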
Congestion Avoidance
Random Early Detection (RED)  Packets are randomly dropped before a queue is full to prevent tail drop; mitigates TCP synchronization
Weighted RED (WRED)  RED with the added capability of recognizing prioritized traffic by its marking
by Jeremy Stretch, v1.2
QUALITY OF SERVICE PART 2
Queuing Comparison Chart
                            FIFO       PQ         CQ          WFQ        CBWFQ
Default on interfaces       >2 Mbps    No         No          <=2 Mbps   No
Number of queues            1          4          Configured  Dynamic    -
Configurable classes        No         Yes        Yes         No         -
Bandwidth allocation        Automatic  Automatic  Configured  Automatic  -
Provides for minimal delay  No         Yes        No          No         -
Modern implementation       Yes        No         No          No         -
(Only the first row of the CBWFQ column survived extraction.)
First In First Out (FIFO)
Packets are transmitted in the order they are processed
No prioritization is provided
Default queuing method on high-speed (>2 Mbps) interfaces
Configurable with the tx-ring-limit interface configuration command
Priority Queuing (PQ)
Provides four static queues which cannot be reconfigured
Higher-priority queues are always emptied before lower-priority queues
Lower-priority queues are at risk of bandwidth starvation
Weighted Fair Queuing (WFQ)
Queues are dynamically created per flow to ensure fair processing
Statistically drops packets from aggressive flows more often
Custom Queuing (CQ)
A configurable number of bytes is processed from each queue per turn
Prevents queue starvation but does not support delay-sensitive traffic
Class-Based Weighted Fair Queuing (CBWFQ)
Provides the benefits of WFQ with administratively configured queues
Each queue is allocated an amount or percentage of bandwidth
No support for delay-sensitive traffic
Low Latency Queuing (LLQ)
CBWFQ with the addition of a policed strict priority queue
Highly configurable while still supporting delay-sensitive traffic
Troubleshooting
show policy-map
show interface
show queue <interface>
show mls qos
by Jeremy Stretch, v1.2
IP ACCESS LISTS
Standard IP ACL Syntax
! Legacy syntax
access-list <number> {permit | deny} <source> [log]
! Modern syntax
ip access-list standard {<number> | <name>}
 [<sequence>] {permit | deny} <source> [log]
Actions
permit    Allow matched packets
deny      Deny matched packets
remark    Record a config comment
evaluate  Evaluate a reflexive ACL
ACL Numbers
1-99 (expanded: 1300-1999)     IP standard
100-199 (expanded: 2000-2699)  IP extended
200-299    Protocol
300-399    DECnet
400-499    XNS
500-599    Extended XNS
600-699    Appletalk
700-799    Ethernet MAC
800-899    IPX standard
900-999    IPX extended
1000-1099  IPX SAP
1100-1199  MAC extended
1200-1299  IPX summary
Source/Destination Definitions
any                 Any address
host <address>      A single address
<network> <mask>    Any address matched by the wildcard mask
TCP/UDP Port Definitions
eq <port>   Equal to
neq <port>  Not equal to
lt <port>   Less than
gt <port>   Greater than
TCP Options
ack  Match ACK flag
fin  Match FIN flag
psh  Match PSH flag
rst  Match RST flag
syn  Match SYN flag
urg  Match URG flag
IP Options
dscp <DSCP>        Match packets with the given DSCP value
fragments          Check non-initial fragments
option <option>    Match packets with the specified IP option
precedence <prec>  Match packets with the given precedence value
ttl <ttl>          Match packets with the given Time To Live
Other Options
reflect <name>     Create a reflexive ACL
time-range <name>  Enable rule only during the specified time range
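How the source definitions above combine with sequence numbers and the implicit deny is easiest to see by evaluating addresses against an ACL. This added example (not part of the sheet) parses standard ACL entries in both the legacy and the modern syntax shown above and applies first-match, wildcard-mask semantics; the configuration text, ACL names and addresses are constructed.

```python
# Added example (not from the sheet): parse standard ACL entries in the legacy and
# modern syntax shown above and evaluate source addresses against them with
# first-match semantics, wildcard masks and the implicit deny at the end.
import ipaddress

STANDARD_NUMBERS = ((1, 99), (1300, 1999))  # IP standard ranges from the ACL Numbers table


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def wildcard_match(address: str, network: int, wildcard: int) -> bool:
    """Wildcard mask: a 0 bit must match the network, a 1 bit is ignored."""
    return (_addr(address) | wildcard) == (network | wildcard)


def parse_source(tokens: list) -> tuple:
    """any | host <address> | <network> <wildcard>; returns (network, wildcard, rest)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return _addr(tokens[1]), 0, tokens[2:]
    return _addr(tokens[0]), _addr(tokens[1]), tokens[2:]


class StandardAcl:
    def __init__(self, name: str):
        if name.isdigit() and not any(lo <= int(name) <= hi for lo, hi in STANDARD_NUMBERS):
            raise ValueError(f"{name} is not an IP standard ACL number")
        self.name = name
        self.entries = []  # (sequence, action, network, wildcard, log)

    def add(self, entry: str) -> None:
        tokens = entry.split()
        if tokens[0].isdigit():
            seq = int(tokens.pop(0))
        else:  # IOS assigns the next multiple of 10 when no sequence is given
            seq = self.entries[-1][0] + 10 if self.entries else 10
        action = tokens.pop(0)
        if action == "remark":
            return  # config comment only, matches nothing
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        network, wildcard, rest = parse_source(tokens)
        if rest not in ([], ["log"]):
            raise ValueError(f"unexpected trailing tokens {rest}")
        self.entries.append((seq, action, network, wildcard, rest == ["log"]))
        self.entries.sort()  # entries are evaluated in sequence-number order

    def evaluate(self, source: str) -> tuple:
        """First matching entry wins: (action, sequence, log). No match is the implicit deny."""
        for seq, action, network, wildcard, log in self.entries:
            if wildcard_match(source, network, wildcard):
                return action, seq, log
        return "deny", None, False


def load_config(text: str) -> dict:
    """Read 'access-list <n> ...' lines and 'ip access-list standard <name>' blocks."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        if tokens[:3] == ["ip", "access-list", "standard"]:
            current = acls.setdefault(tokens[3], StandardAcl(tokens[3]))
        elif tokens[0] == "access-list":
            acls.setdefault(tokens[1], StandardAcl(tokens[1])).add(" ".join(tokens[2:]))
        elif current is not None:
            current.add(line)
        else:
            raise ValueError(f"entry outside an access-list block: {line}")
    return acls


# Constructed configuration mixing the legacy and modern syntax from the sheet.
CONFIG = """
access-list 10 permit 10.0.0.0 0.255.255.255
ip access-list standard MGMT
 remark management hosts only
 10 permit host 10.0.0.5 log
 20 deny 10.0.0.0 0.0.0.255
 30 permit 10.0.0.0 0.255.255.255
"""

if __name__ == "__main__":
    acls = load_config(CONFIG)
    for src in ("10.0.0.5", "10.0.0.9", "10.1.2.3", "192.168.1.1"):
        print(src, acls["MGMT"].evaluate(src))
```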
established  Match packets in a preestablished session
Logging Options
log        Log ACL entry matches
log-input  Log matches with ingress interface and source MAC
Troubleshooting
show access-lists {<number> | <name>}
show ip access-lists {<number> | <name>}
show ip access-lists interface <interface>
show ip access-lists dynamic
show ip interface [<interface>]
show time-range [<name>]
by Jeremy Stretch, v1.1
IPSEC
Protocols
Internet Security Association and Key Management Protocol (ISAKMP)  A framework for the negotiation and management of security associations between peers; traverses UDP port 500
Internet Key Exchange (IKE)  Responsible for key agreement using public key cryptography
Encapsulating Security Payload (ESP)  Provides data encryption, data integrity, and peer authentication; IP protocol 50
Authentication Header (AH)  Provides data integrity and peer authentication, but not data encryption; IP protocol 51
Encryption Algorithms
Algorithm  Type        Key               Strength
DES        Symmetric   56-bit            Weak
3DES       Symmetric   168-bit           Medium
AES        Symmetric   -                 -
RSA        Asymmetric  1024-bit minimum  -
(Cells shown as - were not captured.)
Hashing Algorithms
Algorithm  Length
MD5        128-bit
SHA-1      160-bit
IPsec Modes
Transport Mode  The ESP or AH header is inserted behind the IP header; the IP header can be authenticated but not encrypted
Tunnel Mode  A new IP header is created in place of the original; this allows for encryption of the entire original packet
IKE Phases
Phase 1  A bidirectional ISAKMP SA is established between peers to provide a secure management channel; IKE is performed in main mode or aggressive mode
Phase 1.5 (optional)  Xauth can optionally be implemented to enforce user authentication
Phase 2  Two unidirectional IPsec SAs are established for data transfer using separate keys; IKE quick mode is used
Configuration
ISAKMP Policy
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 3600
ISAKMP Pre-Shared Secret Key
crypto isakmp key 0 MySecretKey address 10.0.0.2
IPsec Transform Set
crypto ipsec transform-set MyTS esp-aes 256 esp-sha-hmac
 mode tunnel
IPsec Profile
crypto ipsec profile MyProfile
 set transform-set MyTS
Virtual Tunnel Interface
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source 10.0.0.1
 tunnel destination 10.0.0.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MyProfile
Terminology
Data Integrity  Secure hashing (HMAC) is used to ensure data has not been altered in transit
Data Confidentiality  Encryption is used to ensure data cannot be intercepted by a third party
Data Origin Authentication  Peer authentication
Anti-replay  Sequence numbers are used to detect and block duplicate packets
Hash-based Message Authentication Code (HMAC)  A hash of the data and secret key used to provide message authenticity
Diffie-Hellman  A method of establishing a shared secret key over an insecure path using public and private keys
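Two of the terms above, HMAC integrity and anti-replay, are what a receiver checks on every ESP packet before accepting it. This added example (not part of the sheet, and not a real ESP implementation) computes a truncated HMAC-SHA-1 check value over sequence number and payload and keeps an RFC 4303-style sliding window; the key and packets are constructed, and the order of checks (replay test, then ICV, then window update) is the point it demonstrates.

```python
# Added example (not from the sheet): the receive-side checks an ESP implementation
# performs with the terms defined above: an HMAC integrity check value over the
# sequence number and payload, and a sliding anti-replay window that rejects
# duplicates. The key and packets are constructed; this is not a real ESP codec.
import hashlib
import hmac
import struct


def icv(key: bytes, seq: int, payload: bytes) -> bytes:
    """HMAC-SHA-1 over the sequence number and payload, truncated to 96 bits
    as ESP does for esp-sha-hmac (RFC 2404)."""
    return hmac.new(key, struct.pack("!I", seq) + payload, hashlib.sha1).digest()[:12]


class AntiReplayWindow:
    """Sliding window in the style of RFC 4303 Appendix A: bit 0 of the bitmap is
    the highest sequence number seen; bit n is (highest - n)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0   # sequence numbers start at 1, so 0 means 'nothing seen'
        self.bitmap = 0

    def is_acceptable(self, seq: int) -> bool:
        if seq == 0:
            return False
        if seq > self.highest:
            return True
        behind = self.highest - seq
        if behind >= self.size:
            return False  # older than the window
        return not (self.bitmap >> behind) & 1  # already seen?

    def mark(self, seq: int) -> None:
        """Call only after the ICV has verified, so forged packets cannot move the window."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def receive(key: bytes, window: AntiReplayWindow, seq: int, payload: bytes, tag: bytes) -> str:
    """Order matters: cheap replay check first, then the ICV, then the window update."""
    if not window.is_acceptable(seq):
        return "replay"
    if not hmac.compare_digest(icv(key, seq, payload), tag):
        return "bad-icv"
    window.mark(seq)
    return "ok"


def send(key: bytes, seq: int, payload: bytes) -> tuple:
    """Sender side: (sequence number, payload, ICV)."""
    return seq, payload, icv(key, seq, payload)


KEY = b"constructed-demo-key"  # a real SA key comes from IKE phase 2, never a literal

if __name__ == "__main__":
    win = AntiReplayWindow()
    for pkt in (send(KEY, 1, b"a"), send(KEY, 2, b"b"), send(KEY, 2, b"b")):
        print(pkt[0], receive(KEY, win, *pkt))
```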
Troubleshooting
show crypto isakmp sa
show crypto isakmp policy
show crypto ipsec sa
show crypto ipsec transform-set
debug crypto isakmp
debug crypto ipsec
by Jeremy Stretch, v1.1
TCPDUMP
Command Line Options
-A          Print frame payload in ASCII
-c <count>  Exit after capturing count packets
-D          List available interfaces
-e          Print link-level headers in the capture dump
-F <file>   Use file as the filter expression
-G <n>      Rotate the dump file every n seconds
-i <iface>  Specifies the capture interface
-K          Don't verify TCP checksums
-L          List data link types for the interface
-n          Don't convert addresses to names
-p          Don't capture in promiscuous mode
-q          Quick output
-r <file>   Read packets from file
-s <len>    Capture up to len bytes per packet
-S          Print absolute TCP sequence numbers
-t          Don't print timestamps
-v[v[v]]    Print more verbose output
-w <file>   Write captured packets to file
-x          Print frame payload in hex
-X          Print frame payload in hex and ASCII
-y <type>   Specify the data link type
-Z <user>   Drop privileges from root to user
Capture Filter Primitives
[src|dst] host <host>                      Matches a host as the IP source, destination, or either
ether [src|dst] host <ehost>               Matches a host as the Ethernet source, destination, or either
gateway host <host>                        Matches packets which used host as a gateway
[src|dst] net <network>/<len>              Matches packets to or from an endpoint residing in network
[tcp|udp] [src|dst] port <port>            Matches TCP or UDP packets sent to/from port
[tcp|udp] [src|dst] portrange <p1>-<p2>    Matches TCP or UDP packets to/from a port in the given range
less <length>                              Matches packets less than or equal to length
greater <length>                           Matches packets greater than or equal to length
(ether|ip|ip6) proto <protocol>            Matches an Ethernet, IPv4, or IPv6 protocol
(ether|ip) broadcast                       Matches Ethernet or IPv4 broadcasts
(ether|ip|ip6) multicast                   Matches Ethernet, IPv4, or IPv6 multicasts
type (mgt|ctl|data) [subtype <subtype>]    Matches 802.11 frames based on type and optional subtype
vlan [<vlan>]                              Matches 802.1Q frames, optionally with a VLAN ID of vlan
mpls [<label>]                             Matches MPLS packets, optionally with a label of label
<expr> <relop> <expr>                      Matches packets by an arbitrary expression
Protocols
arp ether fddi icmp ip ip6 link ppp radio rarp slip tcp tr udp wlan
TCP Flags
tcp-urg tcp-ack tcp-push tcp-rst tcp-syn tcp-fin
ICMP Types
icmp-echoreply icmp-unreach icmp-sourcequench icmp-redirect icmp-echo icmp-routeradvert icmp-routersolicit icmp-timxceed icmp-paramprob icmp-tstamp icmp-tstampreply icmp-ireq icmp-ireqreply icmp-maskreq icmp-maskreply
Modifiers
! or not
&& or and
|| or or
Examples
udp dst port not 53                All UDP not bound for port 53
host 10.0.0.1 && host 10.0.0.2     All packets between these hosts
tcp dst port 80 or 8080            All packets to either TCP port
by Jeremy Stretch, v1.0
WIRESHARK DISPLAY FILTERS
ARP
arp.proto.size arp.proto.type arp.src.hw_mac arp.src.proto_ipv4
IEEE 802.1Q
vlan.cfi vlan.etype vlan.id vlan.len vlan.priority vlan.trailer
TCP
tcp.ack tcp.checksum tcp.checksum_bad tcp.checksum_good tcp.continuation_to tcp.dstport tcp.flags tcp.flags.ack tcp.flags.cwr tcp.flags.ecn tcp.flags.fin tcp.flags.push tcp.flags.reset tcp.flags.syn tcp.flags.urg tcp.hdr_len tcp.len tcp.nxtseq tcp.options tcp.options.cc tcp.options.ccecho tcp.options.ccnew tcp.options.qs tcp.options.sack tcp.options.sack_le tcp.options.sack_perm tcp.options.sack_re tcp.options.time_stamp tcp.options.wscale tcp.options.wscale_val tcp.pdu.last_frame tcp.pdu.size tcp.pdu.time tcp.port tcp.reassembled_in tcp.segment tcp.segment.error tcp.segment.multipletails tcp.segment.overlap tcp.segment.overlap.conflict tcp.segment.toolongfragment tcp.segments tcp.seq tcp.srcport tcp.time_delta tcp.time_relative tcp.urgent_pointer tcp.window_size
IPv4
ip.addr ip.checksum ip.checksum_bad ip.checksum_good ip.dsfield ip.dsfield.ce ip.dsfield.dscp ip.dsfield.ect ip.dst ip.dst_host ip.flags ip.flags.df ip.flags.mf ip.flags.rb ip.frag_offset ip.fragment ip.fragment.error ip.fragment.multipletails ip.fragment.overlap ip.fragment.overlap.conflict ip.fragment.toolongfragment ip.fragments ip.hdr_len ip.host ip.id ip.len ip.proto ip.reassembled_in ip.src ip.src_host ip.tos ip.tos.cost ip.tos.delay ip.tos.precedence ip.tos.reliability ip.tos.throughput ip.ttl ip.version
IPv6
ipv6.addr ipv6.class ipv6.dst ipv6.dst_host ipv6.dst_opt ipv6.flow ipv6.fragment ipv6.fragment.error ipv6.fragment.more ipv6.fragment.multipletails ipv6.fragment.offset ipv6.fragment.overlap ipv6.fragment.overlap.conflict ipv6.fragment.toolongfragment ipv6.fragments ipv6.fragment.id ipv6.hlim ipv6.hop_opt ipv6.host ipv6.mipv6_home_address ipv6.mipv6_length ipv6.mipv6_type ipv6.nxt ipv6.opt.pad1 ipv6.opt.padn ipv6.plen ipv6.reassembled_in ipv6.routing_hdr ipv6.routing_hdr.addr ipv6.routing_hdr.left ipv6.routing_hdr.type ipv6.src ipv6.src_host ipv6.version
UDP
udp.checksum udp.checksum_bad udp.checksum_good udp.dstport udp.length udp.port udp.srcport
Operators
eq  ==  Equal
ne  !=  Not equal
gt  >   Greater than
lt  <   Less than
ge  >=  Greater than or equal
le  <=  Less than or equal
Logic
and  &&     Logical AND
or   ||     Logical OR
xor  ^^     Logical XOR
not  !      Logical NOT
[n]  [...]  Substring operator
by Jeremy Stretch, v1.0
ICMPv6
icmpv6.option.name_type icmpv6.option.name_type.fqdn icmpv6.option.name_x501 icmpv6.option.rsa.key_hash icmpv6.option.type icmpv6.ra.cur_hop_limit icmpv6.ra.reachable_time icmpv6.ra.retrans_timer icmpv6.ra.router_lifetime icmpv6.recursive_dns_serv icmpv6.type
RIP
rip.route_tag rip.routing_domain rip.version
PPP
ppp.address ppp.control ppp.direction ppp.protocol
MPLS
mpls.bottom mpls.cw.control mpls.cw.res mpls.exp mpls.label mpls.oam.bip16 mpls.oam.defect_location mpls.oam.defect_type mpls.oam.frequency mpls.oam.function_type mpls.oam.ttsi mpls.ttl
BGP
bgp.aggregator_as bgp.aggregator_origin bgp.as_path bgp.cluster_identifier bgp.cluster_list bgp.community_as bgp.community_value bgp.local_pref bgp.mp_nlri_tnl_id bgp.mp_reach_nlri_ipv4_prefix bgp.mp_unreach_nlri_ipv4_prefix bgp.multi_exit_disc bgp.next_hop bgp.nlri_prefix bgp.origin bgp.originator_id bgp.type bgp.withdrawn_prefix
ICMP
icmp.checksum icmp.checksum_bad icmp.code icmp.ident icmp.mtu icmp.redir_gw icmp.seq icmp.type
HTTP
http.accept http.accept_encoding http.accept_language http.authbasic http.authorization http.cache_control http.connection http.content_encoding http.content_length http.content_type http.cookie http.date http.host http.last_modified http.location http.notification http.proxy_authenticate http.proxy_authorization http.proxy_connect_host http.proxy_connect_port http.referer http.request http.request.method http.request.uri http.request.version http.response http.response.code http.server http.set_cookie http.transfer_encoding http.user_agent http.www_authenticate http.x_forwarded_for
DTP
dtp.neighbor dtp.tlv_len dtp.tlv_type dtp.version
VTP
vtp.code vtp.conf_rev_num vtp.followers vtp.md vtp.md5_digest vtp.md_len vtp.neighbor vtp.seq_num vtp.start_value vtp.upd_id vtp.upd_ts vtp.version vtp.vlan_info.802_10_index vtp.vlan_info.isl_vlan_id vtp.vlan_info.len vtp.vlan_info.mtu_size vtp.vlan_info.status.vlan_susp vtp.vlan_info.tlv_len vtp.vlan_info.tlv_type vtp.vlan_info.vlan_name vtp.vlan_info.vlan_name_len vtp.vlan_info.vlan_type
by Jeremy Stretch, v1.0