
I'm collecting pcap data on servers, and I'd like to only collect packets corresponding to inbound connections. Note that I am not looking to filter to inbound packets, but remove both outbound and inbound packets that correspond to conversations initiated by the host. Traffic spans a variety of ports, including those often used for outbound traffic, so restricting by port range is not acceptable.

I can think of a few ways to fix this, none of which are ideal:

  • Restrict outbound connections to a very small range of ports and ignore those entirely. I'd like to collect incoming traffic regardless of port, so this is not great.
  • Assign a second IP to the host and route incoming/outgoing connections over separate IPs. This will complicate configuration.

I'm currently using tcpdump port not 22 to capture everything but inbound ssh. Ideally I'd like to filter outbound conversations at record time, but it would also be acceptable to filter the pcaps later. Is there a succinct way to achieve this using either tcpdump or tshark?

1 Answer

While I haven't found a way to do this in tshark/tcpdump, the following rules in Snort can be used to do this filtering on TCP connections:

log tcp any any -> $HOME_NET any (flow:to_server;sid:1000001;)
log tcp $HOME_NET any -> any any (flow:to_client;sid:1000002;)

You can also use Snort's tagging to accomplish something similar, but the max session duration must be limited in bytes, seconds, or packets:

log tcp any any -> $HOME_NET any (flags:S;tag:session,0,packets,1000000,bytes;sid:1000000;)
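As an added example (not part of the question or the answer above), here is the post-capture variant the asker said would be acceptable, in pure Python with no third-party modules: a two-pass filter over Ethernet/IPv4/TCP frames that first records the conversations whose SYN (without ACK) was addressed to the server, then keeps both directions of those conversations and drops everything else. The server address 10.0.0.5 and the frames are constructed for the demonstration.

```python
import struct

def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of one conversation map together."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def parse_tcp(frame):
    """Return (src_ip, sport, dst_ip, dport, tcp_flags) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                      # not IPv4 over Ethernet, or not TCP
    tcp = frame[14 + (frame[14] & 0x0F) * 4:]   # skip Ethernet header and IPv4 header (IHL words)
    if len(tcp) < 14:
        return None                      # truncated TCP header
    src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, sport, dst, dport, tcp[13]

def inbound_only(frames, host_ip):
    """Pass 1 records conversations whose SYN (without ACK) was sent to host_ip;
    pass 2 keeps every frame, in either direction, that belongs to those conversations.
    Conversations whose handshake was not captured are dropped (same limit as Snort's flags:S)."""
    inbound = set()
    for f in frames:
        p = parse_tcp(f)
        if p and (p[4] & 0x12) == 0x02 and p[2] == host_ip:   # SYN set, ACK clear, aimed at host
            inbound.add(flow_key(*p[:4]))
    kept = []
    for f in frames:
        p = parse_tcp(f)
        if p and flow_key(*p[:4]) in inbound:
            kept.append(f)
    return kept

def make_frame(src, sport, dst, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed demo data; checksums left zero)."""
    ip = lambda a: bytes(map(int, a.split(".")))
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, ip(src), ip(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ipv4 + tcp

HOST = "10.0.0.5"                        # assumed address of the monitored server
SYN, SYN_ACK, ACK = 0x02, 0x12, 0x10
FRAMES = [                               # constructed capture: one inbound and one outbound conversation
    make_frame("203.0.113.9", 51000, HOST, 8443, SYN),
    make_frame(HOST, 8443, "203.0.113.9", 51000, SYN_ACK),
    make_frame(HOST, 40000, "198.51.100.2", 443, SYN),
    make_frame("198.51.100.2", 443, HOST, 40000, SYN_ACK),
    make_frame("203.0.113.9", 51000, HOST, 8443, ACK),
    make_frame(HOST, 40000, "198.51.100.2", 443, ACK),
]
```

For a real capture, feed it the packet records from a pcap reader and write the kept frames back out; UDP conversations have no handshake, so they need a different heuristic (the Snort rules above are likewise TCP-only).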