Please change the network filter to reflect your own network. This filter is independent of the specific worm instead it looks for SYN packets originating from a local network on those specific ports. Many worms try to spread by contacting other hosts on ports 135, 445, or 1433. It is the signature of the welchia worm just before it tries to compromise a system.
The filter looks for an icmp echo request that is 92 bytes long and has an icmp payload that begins with 4 bytes of A's (hex). Welchia worm: icmp=icmp-echo and ip=92 and icmp=0xAAAAAAAA ones that describe or show the actual payload?)īlaster worm: dst port 135 and tcp port 135 and ip=48
port 80 and tcp & 0xf0) > 2):4] = 0x47455420īlaster and Welchia are RPC worms. From Jefferson Ogata via the tcpdump-workers mailing list. Or dst net 192.168.0.0 mask 255.255.255.0Ĭapture only DNS (port 53) traffic: port 53Ĭapture non-HTTP and non-SMTP traffic on your server (both are equivalent): host and not (port 80 or port 25)Ĭapture except all ARP and DNS traffic: port not 53 and not arpĬapture traffic within a range of ports (tcp > 1500 and tcp 1500 and tcp > 2" figures out the TCP header length. The display filter can be changed above the packet list as can be seen in this picture:Ĭapture only traffic to or from IP address 172.18.5.4: host 172.18.5.4Ĭapture traffic to or from a range of IP addresses: net 192.168.0.0/24Ĭapture traffic from a range of IP addresses: src net 192.168.0.0/24 In the main window, one can find the capture filter just above the interfaces list and in the interfaces dialog. Display filters on the other hand do not have this limitation and you can change them on the fly. The latter are used to hide some packets from the packet list.Ĭapture filters are set before starting a packet capture and cannot be modified during the capture. The former are much more limited and are used to reduce the size of a raw packet capture. Capture filters (like tcp port 80) are not to be confused with display filters (like tcp.port = 80).
0 kommentar(er)
