In order to capture the start and end packets (the SYN and FIN packets) of each TCP conversation, the following TCP filter is applied - tcp[tcpflags] & (tcp-syn|tcp-fin) = 1 . Hopefully the above is in fact correct. What is the purpose of the [tcpflags] in the filter? Is it simply part of the syntax and thus a must-have whenever a filter concerning TCP flags is used? asked 26 Mar '13, 03:22 Dinged
One Answer:
The "tcpflags" in tcp[tcpflags] is just a static offset into the tcp header structure. It points to the 13th octet, which contains the TCP flags. When you compare against two flags, you can't use "= x" in your filter, as you do not know which of the flags will match. You can however use "!= 0" (not equal) to test whether any of them were set. So your filter will be:
Or without using the symbolic names:
answered 26 Mar '13, 04:10 SYN-bit ♦♦
Oh thanks for the clarification regarding the use of ! and != . Which flag does the '3' represent? I tried googling, but there's no information on which bit represents which TCP flag..
The 3 is a logical OR of the first two bits, which represent tcp-syn and tcp-fin. So your "(tcp-syn|tcp-fin)" actually means "(2|1)" and this results in "3".
(for the TCP flags, see http://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_segment_structure)
Oh, the bits are counted backwards from FIN? I was counting from NS. Thanks a lot. But in one example I found in a book, tcp[13] & 8 == 8 represents packets with the PSH flag. Shouldn't it be tcp[13] & 4 == 4?
Yes, bits are counted from the least significant bit (LSB), so the book is correct:
etc.
^ Thanks for the clear explanation. My knowledge of bits is sadly lacking. Kudos.
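The following is an added example (not part of the question, the answer or the comments above) that models the "tcp[13] & mask" tests from the thread in Python. It constructs minimal 20-byte TCP headers with chosen flags, reads the byte at offset 13 (what tcpdump calls tcp[13] or tcp[tcpflags]), and evaluates the question's "= 1" filter, the answer's "!= 0" filter and the book's PSH filter side by side. The flag bit values are the standard TCP ones; the header builder, the sample segments and the helper names are this example's own.

```python
# Added example, not code from the original thread: a small model of how
# tcpdump's "tcp[13] & mask" comparisons behave, run on constructed TCP headers.
import struct

# Bit values of the flags byte at offset 13 of the TCP header, counted from the
# least significant bit: FIN is bit 0 (value 1), SYN is bit 1 (value 2), and so on.
TCP_FLAGS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
    "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80,
}
SYN_OR_FIN = TCP_FLAGS["SYN"] | TCP_FLAGS["FIN"]   # (tcp-syn|tcp-fin) == 2|1 == 3


def build_tcp_header(flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Construct a minimal 20-byte TCP header (no options) carrying `flags`.
    Sequence/ack numbers, window, checksum and urgent pointer are dummy values."""
    data_offset = 5  # 5 x 32-bit words = 20 bytes, stored in the high nibble of byte 12
    return struct.pack("!HHIIBBHHH",
                       sport, dport, 0, 0,
                       data_offset << 4, flags, 65535, 0, 0)


def tcp_byte13(header: bytes) -> int:
    """The value tcpdump calls tcp[13] (or tcp[tcpflags]): the flags byte."""
    return header[13]


def flag_names(flags: int) -> list:
    """Decode a flags byte into flag names, LSB first."""
    return [name for name, bit in TCP_FLAGS.items() if flags & bit]


def match_eq_one(header: bytes) -> bool:
    """tcp[13] & (tcp-syn|tcp-fin) = 1  (the question's filter): only FIN matches."""
    return (tcp_byte13(header) & SYN_OR_FIN) == 1


def match_ne_zero(header: bytes) -> bool:
    """tcp[13] & (tcp-syn|tcp-fin) != 0  (the answer's filter): SYN or FIN matches."""
    return (tcp_byte13(header) & SYN_OR_FIN) != 0


def match_psh(header: bytes) -> bool:
    """tcp[13] & 8 == 8  (the book's filter): PSH is bit 3, value 8."""
    return (tcp_byte13(header) & 8) == 8


# Constructed sample segments (not captured traffic)
SAMPLES = {
    "SYN":     build_tcp_header(TCP_FLAGS["SYN"]),
    "SYN/ACK": build_tcp_header(TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"]),
    "ACK":     build_tcp_header(TCP_FLAGS["ACK"]),
    "PSH/ACK": build_tcp_header(TCP_FLAGS["PSH"] | TCP_FLAGS["ACK"]),
    "FIN/ACK": build_tcp_header(TCP_FLAGS["FIN"] | TCP_FLAGS["ACK"]),
}


def evaluate_all() -> dict:
    """Run the three filters over the samples; returns {name: (eq1, ne0, psh)}."""
    return {name: (match_eq_one(h), match_ne_zero(h), match_psh(h))
            for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, (eq1, ne0, psh) in evaluate_all().items():
        print(f"{name:8} tcp[13]=0x{tcp_byte13(SAMPLES[name]):02x} "
              f"{flag_names(SAMPLES[name])}  '=1':{eq1}  '!=0':{ne0}  PSH:{psh}")
```

Running it shows why the answer switched to "!= 0": the "= 1" form only matches segments whose masked value is exactly 1 (FIN set, SYN clear), so a SYN or SYN/ACK never matches, while "!= 0" matches both ends of the conversation. It also confirms the book's PSH mask of 8, since PSH is the fourth bit counted from the LSB.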