This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

about the filter of all tcp SYN and RST packet

0

Hi, I found a display filter expression "tcp[13]&6" which filters out all the TCP SYN and RST packets, but I don't understand how it works. I know the 13 is an offset and "&" is the bitwise operator, but what is the "6"? Why does this expression filter out the result mentioned above?

thank you

asked 18 Nov '13, 20:30


SteveZhou
accept rate: 0%


One Answer:

5

The last 3 bits of the TCP flags are

0000 0000 
      ||'---> FIN 
      |'----> SYN 
      '-----> RST

13 is the decimal byte offset of the flags byte into the TCP header. So &6 (0000 0110) tests whether the SYN or RST bit is set, i.e. the same as tcp.flags.syn==1 or tcp.flags.reset==1.

answered 18 Nov '13, 21:55


mrEEde
accept rate: 20%

edited 19 Nov '13, 01:49

got it, but why tcp[13] rather than any other number?

(19 Nov '13, 00:42) SteveZhou
1

13 is the decimal byte offset of the flags-byte into the TCP header

(19 Nov '13, 01:47) mrEEde

All right, it's the decimal byte offset. Thanks.

Another question is, how can I get to know this number quickly? Is there any reference document?

(19 Nov '13, 17:07) SteveZhou

thank you!

(19 Nov '13, 23:41) SteveZhou
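A worked check of the answer above, added here as an example that is not from the original thread: it derives offset 13 by summing the RFC 793 header fields that precede the flags byte (which answers the later comment about where the number comes from), builds a few constructed TCP headers with struct, and applies the same byte-and-mask test that tcp[13]&6 performs.

```python
import struct

# TCP header field layout from RFC 793, in order, with sizes in bytes.
# Summing the sizes of the fields before "flags" gives the byte offset
# that tcp[13] refers to.
TCP_FIELDS = [
    ("src_port", 2),
    ("dst_port", 2),
    ("seq", 4),
    ("ack", 4),
    ("data_offset_reserved", 1),  # 4-bit data offset + 4 reserved bits
    ("flags", 1),                 # CWR ECE URG ACK PSH RST SYN FIN
    ("window", 2),
    ("checksum", 2),
    ("urgent_pointer", 2),
]

# Bit value of each flag within the flags byte (FIN is the least significant).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}

def field_offset(name):
    """Byte offset of a field in the fixed TCP header (e.g. 'flags' -> 13)."""
    offset = 0
    for field, size in TCP_FIELDS:
        if field == name:
            return offset
        offset += size
    raise KeyError(name)

def build_tcp_header(flags, src_port=40000, dst_port=80, seq=1, ack=0):
    """Constructed 20-byte TCP header (no options) with the given flag bits."""
    data_offset = 5 << 4  # header length of 5 x 32-bit words, reserved bits 0
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags, 65535, 0, 0)

def matches_byte_filter(tcp_header, offset=13, mask=0x06):
    """Equivalent of the display filter tcp[13]&6: a non-zero result matches."""
    return (tcp_header[offset] & mask) != 0

def flag_names(tcp_header):
    """Decode the flags byte into the names of the bits that are set."""
    byte = tcp_header[field_offset("flags")]
    return [name for name, bit in FLAG_BITS.items() if byte & bit]

if __name__ == "__main__":
    samples = [("SYN", 0x02), ("SYN/ACK", 0x12), ("ACK", 0x10),
               ("RST/ACK", 0x14), ("FIN/ACK", 0x11)]
    for label, flags in samples:
        hdr = build_tcp_header(flags)
        print(f"{label:8} tcp[13]=0x{hdr[13]:02x} {flag_names(hdr)} "
              f"-> matches tcp[13]&6: {matches_byte_filter(hdr)}")
```

Only the SYN, SYN/ACK and RST/ACK samples match, because the mask 0x06 ignores every bit except SYN (0x02) and RST (0x04).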