This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TCP flags capture filter

1

With the "Wireshark: Capture Options" dialog, I'm trying to use a custom "Capture Filter"

I want to capture reset packets only (display filter equivalent: tcp.flags.reset ==1)

asked 13 Dec '11, 09:18

Peter_Clark's gravatar image

Peter_Clark
1612
accept rate: 0%


One Answer:

2

On older versions of UN*X, the command man tcpdump will give, among other things, documentation about capture filters; on newer versions, man pcap-filter will give that documentation.

The key part is

   expr relop expr
          True  if the relation holds, where relop is one of >, <, >=, <=,
          =, !=, and expr is an arithmetic expression composed of  integer
          constants  (expressed  in  standard C syntax), the normal binary
          operators [+, -, *, /, &, |, <<, >>],  a  length  operator,  and
          special  packet  data  accessors.  Note that all comparisons are
          unsigned, so that, for example, 0x80000000 and 0xffffffff are  >
          0.  To access data inside the packet, use the following syntax:
               proto [ expr : size ]
          Proto is one of ether, fddi, tr, wlan, ppp, slip, link, ip, arp,
          rarp, tcp, udp, icmp, ip6 or radio, and indicates  the  protocol
          layer  for  the  index  operation.  (ether, fddi, wlan, tr, ppp,
          slip and link all refer to the link layer. radio refers  to  the
          "radio  header"  added to some 802.11 captures.)  Note that tcp,
          udp and other upper-layer protocol types only apply to IPv4, not
          IPv6 (this will be fixed in the future).  The byte offset, rela-
          tive to the indicated protocol layer, is given by expr.  Size is
          optional  and  indicates  the  number  of  bytes in the field of
          interest; it can be either one, two, or four,  and  defaults  to
          one.   The  length operator, indicated by the keyword len, gives
          the length of the packet.
      For example, `ether[0] &amp; 1 != 0&#39; catches all multicast  traffic.
      The  expression `ip[0] &amp; 0xf != 5&#39; catches all IPv4 packets with
      options.  The expression `ip[6:2] &amp; 0x1fff  =  0&#39;  catches  only
      unfragmented  IPv4  datagrams  and  frag zero of fragmented IPv4
      datagrams.  This check is implicitly applied to the tcp and  udp
      index  operations.   For instance, tcp[0] always means the first
      byte of the TCP header, and never means the  first  byte  of  an
      intervening fragment.

      Some  offsets  and field values may be expressed as names rather
      than as numeric values.  The  following  protocol  header  field
      offsets  are  available:  icmptype  (ICMP  type field), icmpcode
      (ICMP code field), and tcpflags (TCP flags field).

      The following ICMP type field values are available: icmp-echore-
      ply,  icmp-unreach, icmp-sourcequench, icmp-redirect, icmp-echo,
      icmp-routeradvert,  icmp-routersolicit,   icmp-timxceed,   icmp-
      paramprob,  icmp-tstamp,  icmp-tstampreply, icmp-ireq, icmp-ire-
      qreply, icmp-maskreq, icmp-maskreply.

      The following TCP flags field  values  are  available:  tcp-fin,
      tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg.</code></pre><p>In particular, unless Wireshark is using an older version of libpcap/WinPcap, as per the "Some offsets and field values may be expressed as names..." section, filtering for RST packets can be done with <code>tcp[tcpflags] &amp; tcp-rst != 0</code>.</p></div><div class="answer-controls post-controls"></div><div class="post-update-info-container"><div class="post-update-info post-update-info-user"><p>answered <strong>13 Dec '11, 10:40</strong></p><img src="https://secure.gravatar.com/avatar/f93de7000747ab5efb5acd3034b2ebd7?s=32&amp;d=identicon&amp;r=g" class="gravatar" width="32" height="32" alt="Guy%20Harris&#39;s gravatar image" /><p><span>Guy Harris ♦♦</span><br />

17.4k335196
accept rate: 19%