In order to capture the start and end packets (the SYN and FIN packets) of each TCP conversation, the following TCP filter is applied: tcp[tcpflags] & (tcp-syn|tcp-fin) = 1.

Hopefully the above is in fact correct.

What is the purpose of the [tcpflags] in the filter? Is it simply part of the syntax and thus a must-have whenever a filter concerning TCP flags is used?

asked 26 Mar '13, 03:22


Dinged
accept rate: 0%


The "tcpflags" in tcp[tcpflags] is just a static offset into the tcp header structure. It points to the 13th octet, which contains the TCP flags.

When you compare against two flags, you can't use "= x" in your filter, as you do not know which of the flags will match. You can however use "!= 0" (not equal) to test whether any of them were set. So your filter will be:

tcp[tcpflags] & (tcp-syn|tcp-fin) != 0

Or without using the symbolic names:

tcp[13] & 3 != 0

answered 26 Mar '13, 04:10


SYN-bit ♦♦
accept rate: 19%

Oh thanks for the clarification regarding the use of ! and !=. Which flag does the '3' represent? I tried googling, but there's no information on which bit represents which TCP flag.

(26 Mar '13, 05:26) Dinged

The 3 is a logical OR of the first two bits, which represent tcp-syn and tcp-fin. So your "(tcp-syn|tcp-fin)" actually means "(2|1)" and this results in "3".

(for the TCP flags, see http://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_segment_structure)

(26 Mar '13, 05:42) SYN-bit ♦♦

Oh, the bits are counted backwards from FIN? I was counting from NS. Thanks a lot. But in one example I found in a book, tcp[13] & 8 == 8 represents packets with PSH flags. Shouldn't it be tcp[13] & 4 == 4?

(26 Mar '13, 05:56) Dinged

Yes, bits are counted from the least significant bit (LSB), so the book is correct:

  • FIN is the 0th bit, so its value is 2^0=1
  • SYN is the 1st bit, so its value is 2^1=2
  • RST is the 2nd bit, so its value is 2^2=4
  • PSH is the 3rd bit, so its value is 2^3=8

etc.

(26 Mar '13, 12:03) SYN-bit ♦♦

^ Thanks for the clear explanation. My knowledge of bits is sadly lacking. Kudos.

(26 Mar '13, 18:48) Dinged
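The three expressions discussed in this thread, evaluated against constructed TCP headers so the difference between "= 1" and "!= 0" is visible. This is an added example, not code from the question or the answers; the header builder, the flag constants and the sample segments are all constructed here.

```python
# Added example: evaluate the BPF expressions from the thread against
# constructed TCP headers. Flag constants and segments are constructed.
import struct

# Bit values of the flags in octet 13 of the TCP header, counted from the LSB.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 1, 2, 4, 8, 16, 32


def build_tcp_header(sport, dport, flags):
    """Build a minimal 20-byte TCP header (no options) carrying the given flags."""
    seq, ack = 0, 0
    data_offset = 5 << 4  # five 32-bit words; reserved bits stay zero
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flags, 65535, 0, 0)


def tcp_flags(header):
    """tcp[13]: the flags octet, the same offset tcpdump's tcp[tcpflags] names."""
    return header[13]


def syn_fin_eq_1(header):
    """The question's filter: tcp[tcpflags] & (tcp-syn|tcp-fin) = 1."""
    return (tcp_flags(header) & (TCP_SYN | TCP_FIN)) == 1


def syn_or_fin(header):
    """The answer's filter: tcp[tcpflags] & (tcp-syn|tcp-fin) != 0."""
    return (tcp_flags(header) & (TCP_SYN | TCP_FIN)) != 0


def has_psh(header):
    """The book's filter: tcp[13] & 8 == 8."""
    return (tcp_flags(header) & 8) == 8


# Constructed segments covering a handshake, a data push and a teardown.
SEGMENTS = {
    "syn":     build_tcp_header(40000, 80, TCP_SYN),
    "syn-ack": build_tcp_header(80, 40000, TCP_SYN | TCP_ACK),
    "ack":     build_tcp_header(40000, 80, TCP_ACK),
    "psh-ack": build_tcp_header(40000, 80, TCP_PSH | TCP_ACK),
    "fin-ack": build_tcp_header(40000, 80, TCP_FIN | TCP_ACK),
}


def evaluate(filter_fn):
    """Return the names of the segments the given filter would capture."""
    return [name for name, hdr in SEGMENTS.items() if filter_fn(hdr)]


if __name__ == "__main__":
    print("= 1 :", evaluate(syn_fin_eq_1))  # ['fin-ack']
    print("!= 0:", evaluate(syn_or_fin))    # ['syn', 'syn-ack', 'fin-ack']
    print("psh :", evaluate(has_psh))       # ['psh-ack']
```

The "= 1" form only matches when the masked result is exactly FIN, so every SYN is missed; the "!= 0" form catches both ends of the conversation.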
Asked: 26 Mar '13, 03:22
Last updated: 26 Mar '13, 20:34