In order to capture the start and end packets (the SYN and FIN packets) of each TCP conversation, the following TCP filter is applied - tcp[tcpflags] & (tcp-syn|tcp-fin) = 1 .
Hopefully the above is in fact correct.
What is the purpose of the [tcpflags] in the filter ? Is it simply part of the syntax and thus a must-have whenever a filter concerning tcp flags are used ?
asked 26 Mar '13, 03:22
The "tcpflags" in tcp[tcpflags] is just a static offset into the tcp header structure. It points to the 13th octet, which contains the TCP flags.
When you compare against two flags, you can't use "= x" in your filter, as you do not know which of the flags will match. You can however use "!= 0" (not equal) to test whether any of them were set. So your filter will be:
Or without using the symbolic names:
answered 26 Mar '13, 04:10