In order to capture the start and end packets (the SYN and FIN packets) of each TCP conversation, the following TCP filter is applied: tcp[tcpflags] & (tcp-syn|tcp-fin) = 1.

Hopefully the above is in fact correct.

What is the purpose of the [tcpflags] in the filter? Is it simply part of the syntax and thus a must-have whenever a filter concerning TCP flags is used?

asked 26 Mar '13, 03:22

Dinged

The "tcpflags" in tcp[tcpflags] is just a static offset into the tcp header structure. It points to the 13th octet, which contains the TCP flags.

When you compare against two flags, you can't use "= x" in your filter, as you do not know which of the flags will match. You can however use "!= 0" (not equal) to test whether any of them were set. So your filter will be:

tcp[tcpflags] & (tcp-syn|tcp-fin) != 0

Or without using the symbolic names:

tcp[13] & 3 != 0

answered 26 Mar '13, 04:10

SYN-bit ♦♦
Oh, thanks for the clarification regarding the use of ! and !=. Which flag does the '3' represent? I tried googling, but there's no information on which bit represents which TCP flag.

(26 Mar '13, 05:26) Dinged
The 3 is a logical OR of the first two bits, which represent tcp-syn and tcp-fin. So your "(tcp-syn|tcp-fin)" actually means "(2|1)", and this results in "3".

(for the TCP flags, see http://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_segment_structure)

(26 Mar '13, 05:42) SYN-bit ♦♦

Oh, the bits are counted backwards from FIN? I was counting from NS. Thanks a lot. But in one example I found in a book, tcp[13] & 8 == 8 represents packets with the PSH flag. Shouldn't it be tcp[13] & 4 == 4?

(26 Mar '13, 05:56) Dinged
Yes, bits are counted from the least significant bit (LSB), so the book is correct:

  • FIN is the 0th bit, so its value is 2^0=1
  • SYN is the 1st bit, so its value is 2^1=2
  • RST is the 2nd bit, so its value is 2^2=4
  • PSH is the 3rd bit, so its value is 2^3=8

etc.

(26 Mar '13, 12:03) SYN-bit ♦♦

^ Thanks for the clear explanation. My knowledge of bits is sadly lacking. Kudos.

(26 Mar '13, 18:48) Dinged
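The following is an added example, not code from the thread or from Wireshark/libpcap. It builds a few constructed 20-byte TCP headers, reads the flags byte at offset 13 (what the filter calls tcp[tcpflags]), and evaluates both the original "= 1" filter and the corrected "!= 0" filter over them, so the difference the answer and the later comments describe (SYN alone gives 2, FIN alone gives 1, so only "!= 0" catches both) is visible on real bytes. The flag bit values follow the LSB-first numbering from SYN-bit's comment; the packet contents and port numbers are made-up sample data.

```python
import struct

# TCP flag bit values in the flags octet (tcp[13]), counted from the least
# significant bit upward, as described in the comments above.
TCP_FLAGS = {
    "FIN": 1, "SYN": 2, "RST": 4, "PSH": 8,
    "ACK": 16, "URG": 32, "ECE": 64, "CWR": 128,
}


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=65535):
    """Build a minimal 20-byte TCP header (constructed sample: no options,
    checksum and urgent pointer left at zero)."""
    data_offset = 5                       # header length in 32-bit words
    offset_byte = data_offset << 4        # high nibble = data offset, low nibble = reserved/NS
    # H=src, H=dst, I=seq, I=ack, B=offset/reserved, B=flags, H=window, H=checksum, H=urgent
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       offset_byte, flags, window, 0, 0)


def tcp_flags(header):
    """Return the flags octet, i.e. tcp[13] in pcap-filter notation."""
    return header[13]


def decode_flags(flags_byte):
    """Names of the flags set in a flags octet, listed from bit 0 (FIN) upward."""
    return [name for name, bit in sorted(TCP_FLAGS.items(), key=lambda kv: kv[1])
            if flags_byte & bit]


def filter_original(header):
    """The filter from the question: tcp[tcpflags] & (tcp-syn|tcp-fin) = 1.
    True only when the masked value is exactly 1, i.e. FIN set and SYN clear,
    so a plain SYN (masked value 2) is missed."""
    return (tcp_flags(header) & (TCP_FLAGS["SYN"] | TCP_FLAGS["FIN"])) == 1


def filter_corrected(header):
    """The filter from the answer: tcp[13] & 3 != 0. True when SYN or FIN (or both) is set."""
    return (tcp_flags(header) & 3) != 0


def filter_psh(header):
    """The book's PSH filter from the comments: tcp[13] & 8 == 8."""
    return (tcp_flags(header) & 8) == 8


def run_filter(packets, predicate):
    """Apply a filter predicate to labelled packets and return the labels that match."""
    return [label for label, header in packets if predicate(header)]


# Constructed sample packets: one TCP conversation's handshake, data and teardown.
SAMPLE_PACKETS = [
    ("client SYN",     build_tcp_header(40000, 80, TCP_FLAGS["SYN"])),
    ("server SYN/ACK", build_tcp_header(80, 40000, TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"])),
    ("client ACK",     build_tcp_header(40000, 80, TCP_FLAGS["ACK"])),
    ("client PSH/ACK", build_tcp_header(40000, 80, TCP_FLAGS["PSH"] | TCP_FLAGS["ACK"])),
    ("client FIN/ACK", build_tcp_header(40000, 80, TCP_FLAGS["FIN"] | TCP_FLAGS["ACK"])),
    ("server FIN/ACK", build_tcp_header(80, 40000, TCP_FLAGS["FIN"] | TCP_FLAGS["ACK"])),
]


if __name__ == "__main__":
    for label, header in SAMPLE_PACKETS:
        print(f"{label:15s} tcp[13]={tcp_flags(header):3d} flags={decode_flags(tcp_flags(header))}")
    print("original  (= 1):", run_filter(SAMPLE_PACKETS, filter_original))
    print("corrected (!= 0):", run_filter(SAMPLE_PACKETS, filter_corrected))
    print("PSH (& 8 == 8):", run_filter(SAMPLE_PACKETS, filter_psh))
```

Running it shows the original filter only returns the two FIN/ACK segments, because SYN masked by 3 yields 2, not 1, while the corrected filter returns both SYN segments and both FIN segments; the PSH filter picks out only the PSH/ACK segment, confirming that PSH is bit 3 (value 8).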