This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TCP protocol filter

0

In order to capture the start and end packets (the SYN and FIN packets) of each TCP conversation, the following TCP filter is applied: tcp[tcpflags] & (tcp-syn|tcp-fin) = 1

Hopefully the above is in fact correct.

What is the purpose of the [tcpflags] in the filter? Is it simply part of the syntax and thus a must-have whenever a filter concerning TCP flags is used?

asked 26 Mar '13, 03:22


Dinged


One Answer:

4

The "tcpflags" in tcp[tcpflags] is just a static offset into the tcp header structure. It points to the 13th octet, which contains the TCP flags.

When you compare against two flags, you can't use "= x" in your filter, as you do not know which of the flags will match. You can however use "!= 0" (not equal) to test whether any of them were set. So your filter will be:

tcp[tcpflags] & (tcp-syn|tcp-fin) != 0

Or without using the symbolic names:

tcp[13] & 3 != 0

answered 26 Mar '13, 04:10


SYN-bit ♦♦

Oh thanks for the clarification regarding the use of ! and !=. Which flag does the '3' represent? I tried googling, but there's no information on which bit represents which TCP flag.

(26 Mar '13, 05:26) Dinged
2

The 3 is a logical OR of the first two bits, which represent tcp-syn and tcp-fin. So your "(tcp-syn|tcp-fin)" actually means "(2|1)" and this results in "3".

(for the TCP flags, see http://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_segment_structure)

(26 Mar '13, 05:42) SYN-bit ♦♦

Oh, the bits are counted backwards from FIN? I was counting from NS. Thanks a lot. But in one example I found in a book, tcp[13] & 8 == 8 represents packets with PSH flags. Shouldn't it be tcp[13] & 4 == 4?

(26 Mar '13, 05:56) Dinged
2

Yes, bits are counted from the least significant bit (LSB), so the book is correct:

  • FIN is the 0th bit, so its value is 2^0=1
  • SYN is the 1st bit, so its value is 2^1=2
  • RST is the 2nd bit, so its value is 2^2=4
  • PSH is the 3rd bit, so its value is 2^3=8

etc.

(26 Mar '13, 12:03) SYN-bit ♦♦

^ Thanks for the clear explanation. My knowledge of bits is sadly lacking. Kudos.

(26 Mar '13, 18:48) Dinged