tcpdump mailing list archives

Re: tcpdump filter for active probing


From: Guy Harris <guy () alum mit edu>
Date: Thu, 16 Mar 2006 17:03:38 -0800


On Mar 16, 2006, at 3:32 PM, J S wrote:

I am trying to set up active TCP probing b/w two nodes, however I am facing difficulty in setting up a tcpdump filter. I would like to capture the TCP data packets which I am generating.
When I use this filter
'tcpdump src host SRC and dst host DST and tcp[tcpflags]=0'
the filter didn't capture any packets.

So how do I capture data packets and ignore TCP flag packets?

What's a "flag packet"?

If a "flag packet" is the opposite of a "data packet" - i.e., a packet cannot both be a "flag packet" and a "data packet" - then, as a "data packet" is presumably a TCP packet with a non-zero amount of payload, a "flag packet" would be a TCP packet whose length, at the TCP layer, is the same as the length of the TCP header.

If, however, a "flag packet" is a packet whose TCP flag field is non-zero, then a packet can be both a "flag packet" and a "data packet" - and, in fact, *ALL* TCP packets are flag packets; RFC 793 says

  Acknowledgment Number:  32 bits

    If the ACK control bit is set this field contains the value of the
    next sequence number the sender of the segment is expecting to
    receive.  Once a connection is established this is always sent.

so the ACK flag is set in *ALL* TCP packets once the connection has been established (i.e., once the connecting machine ACKs the connected-to machine's SYN+ACK), and the only packets that can be sent before the connection has been established are either SYN, SYN+ACK, or ACK packets, so they are flag packets, too. I.e., *all* TCP packets are flag packets.

        http://www.tcpdump.org/lists/workers/2005/11/msg00027.html

shows how to construct a filter that captures only TCP packets with data in them. If it's not available, try the Google cache:

http://72.14.203.104/search?q=cache:Gp-__401cXYJ:www.tcpdump.org/lists/workers/2005/11/msg00027.html+%22guy+harris%22+tcp+ip+length+filter+ack&hl=en&gl=us&ct=clnk&cd=1&client=safari
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
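The length test described above (a TCP segment carries data only when its length at the TCP layer exceeds the TCP header length) can be reproduced in Python against constructed IPv4/TCP packets. This is an added example, not code from the message or from the linked post; the tcpdump expression in `DATA_FILTER` is the usual way to write that check in BPF syntax, and whether it matches the linked message word for word is not something this page shows.

```python
import struct

# IPv4 only: total length (ip[2:2]) minus IP header length ((ip[0]&0xf)<<2)
# minus TCP header length ((tcp[12]&0xf0)>>2) is the payload length.
DATA_FILTER = "tcp and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)"

ACK = 0x10
PSH = 0x08


def tcp_payload_len(pkt: bytes) -> int:
    """Payload bytes in an IPv4/TCP packet given without a link-layer header."""
    ihl = (pkt[0] & 0x0F) * 4                        # IP header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]     # IP total length
    data_off = (pkt[ihl + 12] >> 4) * 4              # TCP data offset in bytes
    return total_len - ihl - data_off


def tcp_flags(pkt: bytes) -> int:
    """The TCP flags byte (tcp[13] in tcpdump syntax)."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[ihl + 13]


def matches_flags_zero(pkt: bytes) -> bool:
    """What the poster's filter 'tcp[tcpflags]=0' tests; ACK is always set after setup."""
    return tcp_flags(pkt) == 0


def is_data_packet(pkt: bytes) -> bool:
    """What DATA_FILTER tests: a non-zero TCP payload length."""
    return tcp_payload_len(pkt) != 0


def build_packet(flags: int, payload: bytes) -> bytes:
    """Constructed minimal IPv4+TCP packet (no options, checksums left zero) for testing."""
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp + payload


if __name__ == "__main__":
    pure_ack = build_packet(ACK, b"")
    segment = build_packet(ACK | PSH, b"GET / HTTP/1.0\r\n\r\n")
    for name, pkt in (("pure ACK", pure_ack), ("data segment", segment)):
        print(name, "payload", tcp_payload_len(pkt), "bytes; flags=0:",
              matches_flags_zero(pkt), "; data:", is_data_packet(pkt))
```

Neither constructed packet matches the flags-equal-zero test, while only the segment with payload matches the length-based filter.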
