Re: tcpdump filter for active probing

["J S" <geekreader () gmail com>]

Thanks! It worked..

another question..

In my experiment, both the nodes are sending probes to each other. If I
would like to distinguish between
the packets send by the two nodes at each end,
one simple but probably not an efficient way is to run two seperate pcap
filters at each node and capture them seperately.
But I was wondering, if it is possible to differentiate the packets (by
sender ) by examining pcap header or any other mechanism provided by the
library as I would like to use one filter at each end.

Thanks again

J S

On 3/16/06, Guy Harris <guy () alum mit edu> wrote:
> On Mar 16, 2006, at 3:32 PM, J S wrote:
>
> > I am trying to setup active tcp probing b/w two nodes, however I am
> > facing
> > difficulty in setting up tcpdump filter. I would like to capture
> > the tcp
> > data packets which I am generating.
> > when I use this filter
> > 'tcpdump src host SRC and  dst host DST and  tcp [tcpflags]=0'
> >  the filter didn't capture any packets.
> >
> > so how do I capture data packets and ignore tcp flag packets.
>
> What's a "flag packet"?
>
> If a "flag packet" is the opposite of a "data packet" - i.e., a
> packet cannot both be a "flag packet" and a "data packet" - then, as
> a "data packet" is presumably a TCP packet with a non-zero amount of
> payload, a "flag packet" would be a TCP packet whose length, at the
> TCP layer, is the same as the length of the TCP header.
>
> If, however, a "flag packet" is a packet whose TCP flag field is non-
> zero, then a packet can be both a "flag packet" and a "data packet" -
> and, in fact, *ALL* TCP packets are flag packets; RFC 793 says
>
>    Acknowledgment Number:  32 bits
>
>      If the ACK control bit is set this field contains the value of the
>      next sequence number the sender of the segment is expecting to
>      receive.  Once a connection is established this is always sent.
>
> so the ACK flag is set in *ALL* TCP packets once the connection has
> been established (i.e, once the connecting machine ACKs the connected-
> to machine's SYN+ACK), and the only packets that can be sent before
> the connection has been established are either SYN, SYN+ACK, or ACK
> packets, so they are flag packets, too.  I.e., *all* TCP packets are
> flag packets.
>
>         http://www.tcpdump.org/lists/workers/2005/11/msg00027.html
>
> shows how to construct a filter that captures only TCP packets with
> data in them.  If it's not available, try the Google cache
>
>         http://72.14.203.104/search?q=cache:Gp-__401cXYJ:www.tcpdump.org/
> lists/workers/2005/11/msg00027.html+%22guy+harris%22+tcp+ip+length
> +filter+ack&hl=en&gl=us&ct=clnk&cd=1&client=safari
> -
> This is the tcpdump-workers list.
> Visit https://lists.sandelman.ca/ to unsubscribe.
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.