tcpdump mailing list archives

tcpdump output clarification


From: Michael Downey <miked315 () gmail com>
Date: Mon, 22 Oct 2012 16:36:48 -0500

I am having trouble fully understanding what exactly a '.' stands for when
following another flag in the tcpdump output, for example [S.]. The reason
I am having trouble with this is that separate versions of the man
page explain this differently. While researching this, I've come across
many forums where others have the same question.

Here's an excerpt from the tcpdump man page on OSX 10.7:

"The general format of a tcp protocol line is:

       src > dst: flags data-seqno ack window urgent options

Src and dst are the source and destination IP addresses and ports. Flags are
some combination of S (SYN), F (FIN), P (PUSH), R (RST), W (ECN CWR) or
E (ECN-Echo), or a single `.' (no flags). Data-seqno describes the portion of
sequence space covered by the data in this packet (see example below). Ack is
sequence number of the next data expected the other direction on this
connection. Window is the number of bytes of receive buffer space available
the other direction on this connection. Urg indicates there is `urgent' data
in the packet. Options are tcp options enclosed in angle brackets (e.g.,
<mss 1024>)."
^ ACK and URG flags are not mentioned. I assumed from this output that a
following '.' as with [S.] would represent a flag that is not S, F, P, R,
W, or E, meaning that this flag would either be ACK or URG.


Now, here's an excerpt from the tcpdump man page on Ubuntu 12.04 LTS:

"The general format of a tcp protocol line is:

       src > dst: flags data-seqno ack window urgent options

Src and dst are the source and destination IP addresses and ports. Flags are
some combination of S (SYN), F (FIN), P (PUSH), R (RST), *U (URG)*, W (ECN CWR),
E (ECN-Echo) *or `.' (ACK),* or `none' if no flags are set. Data-seqno
describes the portion of sequence space covered by the data in this packet
(see example below). Ack is sequence number of the next data expected the
other direction on this connection. Window is the number of bytes of receive
buffer space available the other direction on this connection. Urg indicates
there is `urgent' data in the packet. Options are tcp options enclosed in
angle brackets (e.g., <mss 1024>)."


Here, the man page shows URG as an option, and lists '.' as an ACK flag. It
also states that `none' would be shown if no flags are set (unlike the OSX
10.7 man page, which shows '.' representing no flags).

On FreeBSD 8 that whole explanation is missing in tcpdump's man page.

If there is any way I can get a clear explanation on this, that would be
wonderful. Thank you for your time.
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
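As an added example, not from the post or from the tcpdump project, the parser below reads the flag field of modern tcpdump TCP lines using the convention in the Ubuntu 12.04 man page excerpt quoted above ('.' is ACK, `none' means no flags), so a SYN-ACK appears as [S.]. It assumes the "Flags [..]" output format of current tcpdump; the sample lines and the helper names are constructed for illustration.

```python
import re
# tcpdump flag codes -> TCP flag names, per the Ubuntu man page excerpt ('.' = ACK).
FLAG_CODES = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST",
              "U": "URG", "W": "CWR", "E": "ECE", ".": "ACK"}
LINE_RE = re.compile(r"IP (\S+) > (\S+): Flags \[([^\]]*)\]")  # "IP src > dst: Flags [..]"

def parse_flags(field):
    """Turn a flag field such as 'S.' into a set of names; 'none' means no flags."""
    if field == "none":
        return set()
    flags = set()
    for code in field:
        if code not in FLAG_CODES:  # fail loudly if tcpdump's notation changes
            raise ValueError(f"unknown tcpdump flag code {code!r}")
        flags.add(FLAG_CODES[code])
    return flags

def parse_line(line):
    """Return src, dst and flag set for a TCP line, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, field = m.groups()
    return {"src": src, "dst": dst, "flags": parse_flags(field)}

def classify(flags):
    """Name the role of a packet from its flag set (handshake, data, reset)."""
    if flags == {"SYN"}:
        return "SYN"
    if flags == {"SYN", "ACK"}:
        return "SYN-ACK"
    if "RST" in flags:
        return "RST"
    if "PSH" in flags:
        return "DATA"
    return "ACK" if flags == {"ACK"} else "OTHER"

def packet_roles(text):
    # Classify every TCP line in a block of tcpdump output, in order.
    parsed = (parse_line(line) for line in text.splitlines())
    return [classify(p["flags"]) for p in parsed if p]

# Constructed sample in tcpdump's modern output format (not a real capture).
SAMPLE = """\
12:00:00.000001 IP 10.0.0.5.51234 > 10.0.0.9.22: Flags [S], seq 1000, win 65535, length 0
12:00:00.000002 IP 10.0.0.9.22 > 10.0.0.5.51234: Flags [S.], seq 2000, ack 1001, win 65535, length 0
12:00:00.000003 IP 10.0.0.5.51234 > 10.0.0.9.22: Flags [.], ack 2001, win 65535, length 0
12:00:00.000004 IP 10.0.0.5.51234 > 10.0.0.9.22: Flags [P.], seq 1001:1021, ack 2001, win 65535, length 20
12:00:00.000005 IP 10.0.0.9.22 > 10.0.0.5.51234: Flags [R.], seq 2001, ack 1021, win 0, length 0
"""
```

Running `packet_roles(SAMPLE)` yields the three-way handshake followed by a data segment and a reset, which is how the [S], [S.], [.] sequence in the post reads under the '.' = ACK convention.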