worked with the tcpdump folks on an updated set of examples for the tcpdump man page https://www.tcpdump.org/manpages/tcpdump.1.html#lbAF

the idea is that if you've forgotten how tcpdump's basic flags work, you can find a quick reference in the man page!


@b0rk or others, is there a page that explains a filter like this: tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)

I have no idea what is going on here. This is from the pcap filter man page. Why the masking and shifting and what is up with ip[2:2]? This part of tcpdump has remained a mystery to me for decades.

Checking Wikipedia https://en.wikipedia.org/wiki/IPv4#Header and
https://en.wikipedia.org/wiki/Transmission_Control_Protocol

  • ip[2:2] is the size of the IP packet.
  • ((ip[0]&0xf)<<2) is the size of the IP header
  • ((tcp[12]&0xf0)>>2) is the start of data in the tcp packets
So, this is filtering for tcp packets that have data (i.e., the TCP data offset is not equal to the end of the IP packet). This is a good example of inspecting packets directly, but definitely needs some additional explanation. Examples should probably not assume a fresh understanding of the protocol header structure.

CC: @[email protected]

@ori @b0rk Small correction. The last one is the size of the TCP header, encoded in the high nibble of byte 12. I dove into this last night and finally understood it. It takes the full length of the IP packet (which wraps the TCP packet) and subtracts the IP and TCP header lengths. If the result is zero, we have a packet without data.
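Putting the byte-offset breakdown and the correction about tcp[12] together, here is an added Python example (not from the thread, the man page, or tcpdump itself) that evaluates the same arithmetic over constructed IPv4/TCP packets, so you can see why a bare ACK is excluded and why IP and TCP options do not break the calculation. The addresses, ports and the packet builder are assumptions made up for the example.

```python
import struct

# Constructed sample packets: addresses, ports and the builder are invented
# for this example; nothing here is captured traffic.
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])

def build_ipv4_tcp(payload: bytes, dport: int = 80,
                   ip_options: bytes = b"", tcp_options: bytes = b"") -> bytes:
    """Build an IPv4+TCP packet; option blobs must be multiples of 4 bytes."""
    ihl = 5 + len(ip_options) // 4            # IP header length in 32-bit words
    doff = 5 + len(tcp_options) // 4          # TCP data offset in 32-bit words
    total_len = ihl * 4 + doff * 4 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len,
                         0, 0, 64, 6, 0, SRC, DST) + ip_options
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0,
                          doff << 4, 0x10, 65535, 0, 0) + tcp_options  # 0x10 = ACK
    return ip_hdr + tcp_hdr + payload

def tcp_payload_len(pkt: bytes) -> int:
    """The filter's arithmetic, term by term, on a raw IPv4 packet."""
    ip_total = struct.unpack_from("!H", pkt, 2)[0]   # ip[2:2]: IP total length
    ip_hlen = (pkt[0] & 0x0F) << 2                   # (ip[0]&0xf)<<2: IHL words -> bytes
    tcp = pkt[ip_hlen:]                              # tcp[N] offsets are relative to here
    tcp_hlen = (tcp[12] & 0xF0) >> 2                 # (tcp[12]&0xf0)>>2: high nibble * 4
    return ip_total - ip_hlen - tcp_hlen

def matches_filter(pkt: bytes) -> bool:
    """Mirror of: tcp port 80 and (<payload-length expression> != 0)."""
    if pkt[9] != 6:                                  # IP protocol field must be TCP
        return False
    ip_hlen = (pkt[0] & 0x0F) << 2
    sport, dport = struct.unpack_from("!HH", pkt, ip_hlen)
    return 80 in (sport, dport) and tcp_payload_len(pkt) != 0

if __name__ == "__main__":
    samples = [
        ("bare ACK", build_ipv4_tcp(b"")),
        ("GET with IP and TCP options",
         build_ipv4_tcp(b"GET / HTTP/1.1\r\n", ip_options=b"\x00" * 4,
                        tcp_options=b"\x01" * 12)),
    ]
    for label, pkt in samples:
        print(f"{label}: payload={tcp_payload_len(pkt)} match={matches_filter(pkt)}")
```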