tcpdump mailing list archives
Re: tcpdump filter for active probing
From: "J S" <geekreader () gmail com>
Date: Fri, 17 Mar 2006 09:54:59 -0500
Thanks! It worked.. another question.. In my experiment, both the nodes are sending probes to each other. If I would like to distinguish between the packets sent by the two nodes at each end, one simple but probably not an efficient way is to run two separate pcap filters at each node and capture them separately. But I was wondering, if it is possible to differentiate the packets (by sender) by examining the pcap header or any other mechanism provided by the library, as I would like to use one filter at each end.

Thanks again
J S

On 3/16/06, Guy Harris <guy () alum mit edu> wrote:
> On Mar 16, 2006, at 3:32 PM, J S wrote:
>
>> I am trying to set up active tcp probing b/w two nodes, however I am facing difficulty in setting up the tcpdump filter. I would like to capture the tcp data packets which I am generating. When I use this filter 'tcpdump src host SRC and dst host DST and tcp [tcpflags]=0' the filter didn't capture any packets. So how do I capture data packets and ignore tcp flag packets.
>
> What's a "flag packet"?
>
> If a "flag packet" is the opposite of a "data packet" - i.e., a packet cannot both be a "flag packet" and a "data packet" - then, as a "data packet" is presumably a TCP packet with a non-zero amount of payload, a "flag packet" would be a TCP packet whose length, at the TCP layer, is the same as the length of the TCP header.
>
> If, however, a "flag packet" is a packet whose TCP flag field is non-zero, then a packet can be both a "flag packet" and a "data packet" - and, in fact, *ALL* TCP packets are flag packets; RFC 793 says
>
>     Acknowledgment Number: 32 bits
>
>     If the ACK control bit is set this field contains the value of the next sequence number the sender of the segment is expecting to receive. Once a connection is established this is always sent.
>
> so the ACK flag is set in *ALL* TCP packets once the connection has been established (i.e., once the connecting machine ACKs the connected-to machine's SYN+ACK), and the only packets that can be sent before the connection has been established are either SYN, SYN+ACK, or ACK packets, so they are flag packets, too. I.e., *all* TCP packets are flag packets.
>
> http://www.tcpdump.org/lists/workers/2005/11/msg00027.html shows how to construct a filter that captures only TCP packets with data in them. If it's not available, try the Google cache http://72.14.203.104/search?q=cache:Gp-__401cXYJ:www.tcpdump.org/lists/workers/2005/11/msg00027.html+%22guy+harris%22+tcp+ip+length+filter+ack&hl=en&gl=us&ct=clnk&cd=1&client=safari
>
> - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
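As an added example (not code from this thread), the following Python checks both points above on constructed IPv4/TCP packets: the payload-length arithmetic that a "TCP with data" filter of the form `(ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2) != 0` performs (assumed to be the kind of filter the linked message describes), and sorting hits by source address so a single capture at each node can tell the two probing senders apart instead of running two filters. The node addresses, ports and payloads are constructed.

```python
import ipaddress
import struct

# Constructed addresses for the two probing nodes (assumed, not from the thread).
NODE_A = "192.0.2.10"
NODE_B = "192.0.2.20"
ACK, PSH = 0x10, 0x08

def tcp_payload_length(pkt: bytes) -> int:
    """Bytes of TCP payload in an IPv4 packet, computed the way the BPF filter
    (ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2) != 0 computes it:
    IP total length minus IP header length minus TCP header length."""
    total_len = struct.unpack("!H", pkt[2:4])[0]  # ip[2:2]
    ihl = (pkt[0] & 0x0F) << 2                    # (ip[0]&0xf)<<2
    thl = (pkt[ihl + 12] & 0xF0) >> 2             # (tcp[12]&0xf0)>>2
    return total_len - ihl - thl

def classify(pkt: bytes):
    """Tag a packet with its sender so one capture can separate both nodes.
    Returns (sender, tcp_flags, payload_len)."""
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    ihl = (pkt[0] & 0x0F) << 2
    flags = pkt[ihl + 13]                         # the tcp[tcpflags] byte
    sender = {NODE_A: "A", NODE_B: "B"}.get(src, "other")
    return sender, flags, tcp_payload_length(pkt)

def build_packet(src, dst, flags, payload=b"", tcp_opts=b""):
    """Constructed IPv4+TCP packet (checksums left zero; options length is 4n)."""
    thl = 20 + len(tcp_opts)
    tcp = struct.pack("!HHIIBBHHH", 40000, 5001, 1, 1, (thl // 4) << 4,
                      flags, 8192, 0, 0) + tcp_opts + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + tcp

def data_packets(pkts):
    """Apply the 'has payload' filter; return (sender, payload_len) per hit."""
    return [(s, n) for s, _f, n in map(classify, pkts) if n != 0]

if __name__ == "__main__":
    ts_opts = b"\x01\x01\x08\x0a" + b"\x00" * 8     # NOP, NOP, timestamp option
    sample = [
        build_packet(NODE_A, NODE_B, ACK),                      # pure ACK, no data
        build_packet(NODE_A, NODE_B, ACK | PSH, b"probe-a", ts_opts),
        build_packet(NODE_B, NODE_A, ACK | PSH, b"probe-b"),
    ]
    print(data_packets(sample))                      # [('A', 7), ('B', 7)]
```

Every sample packet carries ACK, matching the point that no TCP packet after the handshake is flag-free, so only the length arithmetic separates probes from acknowledgements; the second packet has TCP options, which is why the data offset byte is subtracted rather than a fixed 20.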