On Mar 16, 2006, at 3:32 PM, J S wrote:

> I am trying to set up active TCP probing between two nodes, however I am
> facing difficulty in setting up a tcpdump filter. I would like to capture
> the TCP data packets which I am generating.
>
> When I use this filter
>
>     'tcpdump src host SRC and dst host DST and tcp [tcpflags]=0'
>
> the filter didn't capture any packets.
> So how do I capture data packets and ignore TCP flag packets?
What's a "flag packet"?

If a "flag packet" is the opposite of a "data packet" - i.e., a packet
cannot both be a "flag packet" and a "data packet" - then, as a "data
packet" is presumably a TCP packet with a non-zero amount of payload, a
"flag packet" would be a TCP packet whose length, at the TCP layer, is
the same as the length of the TCP header.

If, however, a "flag packet" is a packet whose TCP flag field is
non-zero, then a packet can be both a "flag packet" and a "data packet" -
and, in fact, *ALL* TCP packets are flag packets; RFC 793 says

    Acknowledgment Number: 32 bits

      If the ACK control bit is set this field contains the value of the
      next sequence number the sender of the segment is expecting to
      receive. Once a connection is established this is always sent.

so the ACK flag is set in *ALL* TCP packets once the connection has been
established (i.e., once the connecting machine ACKs the connected-to
machine's SYN+ACK), and the only packets that can be sent before the
connection has been established are either SYN, SYN+ACK, or ACK packets,
so they are flag packets, too. I.e., *all* TCP packets are flag packets.
http://www.tcpdump.org/lists/workers/2005/11/msg00027.html

shows how to construct a filter that captures only TCP packets with data
in them. If it's not available, try the Google cache

http://72.14.203.104/search?q=cache:Gp-__401cXYJ:www.tcpdump.org/lists/workers/2005/11/msg00027.html+%22guy+harris%22+tcp+ip+length+filter+ack&hl=en&gl=us&ct=clnk&cd=1&client=safari
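As an added illustration (not part of the original thread), the Python below mirrors the byte arithmetic of the payload-only filter given in the tcpdump(8) man page and evaluates it, together with the poster's `tcp[tcpflags]=0` test, against three constructed packets; the packet builder, the sample addresses and the payloads are assumptions made for the example.

```python
# Added example, not from the original thread: reproduces the offset arithmetic
# of the tcpdump filter that matches only TCP segments carrying payload, and
# shows why "tcp[tcpflags] = 0" never matches a segment on an open connection.
import struct

# Filter from the tcpdump(8) man page: ip[2:2] is the IPv4 total length,
# (ip[0]&0xf)<<2 the IPv4 header length, (tcp[12]&0xf0)>>2 the TCP header length.
DATA_FILTER = "tcp and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)"

TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_ipv4_tcp(flags: int, payload: bytes, tcp_options: bytes = b"") -> bytes:
    """Build a minimal IPv4+TCP packet (constructed sample; checksums left zero)."""
    assert len(tcp_options) % 4 == 0, "TCP options must pad to a 32-bit boundary"
    tcp_hlen = 20 + len(tcp_options)
    total_len = 20 + tcp_hlen + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1,
                          (tcp_hlen // 4) << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr + tcp_options + payload


def tcp_payload_len(pkt: bytes) -> int:
    """Same arithmetic the BPF filter performs, at the same byte offsets."""
    ip_total_len = struct.unpack("!H", pkt[2:4])[0]   # ip[2:2]
    ip_hlen = (pkt[0] & 0x0F) << 2                     # (ip[0]&0xf)<<2
    tcp = pkt[ip_hlen:]                                # tcp[...] offsets start here
    tcp_hlen = (tcp[12] & 0xF0) >> 2                   # (tcp[12]&0xf0)>>2
    return ip_total_len - ip_hlen - tcp_hlen


def matches_data_filter(pkt: bytes) -> bool:
    return pkt[9] == 6 and tcp_payload_len(pkt) != 0   # ip[9] is the protocol field


def matches_flags_zero(pkt: bytes) -> bool:
    """The poster's filter, 'tcp[tcpflags] = 0': true only if no flag bit is set."""
    ip_hlen = (pkt[0] & 0x0F) << 2
    return pkt[ip_hlen + 13] == 0                      # tcp[13] is the flags byte


# Constructed samples: a bare ACK, a PSH+ACK carrying data, and an ACK with data
# plus a 12-byte option block (NOP, NOP, timestamp), which a fixed 20-byte
# header assumption would miscount.
PURE_ACK = build_ipv4_tcp(TH_ACK, b"")
DATA_SEG = build_ipv4_tcp(TH_PUSH | TH_ACK, b"GET / HTTP/1.0\r\n\r\n")
DATA_OPTS = build_ipv4_tcp(TH_ACK, b"x" * 100,
                           tcp_options=b"\x01\x01\x08\x0a" + b"\x00" * 8)
```

Every sample has ACK set, so `matches_flags_zero` is false for all three, while the payload-length arithmetic separates the bare ACK from the two data segments regardless of option length.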
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.