Capturing TCP packets with particular flag combinations (SYN-ACK, URG-ACK, etc.)


There are 8 bits in the control bits section of the TCP header:



Let's assume that we want to watch packets used in establishinga TCP connection.Recall that TCP uses a 3-way handshake protocolwhen it initializes a new connection; the connection sequence with regard to the TCP control bits is




1) Caller sends SYN 主叫发送SYN

2) Recipient responds with SYN, ACK 被叫发送ACK+SYN

3) Caller sends ACK  主叫收到ACK

Now we're interested in capturing packets that have only the SYN bit set (Step 1).

Note that we don't want packets from step 2(SYN-ACK), just a plain initial SYN.

What we need is a correct filter expression fort cpdump.

现在我们有兴趣在捕获只有SYN标识的数据包(第1步) 。



Recall the structure of a TCP header without options:


 0                            15                              31


|          source port          |       destination port        |


|                        sequence number                        |


|                     acknowledgment number                     |


|  HL   | rsvd  |C|E|U|A|P|R|S|F|        window size            |


|         TCP checksum          |       urgent pointer          |


A TCP header usually holds 20 octets of data, unless options are present.The first line of the graph contains octets 0 - 3, thesecond line shows octets 4 - 7 etc.



Starting to count with 0, the relevant TCP control bits are contained in octet 13:


 0             7|             15|             23|             31


|  HL   | rsvd  |C|E|U|A|P|R|S|F|        window size            |


|               |  13th octet   |               |               |

Let's have a closer look at octet no. 13:


                |               |




                |7   5   3     0|

These are the TCP control bits we are interested in.

We have numbered the bits in this octet from 0 to 7, right to left, so the PSH bit is bit number 3, while the URG bit is number 5.


Recall that we want to capture packets with only SYN set.

Let's see what happens to octet 13 if a TCP datagram arrives with the SYN bit set in its header:




                |0 0 0 0 0 0 1 0|


                |7 6 5 4 3 2 1 0|

Looking at the control bits section we see that only bit number 1 (SYN) is set.


Assuming that octet number 13 is an 8-bit unsigned integer innetwork byte order, the binary value of this octet is



and its decimal representation is


   7     6     5     4     3     2     1     0

0*2 + 0*2 + 0*2 + 0*2 + 0*2 + 0*2 + 1*2 + 0*2  =  2

We're almost done, because now we know that if only SYN is set,the value of the 13th octet in the TCP header, when interpretedas a 8-bit unsigned integer in network byte order, must be exactly 2.

This relationship can be expressed as


tcp[13] == 2

We can use this expression as the filter for 

tcpdump in order to watch packets which have only SYN set:


tcpdump -i xl0 tcp[13] == 2

The expression says "let the 13th octet of a TCP datagram have the decimal value 2", which is exactly what we want.


Now, let's assume that we need to capture SYN packets, but wedon't care if ACK or any other TCP control bit is set at thesame time.Let's see what happens to octet 13 when a TCP datagramwith SYN-ACK set arrives:




     |0 0 0 1 0 0 1 0|


     |7 6 5 4 3 2 1 0|

Now bits 1 and 4 are set in the 13th octet.The binary value ofoctet 13 is


which translates to decimal

   7     6     5     4     3     2     1     0

0*2 + 0*2 + 0*2 + 1*2 + 0*2 + 0*2 + 1*2 + 0*2   = 18

Now we can't just use 'tcp[13] == 18' in the tcpdump filter expression, 

because that would select only those packets that have SYN-ACK set, but not those with only SYN set.

Remember that we don't care if ACK or any other control bit is set as long as SYN is set.

In order to achieve our goal, we need to logically AND the binary value of octet 13 with some other value to preservethe SYN bit.

We know that we want SYN to be set in any case,so we'll logically AND the value in the 13th octet withthe binary value of a SYN:

现在, 却不能只用'tcp[13] 18'作为tcpdump的过滤表达式, 因为这将导致只选择含有SYN-ACK标志的数据包, 其他的都被丢弃.

提醒一下自己, 我们的目标是: 只要包的SYN标志被设置就行, 其他的标志我们不理会.

为了达到我们的目标, 我们需要把13号字节的二进制值与其他的一个数做AND操作(nt:逻辑与)来得到SYN比特位的值. 

目标是:只要SYN 被设置就行, 于是我们就把她与上13号字节的SYN值(nt: 00000010).

          00010010 SYN-ACK              00000010 SYN

     AND  00000010 (we want SYN)   AND  00000010 (we want SYN)

          --------                      --------

     =    00000010                 =    00000010

We see that this AND operation delivers the same resultregardless whether ACK or another TCP control bit is set.The decimal representation of the AND value as well asthe result of this operation is 2 (binary 00000010),so we know that for packets with SYN set

 the followingrelation must hold true:

我们可以发现, 不管包的ACK或其他标志是否被设置, 以上的AND操作都会给我们相同的值, 其10进制表达就是2(2进制表达就是00000010).

从而我们知道, 对于带有SYN标志的数据包, 以下的表达式的结果总是真(true):

( ( value of octet 13 ) AND ( 2 ) ) == ( 2 )

This points us to the 

tcpdump filter expression

灵感随之而来, 我们于是得到了如下的tcpdump 的过滤表达式

tcpdump -i xl0 'tcp[13] & 2 == 2'

tcpdump -i xl0 'tcp[13] & 2 2'

Note that you should use single quotes or a backslashin the expression to hide the AND ('&') special characterfrom the shell.

注意, 单引号或反斜杆(nt: 这里用的是单引号)不能省略, 这可以防止shell对&的解释或替换.
