It is better to think of the number 3 as a bit mask 0b00000011.
So the command says to AND bitmask 3 with the contents of byte[13] (masking
out all but the bottom 2 bits, S and F) of the TCP header (starting at byte[0]),
then test the result to see if it is 0 (neither the SYN nor FIN flag is set).


Bill Royds
Acting System Administrator,
Canadian Heritage Information Network
(819) 994-1200 X 239
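To make the bitmask arithmetic concrete, here is an added example (not part of the original reply) that builds a constructed 20-byte TCP header and evaluates the thread's filter `tcp[13] & 3 != 0` the way tcpdump does: fetch byte 13, AND it with the mask, compare with zero. The `matches_any` helper generalises the same mask-and-test to any combination of flag bits; the flag bit values are the standard TCP ones, the helper names are my own.

```python
import struct

# Bit values of the TCP flags in byte 13 of the TCP header (low 6 bits).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def build_tcp_header(src_port, dst_port, flags):
    """Construct a minimal 20-byte TCP header (constructed sample data; checksum left 0)."""
    data_offset = 5 << 4  # header length 5 x 32-bit words, no options, reserved bits 0
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, data_offset, flags, 65535, 0, 0)

def tcp_byte(header, index):
    """tcpdump's tcp[n]: the n-th byte counted from the start of the TCP header (byte[0])."""
    return header[index]

def flags_set(header):
    """Names of the flags whose bits are set in tcp[13], for readable output."""
    return [name for name, bit in FLAGS.items() if tcp_byte(header, 13) & bit]

def matches_any(header, mask):
    """Evaluate 'tcp[13] & mask != 0': true if at least one flag in mask is set."""
    return (tcp_byte(header, 13) & mask) != 0

def syn_or_fin(header):
    """The filter from the thread: tcp[13] & 3 != 0, where 3 == SYN|FIN == 0b00000011."""
    return matches_any(header, FLAGS["SYN"] | FLAGS["FIN"])

if __name__ == "__main__":
    # Constructed sample headers: a connection open, a pure data ACK, and a close.
    samples = {
        "SYN": build_tcp_header(40000, 80, FLAGS["SYN"]),
        "ACK": build_tcp_header(40000, 80, FLAGS["ACK"]),
        "FIN|ACK": build_tcp_header(40000, 80, FLAGS["FIN"] | FLAGS["ACK"]),
    }
    for label, hdr in samples.items():
        print(f"{label:8} tcp[13]=0x{tcp_byte(hdr, 13):02x} flags={flags_set(hdr)} "
              f"'tcp[13] & 3 != 0' -> {syn_or_fin(hdr)}")
```

Only the SYN and FIN|ACK samples pass the filter; the bare ACK is masked down to 0 and rejected.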
kk downing <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
03/08/02 11:47 AM

 
        To:     "'Firewall-List'" <[EMAIL PROTECTED]>
        cc: 
        Subject:        tcpdump filter expressions ?


Hello,
I have just switched from using snoop to tcpdump. I am
getting my hands around creating filters for tcpdump.
I am looking at a filter such as this:


tcp and (tcp[13] & 3 != 0) 


Now I know that the 13 is the byte in the tcp header
at which either the syn, fin, ack, urg, push or reset
bits is set. However the "& 3 != 0" seems to make no
sense to me. Could someone break this down for me? I
would really appreciate it as this seems to be the key
for creating filters based on flags. TIA

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls