(I'm on tcpdump-workers, so you don't need to CC me - just ask
tcpdump-workers questions such as this.)
Amitesh Singh wrote:
what should be the string to pass a filter program in
pcap_setfilter() to capture only ACK packets?
Do you mean "ACK-only" TCP packets, i.e. TCP segments that have an ACK
but no data?
Or do you mean "only ACK packets", i.e. TCP segments that have an ACK,
*even if they also have data*?
If it's "only ACK packets", the tcpdump man page says:
     expr relop expr
          ...
          For example, `ether[0] & 1 != 0' catches all multicast
          traffic.  The expression `ip[0] & 0xf != 5' catches all IP
          packets with options.  The expression `ip[6:2] & 0x1fff = 0'
          catches only unfragmented datagrams and frag zero of
          fragmented datagrams.  This check is implicitly applied to
          the tcp and udp index operations.  For instance, tcp[0]
          always means the first byte of the TCP header, and never
          means the first byte of an intervening fragment.

          Some offsets and field values may be expressed as names
          rather than as numeric values.  The following protocol
          header field offsets are available: icmptype (ICMP type
          field), icmpcode (ICMP code field), and tcpflags (TCP flags
          field).
          ...
          The following TCP flags field values are available: tcp-fin,
          tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg.
so "tcp[tcpflags] & tcp-ack != 0" will test for that, at least with
newer versions of libpcap (older versions will require you to use
numbers for "tcpflags" and "tcp-ack"; determining the numbers to use is
left as an exercise for the reader, with the help of RFC 793).
If, however, you mean "ACK-only packets", you not only have to check
whether the packet has the ACK flag set, you also have to test how much
TCP payload the packet has, and reject the packet if it has a non-zero
number of payload bytes, i.e.
(tcp[tcpflags] & tcp-ack != 0) && {number of payload bytes is not zero}
Unfortunately, calculating the payload length is complicated - it can be
done, but it's complicated. See
http://www.informit.com/articles/article.asp?p=130757&seqNum=6&rl=1
for some information on doing that.
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
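An added example, not part of the list post above and not libpcap's own code: the "ACK-only" filter written out as a pcap filter string, built from the byte offsets the quoted man page names (ip[2:2] is the IPv4 total length, ip[0] & 0xf the IP header length in words, tcp[12] & 0xf0 the TCP data offset in words, tcp[13] the flags byte), together with a pure-Python checker that walks the same offsets over constructed Ethernet/IPv4/TCP frames so the logic can be exercised offline without a capture device. The names ACK_ONLY_FILTER, build_frame, tcp_payload_length and is_ack_only are my own; the frames are constructed test data with checksums left at zero, which the filter never looks at.

```python
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TH_SYN = 0x02
TH_ACK = 0x10

# pcap filter string for "ACK set and zero TCP payload bytes" (assumed name).
# payload = ip[2:2] - IP header bytes - TCP header bytes; the two shifts turn
# the 4-bit length fields into byte counts. The tcp[] index operations
# already restrict matching to fragment zero, as the man page notes.
ACK_ONLY_FILTER = (
    "tcp and (tcp[tcpflags] & tcp-ack != 0) and "
    "(ip[2:2] - ((ip[0] & 0xf) << 2) - ((tcp[12] & 0xf0) >> 2)) = 0"
)


def tcp_payload_length(frame: bytes):
    """Mirror the filter's arithmetic: return the TCP payload length of an
    Ethernet/IPv4/TCP frame, or None if the frame is not a first-fragment
    TCP segment (or is too short / malformed to index safely)."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) << 2                        # (ip[0] & 0xf) << 2
    total_len = struct.unpack_from("!H", ip, 2)[0]   # ip[2:2]
    frag_off = struct.unpack_from("!H", ip, 6)[0] & 0x1FFF  # ip[6:2] & 0x1fff
    if ip[9] != IPPROTO_TCP or frag_off != 0:
        return None
    if ihl < 20 or total_len < ihl + 20 or len(ip) < ihl + 20:
        return None
    tcp = ip[ihl:]
    data_off = (tcp[12] & 0xF0) >> 2                 # (tcp[12] & 0xf0) >> 2
    if data_off < 20 or total_len < ihl + data_off:
        return None                                  # bogus data offset
    return total_len - ihl - data_off


def is_ack_only(frame: bytes) -> bool:
    """True for TCP segments with ACK set and no payload (the filter above)."""
    payload = tcp_payload_length(frame)
    if payload is None:
        return False
    tcp = frame[ETH_HDR_LEN + ((frame[ETH_HDR_LEN] & 0x0F) << 2):]
    return bool(tcp[13] & TH_ACK) and payload == 0   # tcp[13] & 0x10


def build_frame(flags: int, payload: bytes, ip_options: bytes = b"",
                tcp_options: bytes = b"", frag_off: int = 0) -> bytes:
    """Constructed test frame: Ethernet + IPv4 + TCP (checksums zero)."""
    assert len(ip_options) % 4 == 0 and len(tcp_options) % 4 == 0
    ihl_words = 5 + len(ip_options) // 4
    doff_words = 5 + len(tcp_options) // 4
    tcp_hdr = struct.pack("!HHIIBBHHH", 12345, 80, 1, 1,
                          doff_words << 4, flags, 65535, 0, 0) + tcp_options
    total_len = ihl_words * 4 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_len,
                         0, frag_off & 0x1FFF, 64, IPPROTO_TCP, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip_hdr + tcp_hdr + payload


if __name__ == "__main__":
    print("filter:", ACK_ONLY_FILTER)
    for name, frame in [
        ("pure ACK", build_frame(TH_ACK, b"")),
        ("ACK with data", build_frame(TH_ACK, b"GET / HTTP/1.0\r\n")),
        ("SYN", build_frame(TH_SYN, b"")),
        ("pure ACK with IP and TCP options",
         build_frame(TH_ACK, b"", ip_options=b"\x01" * 4, tcp_options=b"\x01" * 12)),
    ]:
        print(f"{name:35s} payload={tcp_payload_length(frame)} ack_only={is_ack_only(frame)}")
```

ACK_ONLY_FILTER is the string to hand to pcap_compile()/pcap_setfilter() (or tcpdump on the command line); the Python functions only exist to show, on packets whose layout you control, what that expression evaluates to, including the case where IP or TCP options change the header lengths.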