(I'm on tcpdump-workers, so you don't need to CC me - just ask tcpdump-workers questions such as this.)

Amitesh Singh wrote:
what should be the string to pass a filter program in pcap_setfilter() to capture only ACK packets?
Do you mean "ACK-only" TCP packets, i.e. TCP segments that have an ACK but no data?

Or do you mean "only ACK packets", i.e. TCP segments that have an ACK, *even if they also have data*?

If it's "only ACK packets", the tcpdump man page says:

    expr relop expr

        ...

        For example, `ether[0] & 1 != 0' catches all multicast traffic.  The expression `ip[0] & 0xf != 5' catches all IP packets with options.  The expression `ip[6:2] & 0x1fff = 0' catches only unfragmented datagrams and frag zero of fragmented datagrams.  This check is implicitly applied to the tcp and udp index operations.  For instance, tcp[0] always means the first byte of the TCP header, and never means the first byte of an intervening fragment.

        Some offsets and field values may be expressed as names rather than as numeric values.  The following protocol header field offsets are available: icmptype (ICMP type field), icmpcode (ICMP code field), and tcpflags (TCP flags field).

        ...

        The following TCP flags field values are available: tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg.

so "tcp[tcpflags] & tcp-ack != 0" will test for that, at least with newer versions of libpcap (older versions will require you to use numbers for "tcpflags" and "tcp-ack"; determining the numbers to use is left as an exercise for the reader, with the help of RFC 793).

If, however, you mean "ACK-only packets", you not only have to check whether the packet has the ACK flag set, you also have to test how much TCP payload the packet has, and reject the packet if it has a non-zero number of payload bytes, i.e.

   (tcp[tcpflags] & tcp-ack != 0) && {number of payload bytes is zero}

Unfortunately, calculating the payload length is complicated - it can be done, but it's complicated. See

   http://www.informit.com/articles/article.asp?p=130757&seqNum=6&rl=1

for some information on doing that.
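As an added illustration (not part of the original mail), here is the payload-length arithmetic the reply alludes to, done in Python on a constructed IPv4/TCP segment, together with the equivalent BPF expression. The packet builder, the constant names and the sample addresses are assumptions made for the example.

```python
import struct

TCP_ACK = 0x10
TCP_PSH = 0x08
TCP_SYN = 0x02

# BPF equivalent of the "ACK-only" test: ACK flag set AND
# (IP total length - IP header length - TCP header length) == 0.
# tcp[12] is the TCP data-offset byte; (tcp[12] & 0xf0) >> 2 yields header bytes.
ACK_ONLY_FILTER = (
    "tcp[tcpflags] & tcp-ack != 0 and "
    "(ip[2:2] - ((ip[0] & 0xf) << 2) - ((tcp[12] & 0xf0) >> 2)) == 0"
)


def build_ipv4_tcp(payload: bytes, flags: int, tcp_opts: bytes = b"") -> bytes:
    """Constructed IPv4/TCP segment for testing (checksums left zero, no IP options)."""
    assert len(tcp_opts) % 4 == 0, "TCP options must pad to 32-bit words"
    ihl_words = 5
    doff_words = 5 + len(tcp_opts) // 4
    total_len = ihl_words * 4 + doff_words * 4 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_len,
                         0, 0, 64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp_hdr = struct.pack("!HHIIBBHHH", 12345, 80, 1, 1,
                          doff_words << 4, flags, 65535, 0, 0) + tcp_opts
    return ip_hdr + tcp_hdr + payload


def tcp_payload_len(pkt: bytes) -> int:
    """Same arithmetic as the BPF expression, on an unfragmented IPv4/TCP packet."""
    ip_total = struct.unpack_from("!H", pkt, 2)[0]   # ip[2:2]
    ihl = (pkt[0] & 0x0F) << 2                       # (ip[0] & 0xf) << 2
    doff = (pkt[ihl + 12] & 0xF0) >> 2               # (tcp[12] & 0xf0) >> 2
    return ip_total - ihl - doff


def is_pure_ack(pkt: bytes) -> bool:
    """True for segments that carry the ACK flag and zero payload bytes."""
    ihl = (pkt[0] & 0x0F) << 2
    flags = pkt[ihl + 13]                            # tcp[tcpflags]
    return (flags & TCP_ACK) != 0 and tcp_payload_len(pkt) == 0
```

Running `is_pure_ack` over a pure ACK, an ACK carrying data, an ACK with NOP-padded options and a bare SYN shows which segments the ACK-only filter would keep.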


-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.