Ethereal-users: Re: [ethereal-users] Filtering SYN Packets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Thu, 28 Oct 1999 12:56:12 -0700 (PDT)
> I just joined this list, so please don't flame me if this question
> was posted five minutes ago.
> I would like to know a filter-rule that captures only the SYN
> Packages, so that every connection attempt could be seen.

Unfortunately, the TCP flags field isn't yet added with an "add_item"
call, nor are the bitfields (e.g., the SYN bit), and it appears that
(unless I've missed something) you can't "subscript" "tcp" by itself, to
say "match packets where the byte at an offset of 13 from the beginning
of the TCP header, anded with 0x02, is non-zero", so I'm not sure you
can do it yet.  (Then again, perhaps I've missed something, and one can
construct such a filter - which should, unless I've miscounted TCP field
lengths, match only initial SYN packets.)

This is not a feature; somebody should fix up TCP to add more filterable
items - if nobody else does it, I'll look into doing that some time
today, so that the next release, at least, will let you do this.
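As an added example, not code from the post or from Ethereal, here is the test Guy describes (the byte at offset 13 from the start of the TCP header, ANDed with 0x02) applied to constructed TCP headers in Python. It also shows that the plain 0x02 mask matches the server's SYN-ACK as well, and adds the ACK-clear check that isolates initial connection attempts; in today's tools the same thing is `tcp.flags.syn == 1` as a display filter or `tcp[13] & 0x02 != 0` as a libpcap capture filter.

```python
import struct

# TCP header layout (RFC 793): the flags live in the byte at offset 13.
TCP_FLAGS_OFFSET = 13
FLAG_FIN, FLAG_SYN, FLAG_RST, FLAG_PSH, FLAG_ACK, FLAG_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=65535):
    """Build a minimal 20-byte TCP header with no options (constructed sample data)."""
    data_offset_byte = 5 << 4  # 5 x 32-bit words = 20 bytes, reserved bits zero
    # !HHIIBBHHH = ports, seq, ack, data offset, flags, window, checksum, urgent ptr
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset_byte, flags & 0xFF, window, 0, 0)


def is_syn(tcp_header):
    """The filter from the post: tcp[13] & 0x02 != 0. True for SYN and for SYN-ACK."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    return (tcp_header[TCP_FLAGS_OFFSET] & FLAG_SYN) != 0


def is_initial_syn(tcp_header):
    """SYN set and ACK clear: a fresh connection attempt, not the peer's SYN-ACK reply."""
    flags = tcp_header[TCP_FLAGS_OFFSET]
    return (flags & (FLAG_SYN | FLAG_ACK)) == FLAG_SYN


def count_connection_attempts(headers):
    """Initial SYNs per destination port: the view wanted when watching for connection attempts."""
    counts = {}
    for hdr in headers:
        if is_initial_syn(hdr):
            dst_port = struct.unpack("!H", hdr[2:4])[0]
            counts[dst_port] = counts.get(dst_port, 0) + 1
    return counts


# Constructed sample: a client handshake to port 80 plus one more attempt to 443.
SAMPLE_HEADERS = [
    build_tcp_header(40000, 80, FLAG_SYN),              # client SYN
    build_tcp_header(80, 40000, FLAG_SYN | FLAG_ACK),   # server SYN-ACK (also matches 0x02)
    build_tcp_header(40000, 80, FLAG_ACK),              # client ACK
    build_tcp_header(40001, 443, FLAG_SYN),             # another connection attempt
]

if __name__ == "__main__":
    print([is_syn(h) for h in SAMPLE_HEADERS])         # [True, True, False, True]
    print(count_connection_attempts(SAMPLE_HEADERS))   # {80: 1, 443: 1}
```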