Ethereal-users: Re: [ethereal-users] Filtering SYN Packets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Jerry Talkington <jerryt@xxxxxxxxxx>
Date: Thu, 28 Oct 1999 13:10:05 -0700
* Guy Harris (guy@xxxxxxxxxx) done spit this rhetoric:
> > To only *display* packets with a SYN flag, you use:
> > frame[47 : 1] == 0x02
> 
> ...assuming that you have a 14-byte link-layer header and a 20-byte IP
> header; if you're not using Ethernet, or there are IP options, that's
> not necessarily the case.
> 
> It turned out that
> 
> 	(tcp[13:1] & 0x02) != 0
> 
> was invalid for reasons other than "you can't subscript 'tcp'"
> (unfortunately, as the error was "Unable to parse filter string", it
> didn't say what the reason was - I think we don't handle arbitrary
> arithmetic expressions in display filters) - and, besides, that gets all
> packets with SYN, so
> 
> 	tcp[13:1] == 0x02
> 
> should do the trick (regardless of how big the link-layer or IP header
> are).

Yes, I should have qualified that with `Or just select a packet that has a
SYN flag, select the flag, and choose Match Selected, which is what I did.'
;)

-- 
Jerry Talkington
NetCache Escalation Engineer
Network Appliance, Inc.

integration, n. 1: The act of combining various system elements so that 
		   they can crash concurrently.
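
The offset point from the quoted discussion, as an added example that is not part of the original messages: it compares the fixed `frame[47]` read with a read at TCP byte 13 located via the IP header length, and compares an exact `== 0x02` match with a masked `& 0x02` test. The frames are constructed for illustration and every function name is hypothetical.

```python
import struct

ETH_LEN = 14  # assumption: Ethernet II header without a VLAN tag


def build_frame(tcp_flags, ip_opt_len=0):
    """Constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    ihl = 5 + ip_opt_len // 4                      # IP header length in 32-bit words
    eth = bytes(12) + b"\x08\x00"                  # zeroed MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + 20, 0, 0,
                     64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    ip += b"\x01" * ip_opt_len                     # pad with NOP options
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, 5 << 4, tcp_flags,
                      8192, 0, 0)
    return eth + ip + tcp


def flags_fixed(frame):
    """frame[47:1]: only correct for 14-byte link + 20-byte IP headers."""
    return frame[47] if len(frame) > 47 else None


def flags_parsed(frame):
    """tcp[13:1]: find the TCP header from the IP header length field."""
    if len(frame) < ETH_LEN + 20 or frame[12:14] != b"\x08\x00":
        return None                                # not IPv4 or truncated
    ihl = frame[ETH_LEN] & 0x0F
    if ihl < 5 or frame[ETH_LEN + 9] != 6:         # bad header or not TCP
        return None
    off = ETH_LEN + ihl * 4 + 13
    return frame[off] if len(frame) > off else None


def syn_only(flags):
    return flags == 0x02                           # SYN and nothing else


def has_syn(flags):
    return flags is not None and (flags & 0x02) != 0   # SYN, SYN+ACK, ...


if __name__ == "__main__":
    for label, frame in [("SYN, no IP options", build_frame(0x02)),
                         ("SYN, 4 bytes of IP options", build_frame(0x02, 4)),
                         ("SYN+ACK, no IP options", build_frame(0x12))]:
        f, p = flags_fixed(frame), flags_parsed(frame)
        print(f"{label}: frame[47]={f:#04x} tcp[13]={p:#04x} "
              f"exact={syn_only(p)} masked={has_syn(p)}")
```

With IP options present, `frame[47]` lands inside the acknowledgment number rather than on the flags byte, so the fixed-offset filter misses the SYN.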