Wireshark-users: Re: [Wireshark-users] SYN Capture Filter issue
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 17 Feb 2009 10:50:09 -0800

On Feb 17, 2009, at 10:34 AM, Bill Meier wrote:

  The following display filter isn't a valid display filter:
  tcp[13] & 0x02 = 2

It's not.

It *is*, however, a valid *capture* filter:

	$ tcpdump -d 'tcp[13] & 0x02 = 2'
	tcpdump: WARNING: en0: no IPv4 address assigned
	(000) ldh      [12]					# load Ethertype
	(001) jeq      #0x800           jt 2    jf 11		# compare against IPv4
	(002) ldb      [23]					# = IPv4; load IP protocol type
	(003) jeq      #0x6             jt 4    jf 11		# compare against TCP
	(004) ldh      [20]					# = TCP; load IP frag offset & flags
	(005) jset     #0x1fff          jt 11   jf 6		# check whether this isn't the first frag
	(006) ldxb     4*([14]&0xf)				# not first frag; get IP header length
	(007) ldb      [x + 27]					# load TCP flags
	(008) and      #0x2					# AND with SYN
	(009) jeq      #0x2             jt 10   jf 11		# test whether set
	(010) ret      #96					# all tests succeeded
	(011) ret      #0					# all tests failed

(your mileage, and generated code, may vary depending on the link-layer type:

	$ tcpdump -i ppp0 -d 'tcp[13] & 0x02 = 2'
	(000) ldh      [2]					# load PPP protocol type
	(001) jeq      #0x21            jt 2    jf 11		# compare against IPv4
	(002) ldb      [13]					# etc.
	(003) jeq      #0x6             jt 4    jf 11
	(004) ldh      [10]
	(005) jset     #0x1fff          jt 11   jf 6
	(006) ldxb     4*([4]&0xf)
	(007) ldb      [x + 17]
	(008) and      #0x2
	(009) jeq      #0x2             jt 10   jf 11
	(010) ret      #96
	(011) ret      #0
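An added example, not part of Guy's message or of tcpdump/libpcap: a small Python interpreter for the Ethernet program listed above, run over constructed Ethernet/IPv4/TCP frames, so the fragment-offset test, the IHL-indexed load of the TCP flags and the snaplen return value can be checked offline. The tuple encoding of the instructions and the frame() builder (dummy MACs, addresses and checksums) are my own assumptions.

```python
import struct
# The 12 instructions tcpdump printed for Ethernet, as (op, k[, jt, jf]); "ldb_x" is ldb [x + k].
PROGRAM = [
    ("ldh", 12),              # A = Ethertype
    ("jeq", 0x800, 2, 11),    # IPv4, else fail
    ("ldb", 23),              # A = IP protocol
    ("jeq", 0x6, 4, 11),      # TCP, else fail
    ("ldh", 20),              # A = IP flags + fragment offset
    ("jset", 0x1fff, 11, 6),  # offset != 0 means a later fragment: no TCP header, fail
    ("ldxb", 14),             # X = 4 * IHL (IP header length in bytes)
    ("ldb_x", 27),            # A = pkt[X + 27] = TCP flags (14 + IHL*4 + 13)
    ("and", 0x2),             # keep only the SYN bit
    ("jeq", 0x2, 10, 11),
    ("ret", 96),              # accept (snaplen 96)
    ("ret", 0),               # reject
]

def run_bpf(program, pkt):
    """Run the program over one frame; returns the accepted length (0 = reject)."""
    a = x = pc = 0
    try:
        while True:
            op, k, *jmp = program[pc]
            if op == "ret":
                return k
            if op == "ldh":
                a = struct.unpack_from("!H", pkt, k)[0]
            elif op == "ldb":
                a = pkt[k]
            elif op == "ldxb":
                x = 4 * (pkt[k] & 0xF)
            elif op == "ldb_x":
                a = pkt[x + k]
            elif op == "and":
                a &= k
            if op in ("jeq", "jset"):
                hit = a == k if op == "jeq" else bool(a & k)
                pc = jmp[0] if hit else jmp[1]
            else:
                pc += 1
    except (IndexError, struct.error):
        return 0  # out-of-bounds load: the kernel rejects the packet too

def frame(tcp_flags, ihl=5, frag_off=0, proto=6, ethertype=0x0800):
    """Constructed Ethernet/IPv4/TCP frame with dummy MACs, addresses and checksums."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 4 * ihl + 20, 1, frag_off,
                     64, proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    ip += b"\x01" * (4 * (ihl - 5))  # NOP options pad the header when IHL > 5
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, tcp_flags, 8192, 0, 0)
    return b"\x00" * 12 + struct.pack("!H", ethertype) + ip + tcp
```

Note that the filter only tests the SYN bit, so a SYN-ACK (flags 0x12) is accepted as well; a first fragment with MF set but offset 0 still passes the jset test, while any later fragment is rejected before the flags are read.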