Wireshark-users: Re: [Wireshark-users] SYN Capture Filter issue
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 17 Feb 2009 11:24:32 -0800

On Feb 17, 2009, at 11:06 AM, Bland Chuck-CNGR85 wrote:

> That is VERY INTERESTING.
>
> Yes, it does work correctly.
>
> The documentation says the default slice size is one, so technically I
> should not have to spec it. That's why I didn't try it before you
> mentioned it.

The default slice size *is* one and you *shouldn't* have to spec it.

Code generated by libpcap 0.9.5 for "tcp[13] & 0x02 = 2" on Ethernet:

(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 11
(002) ldb      [23]
(003) jeq      #0x6             jt 4    jf 11
(004) ldh      [20]
(005) jset     #0x1fff          jt 11   jf 6
(006) ldxb     4*([14]&0xf)
(007) ldb      [x + 27]				# fetches a byte
(008) and      #0x2
(009) jeq      #0x2             jt 10   jf 11
(010) ret      #96
(011) ret      #0

Code generated by libpcap 0.9.5 for "tcp[13:1] = 2" on Ethernet:

(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 10
(002) ldb      [23]
(003) jeq      #0x6             jt 4    jf 10
(004) ldh      [20]
(005) jset     #0x1fff          jt 10   jf 6
(006) ldxb     4*([14]&0xf)
(007) ldb      [x + 27]				# again, fetches a byte
(008) jeq      #0x2             jt 9    jf 10
(009) ret      #96
(010) ret      #0

The only difference is that the first one checks whether the 0x02 bit is set in that byte, and the second one checks whether that byte *is* 0x02, i.e. whether the 0x02 bit is set and no other bit is set. Neither one should pass packets with SYN not set; the latter won't pass SYN+ACK packets, so unless you only want the initial SYN, not any SYN+ACK reply, you don't want that.

In any case, *neither* of those filters should, as noted, pass any packets that don't have SYN set.

Could you download WinDump:

	http://www.winpcap.org/windump/install/default.htm

and, from the Windows command line, try

	windump -d "tcp[13] & 0x02 = 2"

and

	windump -d "tcp[13:1] = 2"

along with

	windump -h
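To make the difference between the two listings above concrete, here is an added example (not part of the mail, and not libpcap code): a small Python interpreter for exactly the BPF opcodes that appear in those two `-d` listings, run over constructed Ethernet II / IPv4 / TCP frames. The listings are reproduced verbatim; the frames, the helper names (`parse_program`, `run`, `tcp_frame`, `filter_results`) and the return convention (96 = the filter accepts the packet, 0 = it drops it, matching the `ret` operands) are assumptions made for the example.

```python
import re
import struct

# Added example: interpreter for the opcodes in the two listings from the mail.
# It also shows the IP-options (ldxb) and non-first-fragment (jset) paths.

PROG_BIT_TEST = """
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 11
(002) ldb      [23]
(003) jeq      #0x6             jt 4    jf 11
(004) ldh      [20]
(005) jset     #0x1fff          jt 11   jf 6
(006) ldxb     4*([14]&0xf)
(007) ldb      [x + 27]
(008) and      #0x2
(009) jeq      #0x2             jt 10   jf 11
(010) ret      #96
(011) ret      #0
"""   # "tcp[13] & 0x02 = 2"

PROG_BYTE_EQ = """
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 10
(002) ldb      [23]
(003) jeq      #0x6             jt 4    jf 10
(004) ldh      [20]
(005) jset     #0x1fff          jt 10   jf 6
(006) ldxb     4*([14]&0xf)
(007) ldb      [x + 27]
(008) jeq      #0x2             jt 9    jf 10
(009) ret      #96
(010) ret      #0
"""   # "tcp[13:1] = 2"

SYN, ACK = 0x02, 0x10                      # TCP flag bits in tcp[13]
_IMM = r"#(0x[0-9a-fA-F]+|\d+)"


def parse_program(listing):
    """Turn a 'tcpdump -d' / 'windump -d' style listing into instruction tuples."""
    prog = []
    for raw in listing.strip().splitlines():
        line = re.sub(r"\s+#\s.*$", "", raw)               # drop '# comment' text
        _, op, rest = re.match(r"\((\d+)\)\s+(\w+)\s*(.*?)\s*$", line).groups()
        size = 2 if op == "ldh" else 1
        if op in ("ldh", "ldb") and (m := re.fullmatch(r"\[(\d+)\]", rest)):
            prog.append(("ld_abs", size, int(m.group(1))))          # A = pkt[k]
        elif op in ("ldh", "ldb") and (m := re.fullmatch(r"\[x \+ (\d+)\]", rest)):
            prog.append(("ld_ind", size, int(m.group(1))))          # A = pkt[X + k]
        elif op == "ldxb" and (m := re.fullmatch(r"4\*\(\[(\d+)\]&0xf\)", rest)):
            prog.append(("ldx_msh", int(m.group(1))))               # X = 4 * (pkt[k] & 0xf)
        elif op in ("jeq", "jset") and (m := re.fullmatch(_IMM + r"\s+jt (\d+)\s+jf (\d+)", rest)):
            prog.append((op, int(m.group(1), 0), int(m.group(2)), int(m.group(3))))
        elif op in ("and", "ret") and (m := re.fullmatch(_IMM, rest)):
            prog.append((op, int(m.group(1), 0)))
        else:
            raise ValueError("unsupported instruction: " + raw)
    return prog


def run(prog, frame):
    """Execute a parsed program over one frame; return the 'ret' operand."""
    def load(off, size):          # a load past the end of the frame rejects it, as BPF does
        if off + size > len(frame):
            raise IndexError
        return int.from_bytes(frame[off:off + size], "big")
    A = X = pc = 0
    try:
        while True:
            ins, pc = prog[pc], pc + 1
            if ins[0] == "ld_abs":
                A = load(ins[2], ins[1])
            elif ins[0] == "ld_ind":
                A = load(X + ins[2], ins[1])
            elif ins[0] == "ldx_msh":
                X = 4 * (load(ins[1], 1) & 0xF)
            elif ins[0] == "and":
                A &= ins[1]
            elif ins[0] in ("jeq", "jset"):     # jump targets are absolute, as printed by -d
                hit = (A == ins[1]) if ins[0] == "jeq" else (A & ins[1])
                pc = ins[2] if hit else ins[3]
            else:                               # ret
                return ins[1]
    except IndexError:
        return 0


def tcp_frame(flags, ethertype=0x0800, frag=0, ihl=5):
    """Constructed Ethernet II / IPv4 / TCP frame carrying the given TCP flags byte."""
    ether = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ethertype)
    opts = b"\x01" * (4 * (ihl - 5))            # IPv4 NOP options, to exercise ldxb
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(opts) + len(tcp), 1,
                     frag, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ether + ip + opts + tcp


def filter_results(frame):
    # (result of "tcp[13] & 0x02 = 2", result of "tcp[13:1] = 2"); 96 = pass, 0 = drop
    return run(parse_program(PROG_BIT_TEST), frame), run(parse_program(PROG_BYTE_EQ), frame)


if __name__ == "__main__":
    for name, frame in [("SYN", tcp_frame(SYN)), ("SYN+ACK", tcp_frame(SYN | ACK)),
                        ("ACK", tcp_frame(ACK)), ("SYN+IPopts", tcp_frame(SYN, ihl=6))]:
        print(f"{name:12s} bit test -> {filter_results(frame)[0]:2d}   byte eq -> {filter_results(frame)[1]:2d}")
```

Running it shows the point of the mail: a bare SYN passes both programs, a plain ACK passes neither, and SYN+ACK passes the `& 0x02` form but not the `tcp[13:1] = 2` form, since 0x12 is not equal to 0x02. The IHL-derived index register also lands on the right byte when the IPv4 header carries options, and a non-first fragment is dropped by the `jset #0x1fff` check before the TCP byte is ever read.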