On Feb 17, 2009, at 10:34 AM, Bill Meier wrote:
> The following display filter isn't a valid display filter:
> tcp[13] & 0x02 = 2
It's not.
It *is*, however, a valid *capture* filter:
$ tcpdump -d 'tcp[13] & 0x02 = 2'
tcpdump: WARNING: en0: no IPv4 address assigned
(000) ldh [12] # load Ethertype
(001) jeq #0x800 jt 2 jf 11 # compare against IPv4
(002) ldb [23] # = IPv4; load IP protocol type
(003) jeq #0x6 jt 4 jf 11 # compare against TCP
(004) ldh [20] # = TCP; load IP frag offset & flags
(005) jset #0x1fff jt 11 jf 6 # check whether this isn't the first frag
(006) ldxb 4*([14]&0xf) # not first frag; get IP header length
(007) ldb [x + 27] # load TCP flags
(008) and #0x2 # AND with SYN
(009) jeq #0x2 jt 10 jf 11 # test whether set
(010) ret #96 # all tests succeeded
(011) ret #0 # all tests failed
(your mileage, and generated code, may vary depending on the link-layer type:
$ tcpdump -i ppp0 -d 'tcp[13] & 0x02 = 2'
(000) ldh [2] # load PPP protocol type
(001) jeq #0x21 jt 2 jf 11 # compare against IPv4
(002) ldb [13] # etc.
(003) jeq #0x6 jt 4 jf 11
(004) ldh [10]
(005) jset #0x1fff jt 11 jf 6
(006) ldxb 4*([4]&0xf)
(007) ldb [x + 17]
(008) and #0x2
(009) jeq #0x2 jt 10 jf 11
(010) ret #96
(011) ret #0
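An added illustration, not from the thread and not tcpdump's or libpcap's code: a small Python interpreter for the handful of BPF opcodes in the Ethernet program above, run over constructed frames. The tuple encoding, the opcode spellings ldxmsh/ldbind and the build_frame helper are assumptions of this example.

```python
import struct

# Constructed transcription of the Ethernet program above: (opcode, k, jt, jf), absolute jump targets.
SYN_FILTER = [
    ("ldh", 12, 0, 0),        # A = Ethertype
    ("jeq", 0x800, 2, 11),    # IPv4?
    ("ldb", 23, 0, 0),        # A = IP protocol
    ("jeq", 0x6, 4, 11),      # TCP?
    ("ldh", 20, 0, 0),        # A = IP flags + fragment offset
    ("jset", 0x1fff, 11, 6),  # non-zero offset: not the first fragment, reject
    ("ldxmsh", 14, 0, 0),     # X = 4 * (ip[0] & 0xf) = IP header length
    ("ldbind", 27, 0, 0),     # A = pkt[X + 27] = TCP flags byte (tcp[13])
    ("and", 0x2, 0, 0),       # A &= SYN
    ("jeq", 0x2, 10, 11),     # SYN bit set?
    ("ret", 96, 0, 0),        # accept (snap 96 bytes)
    ("ret", 0, 0, 0),         # reject
]

def run_bpf(prog, pkt):
    """Interpret the opcodes used above; a load past the end of the packet rejects (0), as the kernel does."""
    a = x = pc = 0
    try:
        while True:
            op, k, jt, jf = prog[pc]
            if op == "ldh":
                a = struct.unpack_from("!H", pkt, k)[0]
            elif op == "ldb":
                a = pkt[k]
            elif op == "ldxmsh":
                x = 4 * (pkt[k] & 0xF)
            elif op == "ldbind":
                a = pkt[x + k]
            elif op == "and":
                a &= k
            elif op in ("jeq", "jset"):
                pc = jt if (a == k if op == "jeq" else a & k) else jf
                continue
            else:  # ret
                return k
            pc += 1
    except (IndexError, struct.error):
        return 0

def build_frame(proto=6, tcp_flags=0x02, frag=0, ihl=5):
    """Constructed Ethernet/IPv4/TCP frame; only the fields the filter reads are meaningful."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = bytes([0x40 | ihl, 0]) + struct.pack("!HHHBBH", 40, 0, frag, 64, proto, 0)
    ip += b"\x00" * 8 + b"\x00" * (4 * (ihl - 5))  # src/dst, then IP options if ihl > 5
    tcp = struct.pack("!HHIIBB", 1234, 80, 0, 0, 0x50, tcp_flags) + b"\x00" * 6
    return eth + ip + tcp
```

Because only the SYN bit is tested, a SYN-ACK (flags 0x12) matches too; a TCP segment with a non-zero fragment offset, or a frame too short for the flags load, is rejected.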