On Feb 17, 2009, at 11:06 AM, Bland Chuck-CNGR85 wrote:
> That is VERY INTERESTING.
> Yes, it does work correctly.
> The documentation says the default slice size is one, so technically I
> should not have to spec it. That's why I didn't try it before you
> mentioned it.
The default slice size *is* one and you *shouldn't* have to spec it.
Code generated by libpcap 0.9.5 for "tcp[13] & 0x02 = 2" on Ethernet:
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 11
(002) ldb [23]
(003) jeq #0x6 jt 4 jf 11
(004) ldh [20]
(005) jset #0x1fff jt 11 jf 6
(006) ldxb 4*([14]&0xf)
(007) ldb [x + 27] # fetches a byte
(008) and #0x2
(009) jeq #0x2 jt 10 jf 11
(010) ret #96
(011) ret #0
Code generated by libpcap 0.9.5 for "tcp[13:1] = 2" on Ethernet:
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 10
(002) ldb [23]
(003) jeq #0x6 jt 4 jf 10
(004) ldh [20]
(005) jset #0x1fff jt 10 jf 6
(006) ldxb 4*([14]&0xf)
(007) ldb [x + 27] # again, fetches a byte
(008) jeq #0x2 jt 9 jf 10
(009) ret #96
(010) ret #0
The only difference is that the first one checks whether the 0x02 bit
is set in that byte, and the second one checks whether that byte *is*
0x02, i.e. whether the 0x02 bit is set and no other bit is set.
Neither one should pass packets with SYN not set; the latter won't
pass SYN+ACK packets, so unless you only want the initial SYN, not any
SYN+ACK reply, you don't want that.
In any case, *neither* of those filters should, as noted, pass any
packets that don't have SYN set.
Could you download WinDump:
http://www.winpcap.org/windump/install/default.htm
and, from the Windows command line, try
windump -d "tcp[13] & 0x02 = 2"
and
windump -d "tcp[13:1] = 2"
along with
windump -h