![<\/a>](\"http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2011\/03\/tcp_state_machine.jpg\"){kind=link}
![\"tcp_state_machine\"](\"http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2011\/03\/tcp_state_machine1.jpg\" "\\"tcp_state_machine\\"")
<\/a>\nUSING TCPDUMP TO FILTER ON FLAGS:<\/strong><\/p>\n
The flags are defined in the 14th byte of the TCP header.<\/p>\n
+-+-+-+-+-+-+-+-+
\n|C|E|U|A|P|R|S|F|
\n|W|C|R|C|S|S|Y|I|
\n|R|E|G|K|H|T|N|N|
\n+-+-+-+-+-+-+-+-+<\/p><\/blockquote>\nIn the TCP 3-way handshakes, the exchange between hosts goes like this :<\/p>\n
1. Source sends SYN
\n2. Destination answers with SYN, ACK
\n3. Source sends ACK<\/p>\n– If we want to match packets with only the SYN flag set, the 14th byte would have a binary
\nvalue of 00000010 which equals 2 in decimal.
\n# tcpdump -i eth1 ‘tcp[13] = 2’<\/p>\n– Matching SYN, ACK (00010010 or 18 in decimal)
\n# tcpdump -i eth1 ‘tcp[13] = 18’<\/p>\n– Matching either SYN only or SYN-ACK datagrams
\n# tcpdump -i eth1 ‘tcp[13] & 2 = 2’<\/p>\nWe used a mask here. It will returns anything with the ACK bit set (thus the SYN-ACK combination as well)<\/p>\n
Let’s assume the following examples (SYN-ACK)<\/p>\n
00010010 : SYN-ACK packet
\n00000010 : mask (2 in decimal)
\n——–
\n00000010 : result (2 in decimal)<\/p>\nEvery bits of the mask match !<\/p>\n
– Matching PSH-ACK packets
\n# tcpdump -i eth1 ‘tcp[13] = 24’<\/p>\n– Matching any combination containing FIN (FIN usually always comes with an ACK so we either
\nneed to use a mask or match the combination ACK-FIN)
\n# tcpdump -i eth1 ‘tcp[13] & 1 = 1’<\/p>\n– Matching RST flag
\n# tcpdump -i eth1 ‘tcp[13] & 4 = 4’<\/p>\nUSING WIRESHARK:<\/strong>
\nBy simply using “tcp.flags & [number]” (without the quotes), you can easily filter interesting parts of the TCP conversation (such as SYN, SYN\/ACK, FIN and FIN\/ACK.<\/p>\n
![<\/a>](\"http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2011\/03\/tcpflags1.jpg\"){kind=link}