Reading tcpdump header length command

StackOverflow https://stackoverflow.com/questions/18777672

Question

This is my first post and I absolutely <3 this site! So much great content!

So, I have the following TCPDump command I want to understand what it is asking (in plain English).

tcpdump 'tcp[12] & 80 !=0'

Is it asking to grab all TCP packets on byte offset 12 (TCP Header length and Reserved bits) with values at least 80 that is true? I believe I am wrong.

If the above is true, can someone write out the possible binaries for it?

80 gives 0101 0000. My mentor also wrote down: 1111 0000 and 0111 0000. But I don't know why...

If it's at least 80, the binary combo for that could be countless...

Was it helpful?

Solution

Is it asking to grab all TCP packets on byte offset 12 (TCP Header length and Reserved bits) with values at least 80 that is true

No. 80 in decimal is 50 in hexadecimal, so it's equivalent to tcp[12] & 0x50 !=0, which tests whether either the 0100 0000 bit or the 0001 0000 bit in the 12th byte of the TCP header are set. That's true of 0101 0000, but is also true of 1111 0000 and 0111 0000, as well as 0100 0000 and 0001 0000 and 0100 1111 and....

If you want to test the uppermost bit of that byte, you'd use tcp[12] & 0x80 !=0. That would, in effect, match all values >= 0x80.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top