| Expression | Description |
| [x:y] | start at offset x from the beginning of packet and read y bytes |
| [x] | abbreviation for [x:1] |
| proto[x:y] | start at offset x into the proto header and read y bytes |
| p[x:y] & z = 0 | p[x:y] has none of the bits selected by z |
| p[x:y] & z != 0 | p[x:y] has any of the bits selected by z |
| p[x:y] & z = z | p[x:y] has all of the bits selected by z |
| p[x:y] = z | p[x:y] has only the bits selected by z |
| The usual rules about operator precedence apply; nesting things inside brackets is probably a good plan. you'll probably want to put the filter into a file or at least single-quote it on the commandline to stop the shell from interpreting the metacharacters. !([:])& | |
| Parts of an IP Packet | |
| ip[0] & 0xf0 | High order nibble: IP version (4 = IPv4, 6 = IPv6) |
| ip[0] & 0x0f | Low order nibble: Header Length (Common Value = 5, Multiplier 4, 20 byte header) |
| ip[1] | Type of Service/QoS/DiffServ |
| ip[2:2] | Total length of datagram in octets |
| ip[4:2] | IP ID number |
| ip[6] & 0x80 | Reserved (Evil bit) |
| ip[6] & 128 != 0 | Evil bit set (RFC 3514 defines the evil bit as April Fools joke) |
| ip[6] & 0x40 | Don't Fragment bit |
| ip[6] & 0x20 | More Fragments bit |
| ip[6:2] & 0x1fff | Fragment Offset (number of 8 octet blocks) |
| ip[6:2] & 0x1fff != 0x000 | Fragment Offset is not 0 |
| ip[6:2] & 0x3fff != 0 | Look for ALL fragmented ip packets |
| ip[6] &0x20 = 0x20 or ip[6:2] &0x1fff != 0 | Look for more fragment bit set or fragment offset greater than 0 (Look for ALL fragmented ip packets) |
| ip[6] &0x20 = 0 and ip[6:2] &0x1fff != 0 | Look for more fragment bit not set and fragment offset greater than 0 (Last fragment packets) |
| ip[8] | TTL |
| ip[9] | Protocol |
| ip[9] = 0x01 | 1 = ICMP |
| ip[9] = 0x02 | 2 = IGMP |
| ip[9] = 0x06 | 6 = TCP |
| ip[9] = 0x09 | 9 = IGRP |
| ip[9] = 0x11 | 17 = UDP |
| ip[9] = 0x2F | 47 = GRE |
| ip[9] = 0x32 | 50 = ESP |
| ip[9] = 0x33 | 51 = AH |
| ip[10:2] | Header Checksum |
| ip[12:4] | Source IP |
| ip[16:4] | Destination IP |
| ip[20..60] | No IP Header Options |
| Parts of an ICMP Packet | |
| icmp[0] | Type |
| icmp[1] | Code |
| icmp[2:2] | Checksum |
| icmp[4...] | Payload |
| Parts of a UDP Packet | |
| udp[0:2] | source port |
| udp[2:2] | destination port |
| udp[4:2] | datagram length |
| udp[6:2] | UDP checksum |
| Parts of a TCP Packet | |
| tcp[0:2] | source port |
| tcp[2:2] | destination port |
| tcp[4:4] | sequence number |
| tcp[8:4] | acknowledgement number |
| tcp[12] | header length (Multiplier 4) |
| tcp[13] | tcp flags |
| tcp[14:2] | window size |
| tcp[16:2] | checksum |
| tcp[18:2] | urgent pointer |
| tcp[20..60] | options or data |
| Other Examples | |
| (tcp[13] & 0x02) != 0 | Contains SYN (maybe other stuff as well) |
| (tcp[13] & 0x03) = 3 | SYN / FIN |
| ip[12:4] = ip[16:4] | Land Attack |
| (tcp[2:2] = 139) && (tcp[13] & 0x20 != 0) && (tcp[19] & 0x01 = 1) | Winnuke |
| (tcp[13] & 0xe7) != 0 | Things other than ACK/PSH |
| (ip[6] & 0x20 != 0) && (ip[6:2] & 0x1fff = 0) | Initial fragments |
| (ip[6] & 0x20 != 0) && (ip[6:2] & 0x1fff != 0) | Intervening fragments |
| (ip[6] & 0x20 = 0) && (ip[6:2] & 0x1fff != 0) | End of the fragment train |
| (ip[0] & 0x0f) != 5 | Has IP Options (or is truncated, or is just some sort of freak...) |
| ((ip[6] & 0x20 = 0) && (ip[6:2] & 0x1fff != 0)) && ((65535 < (ip[2:2] + 8*(ip[6:2] & 0x1fff)) | Ping-O-Death (any oversized IP-transported data...) |
| TCP Flags (Control Bits) | |||
| CWR | ECE | URG | ACK | PSH | RST | SYN | FIN | |||
| FIN = Finish | |||
| SYN = Synchronize | |||
| RST = Reset | |||
| PSH = Push | |||
| ACK = Acknowledgment | |||
| URG = Urgent | |||
| ECE = Explicit Congestion Notification Echo | |||
| CWR = Congestion Window Reduced | |||
| Filter | Flags | Binary Hex | Description |
| tcp[13] = 0x01 | ---- ---F | 0000 0001 = 0x01 | FIN only |
| tcp[13] = 0x02 | ---- --S- | 0000 0010 = 0x02 | SYN only |
| tcp[13] = 0x03 | ---- --SF | 0000 0011 = 0x03 | SYN-FIN |
| tcp[13] = 0x04 | ---- -R-- | 0000 0100 = 0x04 | RST only |
| tcp[13] = 0x05 | ---- -R-F | 0000 0101 = 0x05 | RST-FIN |
| tcp[13] = 0x06 | ---- -RS- | 0000 0110 = 0x06 | SYN-RST |
| tcp[13] = 0x07 | ---- -RSF | 0000 0111 = 0x07 | SYN-FIN-RST |
| tcp[13] = 0x08 | ---- P--- | 0000 1000 = 0x08 | PSH only |
| tcp[13] = 0x10 | ---A ---- | 0001 0000 = 0x10 | ACK only |
| tcp[13] = 0x12 | ---A --S- | 0001 0010 = 0x12 | SYN-ACK |
| tcp[13] = 0x14 | ---A -R-- | 0001 0100 = 0x14 | RST-ACK (it happens) |
| tcp[13] = 0x18 | ---A P--- | 0001 1000 = 0x18 | PSH-ACK |
| tcp[13] = 0x20 | --U- ---- | 0010 0000 = 0x20 | URG only |
| tcp[13] = 0x29 | --U- P--F | 0010 1001 = 0x29 | URG-PSH-FIN (nmap fingerprint packet) |
| tcp[13] = 0x38 | --UA P--- | 0011 1000 = 0x38 | PSH-URG-ACK interactive stuff like ssh |
| tcp[13] = 0x40 | -Y-- ---- | 0100 0000 = 0x40 | anything >= 0x40 has a reserved bit set |
| Tcp[13] = 0x80 | X--- ---- | 1000 0000 = 0x80 | CWR only |
| tcp[13] = 0xC0 | XY-- ---- | 1100 0000 = 0xC0 | Both ECN flags set |
| tcp[13] = 0xFF | XYUA PRSF | 1111 1111 = 0xFF | FULL_XMAS scan |
| tcp[13] & 1 != 0 | ---- ---F | 0000 0001 = 0x01 | FIN set |
| tcp[13] & 2 != 0 | ---- --S- | 0000 0010 = 0x02 | SYN set |
| tcp[13] & 4 != 0 | ---- -R-- | 0000 0100 = 0x04 | RST set |
| tcp[13] & 8 != 0 | ---- P--- | 0000 1000 = 0x08 | PSH set |
| tcp[13] & 16 != 0 | ---A ---- | 0001 0000 = 0x10 | ACK set |
| tcp[13] & 32 != 0 | --U- ---- | 0010 0000 = 0x20 | URG set |
| tcp[13] & 64 != 0 | -Y-- ---- | 0100 0000 = 0x40 | ECE set |
| tcp[13] & 128 != 0 | X--- ---- | 1000 0000 = 0x80 | CWR set |
*Some examples are from
http://staff.washington.edu/dittrich/talks/core02/tools/tcpdump-filters.txt and reformatted into a table. This site also has some other useful info and examples.
