Wireshark – Capture Only TCP Packets with RST Flag

packet-analysis, tcp, wireshark

I'm quite new to networking and I got stuck while reading "Practical Packet Analysis: Using Wireshark to Solve…".

On page 61 it is written:

A common scenario is to capture only TCP packets with the RST flag set. We will cover TCP extensively in Chapter 6. For now, you just need to know that the flags of a TCP packet are located at offset 13. This is an interesting field because it is collectively 1 byte in size as the flags field, but each particular flag is identified by a single bit within this byte. Multiple flags can be set simultaneously in a TCP packet, so we can't efficiently filter by a single tcp[13] value because several may represent the RST bit being set. Therefore, we must specify the location within the byte that we wish to examine by appending that location to the current primitive with a single ampersand ( & ). The RST flag is at the bit representing the number 4 within this byte, and the fact that this bit is set to 4 tells us that the flag is set. The filter looks like this:

tcp[13] & 4 == 4

But when I look at the TCP header on wiki, I see the RST flag is the 5th bit within the 13th byte (?)


My questions:

  1. Why is it looking for the 4th bit within the 13th byte (tcp[13] & 4)? Shouldn't it be the 5th, as marked in the picture?
  2. Why is it comparing the value of the flag with 4? TCP contains 9 1-bit flags. Shouldn't the value of the flag be either 0 or 1?
  3. In order to check for the URG flag, the book mentions the filter tcp[13] & 32 == 32, which I really don't get.

Thanks!

Best Answer

The RST flag is at the bit representing the number 4 within this byte

refers to the numerical value of bit 2 (2^2 = 4) - the bits are numbered 76543210 from MSB to LSB with the numerical values 128, 64, 32, 16, 8, 4, 2, 1.

In the same manner, URG is bit 5 and 2^5 = 32.
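To make the bit arithmetic concrete, here is an added example (not from the answer above) that builds a minimal TCP header with constructed sample values, reads byte 13 and evaluates the BPF-style test `tcp[13] & mask == mask`. It also shows why the book says an exact `tcp[13] == 4` comparison is not enough: an RST+ACK segment has byte 13 equal to 20, so only the masked test catches it.

```python
import struct

# Flag bit values in the TCP flags byte (tcp[13]); bit n has value 2**n.
# The ninth flag, NS, lives in the low bit of byte 12, not in byte 13.
TCP_FLAGS = {
    "FIN": 1 << 0,  # 1
    "SYN": 1 << 1,  # 2
    "RST": 1 << 2,  # 4
    "PSH": 1 << 3,  # 8
    "ACK": 1 << 4,  # 16
    "URG": 1 << 5,  # 32
    "ECE": 1 << 6,  # 64
    "CWR": 1 << 7,  # 128
}

def build_tcp_header(sport, dport, flags):
    """Construct a minimal 20-byte TCP header (no options) with the named flags set.
    Sample data constructed for this example: seq/ack, window, checksum and urgent
    pointer are filler values, only byte 13 (the flags byte) matters here."""
    flag_byte = 0
    for name in flags:
        flag_byte |= TCP_FLAGS[name]
    data_offset = 5 << 4  # 5 x 32-bit words, stored in the upper nibble of byte 12
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, data_offset, flag_byte, 65535, 0, 0)

def bpf_flag_match(tcp_header, mask):
    """Evaluate the capture-filter primitive 'tcp[13] & mask == mask' on a raw header."""
    return (tcp_header[13] & mask) == mask

def decode_flags(tcp_header):
    """Return the names of all flags set in byte 13, from the highest-valued bit down."""
    b = tcp_header[13]
    return [n for n, v in sorted(TCP_FLAGS.items(), key=lambda kv: -kv[1]) if b & v]

def demo():
    rst_only = build_tcp_header(443, 51000, ["RST"])
    rst_ack = build_tcp_header(443, 51000, ["RST", "ACK"])
    syn = build_tcp_header(51000, 443, ["SYN"])
    return {
        "rst_only_byte13": rst_only[13],                                  # 4
        "rst_ack_byte13": rst_ack[13],                                    # 20 = 16 + 4
        "exact_match_misses_rst_ack": rst_ack[13] == 4,                   # False
        "mask_match_rst_ack": bpf_flag_match(rst_ack, TCP_FLAGS["RST"]),  # True
        "mask_match_syn": bpf_flag_match(syn, TCP_FLAGS["RST"]),          # False
        "urg_mask": TCP_FLAGS["URG"],                                     # 32
        "rst_ack_flags": decode_flags(rst_ack),                           # ['ACK', 'RST']
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```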