When I listen to the internal network interface of a router on FreeBSD, I get output like this:
10:36:02.372026 IP 192.168.1.11.8888 > 192.168.1.2.49831: Flags [.], ack 1097, win 65050, length 0
10:36:02.374275 IP 46.163.78.160.123 > 192.168.1.2.32999: NTPv4, Server, length 48
10:36:02.376121 IP bad-len 0
My purpose is to filter out the "bad-len 0" packets with tcpdump itself (not grep etc.).
I tried the "greater 0" filter option, but it didn't work.
Best Answer
You can use this expression to filter IP packets with zero in the IP length header field:
See pcap-filter(4) for tcpdump expression syntax, and RFC 791 or other resources, e.g. this, for the IP header structure.
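Added example, not part of the question or the answer above: the filter that the answer points at is built from the IPv4 header layout in RFC 791. Bytes 2-3 of the header hold the 16-bit total length, so in pcap-filter syntax `ip[2:2]` reads that field and `ip and ip[2:2] != 0` keeps only IPv4 packets whose length field is non-zero. The `greater 0` attempt from the question compares the length of the captured frame, which is never zero, so it cannot exclude these packets. The code below builds two constructed IPv4 headers (one with total length 0, one with a valid value) and mirrors the BPF test in Python so the offset arithmetic can be checked offline; tcpdump itself is not invoked. The interface name `em1` in the command string is an assumption.

```python
"""Mirror of the pcap-filter test `ip[2:2] != 0` over constructed IPv4 headers.

RFC 791 header layout (first 4 bytes):
  byte 0      version (4 bits) | IHL (4 bits)
  byte 1      type of service
  bytes 2-3   total length, big endian
"""
import struct

# Filter expression to pass to tcpdump; `ip` restricts it to IPv4 so the
# byte offset is taken from the start of the IPv4 header, whatever the
# link layer is.  The interface name is an assumption for illustration.
FILTER = "ip and ip[2:2] != 0"
TCPDUMP_CMD = "tcpdump -ni em1 '%s'" % FILTER


def ipv4_header(total_length: int, proto: int = 6,
                src=(192, 168, 1, 11), dst=(192, 168, 1, 2)) -> bytes:
    """Build a minimal 20-byte IPv4 header (constructed sample, no options).

    The header checksum is left as 0; the filter never inspects it.
    """
    ver_ihl = (4 << 4) | 5          # version 4, IHL 5 words = 20 bytes
    return struct.pack("!BBHHHBBH4s4s",
                       ver_ihl, 0, total_length,
                       0, 0,                 # identification, flags/fragment
                       64, proto, 0,         # TTL, protocol, checksum
                       bytes(src), bytes(dst))


def ip_total_length(packet: bytes) -> int:
    """Equivalent of `ip[2:2]`: big-endian 16-bit field at IP header offset 2."""
    return struct.unpack_from("!H", packet, 2)[0]


def passes_filter(packet: bytes) -> bool:
    """True when tcpdump would print the packet under `ip[2:2] != 0`."""
    return ip_total_length(packet) != 0


def is_bad_len(packet: bytes) -> bool:
    """tcpdump's IP printer reports 'bad-len N' when the total-length field N is
    smaller than the header length it derives from IHL; 'bad-len 0' is the case
    from the question, where the field is zero."""
    header_len = (packet[0] & 0x0F) * 4
    return ip_total_length(packet) < header_len


if __name__ == "__main__":
    good = ipv4_header(40)   # e.g. a 20-byte header plus 20 bytes of TCP
    zero = ipv4_header(0)    # the length field tcpdump flags as bad-len 0
    for name, pkt in (("good", good), ("zero", zero)):
        print(name, "ip[2:2] =", ip_total_length(pkt),
              "shown by filter:", passes_filter(pkt),
              "bad-len:", is_bad_len(pkt))
    print("command:", TCPDUMP_CMD)
```

On the router, the same test runs inside the kernel's BPF engine, so the packets never reach tcpdump's printer; nothing is post-processed in user space, which is what the question asked for.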