Freebsd – How to filter out “bad-len 0” packets with tcpdump

freebsdnetwork-monitoringtcpdump

When I listen internal network interface of router on freebsd, I get outputs like this

10:36:02.372026 IP 192.168.1.11.8888 > 192.168.1.2.49831: Flags [.], ack 1097, win 65050, length 0
10:36:02.374275 IP 46.163.78.160.123 > 192.168.1.2.32999: NTPv4, Server, length 48
10:36:02.376121 IP bad-len 0

My purpose is that filter out to "bad-len 0" packets with tcpdump itself (not grep etc.)
I tried to write "greater 0" filter options but it didn't work.

Best Answer

You can use this expression to filter ip packets with zero in ip length header feild:

tcpdump -petnvv -i em0 'ip[2:2] = 0'

See pcap-filter(4) for tcpdump expression syntax and RFC 791 or other resources, e. g. this for ip header structure.

Related Solutions

Monitoring HTTP traffic using tcpdump

tcpdump prints complete packets. "Garbage" you see are actually TCP package headers.

you can certainly massage the output with i.e. a perl script, but why not use tshark, the textual version of wireshark instead?

tshark 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

it takes the same arguments as tcpdump (same library) but since its an analyzer it can do deep packet inspection so you can refine your filters even more, i.e.

tshark 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' -R'http.request.method == "GET" || http.request.method == "HEAD"'

tcpdump – How to Capture ACK or SYN Packets

The pcap filter syntax used for tcpdump should work exactly the same way on wireshark capture filter.

With tcpdump I would use a filter like this.

tcpdump "tcp[tcpflags] & (tcp-syn|tcp-ack) != 0"

Check out the tcpdump man page, and pay close attention to the tcpflags.

Be sure to also check out the sections in the Wireshark Wiki about capture and display filters. Unfortunately the two types of filters use a completely different syntax, and different names for the same thing.

If you wanted a display filter instead of capture filter you would probably need to build an expression combining tcp.flags.ack, and tcp.flags.syn. I am far more familiar with capture filters though, so you'll have to work that out on your own.

http://wiki.wireshark.org/DisplayFilters
- Display filter ref: http://www.wireshark.org/docs/dfref/
- TCP display ref: http://www.wireshark.org/docs/dfref/t/tcp.html
http://wiki.wireshark.org/CaptureFilters

Best Answer

Related Solutions

Monitoring HTTP traffic using tcpdump

tcpdump – How to Capture ACK or SYN Packets

Related Topic