I am trying to understand how tcpdump works and trying to read TCP header control flags SYN, ACK, etc.
After researching online I came to know that the control flags are available at offset 13 and I need to use tcp[13]; however, I am not able to understand how this value 13 has been calculated.
Can anyone help?
Best Answer
TCP[13] is an array of bits (flags). When they're set to 1 they're enabled; when they're 0 they're disabled.
These tcpdump commands show how you can take the collection of TCP[13] bits and do bitwise ANDs to test if the bits are enabled:
The referenced URL (below) had this bullet which explains it as well:
TCP Header
If you take a look at the RFC 793 3.1 as well as this article on tcpdump advanced filters it becomes more obvious.
NOTE: These are the flags we're interested in.
Calculating a flag's position
You count the bytes (8 bits) from the top, numbering them at 0:
Bit order
I'll also mention that the number stored in byte 13 is ordered such that:
References
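As an added, runnable illustration of the answer above (this is not code from the original post): the script below lays out the fixed TCP header fields from RFC 793 3.1 in order, sums the sizes of the fields that precede the flags byte to arrive at offset 13, packs a constructed SYN and SYN-ACK segment, and then emulates the tcpdump filter expressions `tcp[13] & 2 != 0` (SYN set) and `tcp[13] & 0x12 == 0x12` (SYN and ACK both set) with plain bitwise ANDs. The field names and the sample port/sequence numbers are this example's own choices.

```python
import struct

# Bit values within the flags byte (byte 13 of the TCP header, RFC 793):
# bit 0 = FIN (1), bit 1 = SYN (2), bit 2 = RST (4), bit 3 = PSH (8),
# bit 4 = ACK (16), bit 5 = URG (32). ECE (64) and CWR (128) were added
# later by RFC 3168 and occupy the remaining two bits of the same byte.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]

# Fixed TCP header fields in wire order with their sizes in bytes.
# Field names here are this example's own labels for the RFC 793 fields.
TCP_FIELDS = [
    ("src_port", 2),
    ("dst_port", 2),
    ("seq", 4),
    ("ack", 4),
    ("data_offset_reserved", 1),  # 4-bit data offset + 4 reserved bits
    ("flags", 1),                 # the byte tcpdump addresses as tcp[13]
    ("window", 2),
    ("checksum", 2),
    ("urgent_pointer", 2),
]


def field_offset(name):
    """Byte offset of a fixed header field, counting from byte 0.

    Summing the sizes of every field that comes before "flags"
    (2 + 2 + 4 + 4 + 1) is exactly how the 13 in tcp[13] is derived.
    """
    offset = 0
    for field, size in TCP_FIELDS:
        if field == name:
            return offset
        offset += size
    raise KeyError(name)


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Pack a minimal 20-byte TCP header with no options (constructed data)."""
    data_offset_words = 5  # 5 x 32-bit words = 20 bytes; reserved bits zero
    return struct.pack(
        "!HHIIBBHHH",
        src_port, dst_port, seq, ack,
        data_offset_words << 4,  # data offset lives in the high nibble
        flags, window, 0, 0,     # checksum left at 0: not needed for this demo
    )


def tcp_flags(segment):
    """Return the raw flags byte, i.e. tcpdump's tcp[13]."""
    return segment[field_offset("flags")]


def matches(segment, mask, expected=None):
    """Emulate a tcpdump flag test.

    expected is None  -> 'tcp[13] & mask != 0'  (any bit in mask set)
    expected is given -> 'tcp[13] & mask == expected' (exact bits set)
    """
    value = tcp_flags(segment) & mask
    return value != 0 if expected is None else value == expected


def decode_flags(flags_byte):
    """List the names of the flag bits that are set, lowest bit first."""
    return [name for i, name in enumerate(FLAG_NAMES) if flags_byte & (1 << i)]


if __name__ == "__main__":
    # Constructed sample segments: a client SYN and the server's SYN-ACK.
    syn = build_tcp_header(40000, 443, seq=1000, ack=0, flags=SYN)
    synack = build_tcp_header(443, 40000, seq=5000, ack=1001, flags=SYN | ACK)

    print("flags byte offset:", field_offset("flags"))
    for label, seg in (("SYN", syn), ("SYN-ACK", synack)):
        b = tcp_flags(seg)
        print(f"{label}: tcp[13]=0x{b:02x} -> {decode_flags(b)}")
        print("  tcp[13] & 2 != 0      :", matches(seg, SYN))
        print("  tcp[13] & 0x12 == 0x12:", matches(seg, SYN | ACK, SYN | ACK))
```

Note that `tcp[13]` counts from the start of the TCP header, not the IP header; tcpdump applies the IP header length for you. The `tcp[tcpflags]` syntax and the named constants `tcp-syn`, `tcp-ack`, etc. in the pcap-filter manual are just readable spellings of the same byte and bit masks.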