Ed Ravin wrote:
On Mon, Nov 27, 2006 at 08:12:58PM +0000, Awais Awan wrote:
I am working with flow tools and I want to look at different flags using n-filter. I have managed to look at SYN packets with ip-tcp-flag set to 0x2 and ACK packets with 0x10. Are these correct flags? Can I see any list of these TCP flags which tells me which flag represents what? The man pages say that 0x2 will work for filtering SYN packets, but what about other flags? Is there any list that can tell me the details of all flags?

flags: bit (left to right in net order) URG ACK PSH RST SYN FIN
   #define TH_FIN    0x01
   #define TH_SYN    0x02
   #define TH_RST    0x04
   #define TH_PUSH   0x08
   #define TH_ACK    0x10
   #define TH_URG    0x20

I had the same questions you did a couple of years ago, and it turns out
that this information isn't in the flow-tools documentation. I found
the above by digging through the source code. The flags are the same as
found in the TCP packet header.

Thanks for your help. Can you kindly point out the name of the source file which contains these definitions? If I have to look for a combination of these flags in a flow, say a SYN and an ACK, should the following filter (below) be enough?

filter-primitive prot
type ip-protocol
permit 6

filter-primitive synflag
type ip-tcp-flags
permit 0x2/0x2

filter-primitive ackflag
type ip-tcp-flags
permit 0x10/0x10

filter-primitive port80
type ip-port
permit 80

filter-primitive port25
type ip-port
permit 25


filter-definition packs
match ip-protocol prot
match ip-destination-port port25
match ip-tcp-flags synflag
or
match ip-protocol prot
match ip-destination-port port25
match ip-tcp-flags ackflag

---

It will give me flows with either SYN enabled or ACK enabled. But I am interested in flows having both SYN and ACK. Can you comment?

Awais


_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
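The following is an added example, not part of the thread and not flow-tools code: it takes the TH_* bit values from Ed's message and shows, on a handful of constructed flow records, the difference between two `or`-separated groups (SYN or ACK) and a single value/mask primitive that requires both bits (`0x12/0x12`). It assumes that a `permit value/mask` primitive means "the bits selected by mask must equal value", and that the flags field of a flow record is the OR of the flags seen on all packets in that flow, as in NetFlow v5. The flow records, source addresses and the helper names are all constructed for the example.

```python
"""Evaluate ip-tcp-flags style value/mask filters over flow records.

TH_* values are the ones quoted in the thread (same bits as the TCP header).
The flow records below and the value/mask semantics are constructed for
this example; they are not flow-tools code.
"""

TH_FIN = 0x01
TH_SYN = 0x02
TH_RST = 0x04
TH_PUSH = 0x08
TH_ACK = 0x10
TH_URG = 0x20

# Header order, left to right, as given in the thread.
FLAG_NAMES = [(TH_URG, "URG"), (TH_ACK, "ACK"), (TH_PUSH, "PSH"),
              (TH_RST, "RST"), (TH_SYN, "SYN"), (TH_FIN, "FIN")]


def flag_names(flags):
    """Decode a flags byte into names, e.g. 0x12 -> ['ACK', 'SYN']."""
    return [name for bit, name in FLAG_NAMES if flags & bit]


def parse_primitive(spec):
    """Parse 'value' or 'value/mask' as written in a permit line.

    Assumption: a bare value is shorthand for value/value.
    """
    if "/" in spec:
        value, mask = spec.split("/", 1)
        return int(value, 0), int(mask, 0)
    value = int(spec, 0)
    return value, value


def flags_match(flags, spec):
    """Assumed semantics: the bits selected by mask must equal value."""
    value, mask = parse_primitive(spec)
    return (flags & mask) == value


# Constructed sample flows: (src, dst, dst port, cumulative TCP flags).
# The flags field is the OR of every packet's flags in the flow.
FLOWS = [
    ("10.0.0.5", "192.0.2.10", 25, TH_SYN),                      # SYN only
    ("10.0.0.6", "192.0.2.10", 25, TH_SYN | TH_ACK),             # completed handshake
    ("10.0.0.7", "192.0.2.10", 25, TH_ACK | TH_PUSH | TH_FIN),   # data, no SYN seen
    ("10.0.0.8", "192.0.2.10", 80, TH_SYN | TH_ACK | TH_PUSH),   # wrong port
    ("10.0.0.9", "192.0.2.10", 25, TH_RST),                      # reset only
]


def select(flows, dport, flag_specs, mode="or"):
    """Keep flows to dport whose flags satisfy the specs.

    mode='or' mirrors two 'or'-separated match groups (either spec may hit);
    mode='and' requires every spec to hit.
    """
    combine = any if mode == "or" else all
    return [f for f in flows
            if f[2] == dport and combine(flags_match(f[3], s) for s in flag_specs)]


def either_syn_or_ack(flows):
    """The filter as written in the thread: synflag OR ackflag on port 25."""
    return select(flows, 25, ["0x2/0x2", "0x10/0x10"], mode="or")


def both_syn_and_ack(flows):
    """A single primitive that needs both bits set: 0x12/0x12."""
    return select(flows, 25, ["0x12/0x12"])


def syn_without_ack(flows):
    """SYN set and ACK clear: value 0x02 under mask 0x12 (half-open flows)."""
    return select(flows, 25, ["0x2/0x12"])


if __name__ == "__main__":
    for label, fn in (("SYN or ACK", either_syn_or_ack),
                      ("SYN and ACK", both_syn_and_ack),
                      ("SYN, no ACK", syn_without_ack)):
        print(label)
        for src, dst, port, flags in fn(FLOWS):
            print(f"  {src} -> {dst}:{port}  0x{flags:02x} {flag_names(flags)}")
```

The mask is what carries the "both" requirement: `0x2/0x2` and `0x10/0x10` in separate `or` groups each test one bit, so any flow with either bit passes, whereas `0x12/0x12` tests both bits at once and only the handshake flow passes. The same mechanism with a wider mask than value (`0x2/0x12`) isolates flows where SYN was seen but ACK never was, which is the shape of a connection attempt that was never completed.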
