protocol names in a BPF filters are case sensitive, so you need to use "udp" instead of "UDP" and "icmp" instead of "UDP".tcp=18 means: look at offset 13 in the packet and only capture the packet when its value is 18.This means the SYN-bit (2) and the ACK-bit (16) both needs to be set, but all other TCP flags must be unset Display filters will, by definition, show all packets that match the filter. tcp&18 = 2 means: look at offset 0xd (13 in decimal) and then take it's value and then only look at the bits for SYN (2) and ACK (16) by doing a logical AND.So if you apply a display filter for a destination IP address, it will always show you all packets that have that destination IP address. Go to Statistics > Endpoints and click on the IPv4 tab. This will show you each IP address only once.
If the result is exactly 2, then capture the packet. This means, the SYN-bit (2) needs to be set, the ACK-bit (16) needs to be unset and all other bits in the TCP flags can be set or unset (as they were masked by the AND (&) operator.
0 kommentar(er)
