On Mon, Jun 02, 2003 at 08:29:10AM -0500, Evers, John E. wrote:
> http://www.security-forums.com/forum/viewtopic.php?t=4489
Note also that with newer versions of libpcap, you can also refer to TCP
flags symbolically; from the current tcpdump man page:
Some offsets and field values may be expressed as names rather than
as numeric values. The following protocol header field offsets are
available: icmptype (ICMP type field), icmpcode (ICMP code field),
and tcpflags (TCP flags field).
The following ICMP type field values are available: icmp-echoreply,
icmp-unreach, icmp-sourcequench, icmp-redirect, icmp-echo,
icmp-routeradvert, icmp-routersolicit, icmp-timxceed, icmp-paramprob,
icmp-tstamp, icmp-tstampreply, icmp-ireq, icmp-ireqreply,
icmp-maskreq, icmp-maskreply.
The following TCP flags field values are available: tcp-fin, tcp-syn,
tcp-rst, tcp-push, tcp-ack, tcp-urg.
...
To print the start and end packets (the SYN and FIN packets) of each
TCP conversation that involves a non-local host.
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'
This requires WinPcap 3.0 on Windows, and libpcap 0.7 or later on UNIX.
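As an added illustration (not part of this message, and not tcpdump or libpcap code), the following Python evaluates the same filter expression, `tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet`, over a few constructed IPv4/TCP packets, and also spells the flag test out numerically, which is what a pre-0.7 libpcap would need. The bit values of the six flag names and the offset 13 of `tcpflags` are the real ones from the TCP header layout; the function names, the sample addresses, and the choice of 10.0.0.0/24 as `localnet` are my own assumptions.

```python
import ipaddress
import struct

# Symbolic names and the bit each one stands for in the TCP flags byte.
# libpcap 0.7+ / WinPcap 3.0 accept the names; older versions need numbers.
TCP_FLAGS = {
    "tcp-fin": 0x01,
    "tcp-syn": 0x02,
    "tcp-rst": 0x04,
    "tcp-push": 0x08,
    "tcp-ack": 0x10,
    "tcp-urg": 0x20,
}
TCPFLAGS_OFFSET = 13  # 'tcpflags' is byte 13 of the TCP header (same as tcp[13])


def flag_mask(flag_names):
    """OR the named flags together, as (tcp-syn|tcp-fin) does in the filter."""
    mask = 0
    for name in flag_names:
        mask |= TCP_FLAGS[name]
    return mask


def numeric_filter(flag_names):
    """Spell 'tcp[tcpflags] & (names) != 0' with numbers only, for old libpcap."""
    return "tcp[%d] & 0x%02x != 0" % (TCPFLAGS_OFFSET, flag_mask(flag_names))


def build_ipv4_tcp(src, dst, flags, sport=40000, dport=80):
    """Constructed sample packet: minimal IPv4 + TCP headers, no payload,
    zero checksums (enough for header-field matching, not for sending)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + tcp


def parse(packet):
    """Return (src, dst, tcp_flags_byte) from a raw IPv4/TCP packet."""
    ihl = (packet[0] & 0x0F) * 4  # IP header length; TCP header starts here
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    flags = packet[ihl + TCPFLAGS_OFFSET]
    return src, dst, flags


def matches_syn_fin_nonlocal(packet, localnet):
    """Evaluate: tcp[tcpflags] & (tcp-syn|tcp-fin) != 0
                 and not src and dst net localnet
    i.e. a SYN or FIN packet where at least one endpoint is outside localnet."""
    src, dst, flags = parse(packet)
    net = ipaddress.IPv4Network(localnet)
    has_syn_or_fin = (flags & flag_mask(("tcp-syn", "tcp-fin"))) != 0
    both_local = src in net and dst in net
    return has_syn_or_fin and not both_local


# Constructed traffic (assumed localnet is 10.0.0.0/24; 192.0.2.7 is non-local).
SAMPLE_PACKETS = [
    build_ipv4_tcp("10.0.0.5", "192.0.2.7", TCP_FLAGS["tcp-syn"]),               # outbound SYN
    build_ipv4_tcp("192.0.2.7", "10.0.0.5", TCP_FLAGS["tcp-syn"] | TCP_FLAGS["tcp-ack"]),
    build_ipv4_tcp("10.0.0.5", "192.0.2.7", TCP_FLAGS["tcp-ack"]),               # plain ACK
    build_ipv4_tcp("10.0.0.5", "192.0.2.7", TCP_FLAGS["tcp-fin"] | TCP_FLAGS["tcp-ack"]),
    build_ipv4_tcp("10.0.0.5", "10.0.0.9", TCP_FLAGS["tcp-syn"]),                # local-only SYN
]


def select_conversation_edges(packets, localnet="10.0.0.0/24"):
    """Indices of packets the filter would print: start/end of non-local conversations."""
    return [i for i, p in enumerate(packets) if matches_syn_fin_nonlocal(p, localnet)]


if __name__ == "__main__":
    print(numeric_filter(("tcp-syn", "tcp-fin")))   # tcp[13] & 0x03 != 0
    print(select_conversation_edges(SAMPLE_PACKETS))  # [0, 1, 3]
```

Running it shows that the plain ACK (index 2) and the SYN between two local hosts (index 4) are dropped, while the outbound SYN, the SYN/ACK and the FIN/ACK of the external conversation are kept, which is exactly what the man page's one-liner selects on a live interface.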