Earlier I posted a challenge to write a tcpdump/Windump filter that would capture packets that have the TCP option “Window Scale” set. Some folks are close, but I wanted to post a few hints. Also, I have no problem with you e-mailing me directly, but to win the challenge you have to post the answer to the comments section. That way there is no question as to who found the answer first.
Hint 1: All TCP options are identified by a “Registry Kind” value (similar to the ICMP “Type” field). In the case of Window Scale, that value is 3. Also, all TCP options except for NOP contain a secondary field called “Length”. This defines how many bytes the option is using, including the “Registry Kind” byte. In the case of Window Scale the length value is always 3. So we have:
- 1 byte for Registry Kind
- 1 byte for Length
- 1 byte for the actual WScale value
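To see that layout in action, here is a small Python walker over a TCP options block, written for this post as an added example (it is not Chris's code and not the answer to the challenge). It takes the hex string in the form tshark prints it, steps through the options honoring the two special cases (EOL has no length and ends the list, NOP has no length at all), and pulls out the Window Scale shift count wherever it happens to sit. The sample options block is constructed to look like a Linux SYN (MSS, SACK-permitted, Timestamps, NOP, WScale 5); the helper that slices options out of a full TCP header using the data offset is also an assumption of this example rather than anything from the post.

```python
import struct

# Constructed sample, laid out like a Linux SYN's options (not a real capture):
# MSS=1460, SACK-permitted, Timestamps, NOP padding, Window Scale shift 5.
SAMPLE_OPTIONS_HEX = "02:04:05:b4:04:02:08:0a:00:01:e2:40:00:00:00:00:01:03:03:05"

KIND_EOL = 0      # end of option list: no length byte, stops parsing
KIND_NOP = 1      # one-byte padding: no length byte
KIND_WSCALE = 3   # Window Scale: kind, length (always 3), one shift-count byte


def hex_to_bytes(s: str) -> bytes:
    """Accept tshark-style 'aa:bb:cc' or plain 'aabbcc' hex."""
    return bytes.fromhex(s.replace(":", "").replace(" ", ""))


def parse_tcp_options(data: bytes):
    """Walk a TCP options block and return a list of (kind, value_bytes).

    Every option except EOL and NOP is kind, length, then (length - 2)
    value bytes, so the position of any given option depends on what
    precedes it; a fixed offset check would miss WScale in most stacks.
    """
    opts = []
    i = 0
    while i < len(data):
        kind = data[i]
        if kind == KIND_EOL:
            break
        if kind == KIND_NOP:
            opts.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option: kind %d has no length byte" % kind)
        length = data[i + 1]
        # A length under 2 would loop forever; a length past the end is malformed.
        if length < 2 or i + length > len(data):
            raise ValueError("bad option length %d for kind %d" % (length, kind))
        opts.append((kind, data[i + 2:i + length]))
        i += length
    return opts


def window_scale(data: bytes):
    """Return the WScale shift count, or None if the option is absent."""
    for kind, value in parse_tcp_options(data):
        if kind == KIND_WSCALE and len(value) == 1:
            return value[0]
    return None


def tcp_options_from_header(tcp_header: bytes) -> bytes:
    """Slice the options out of a raw TCP header using the data offset field.

    The high nibble of byte 12 is the header length in 32-bit words; anything
    after the fixed 20 bytes and before that boundary is options.
    """
    doff = (tcp_header[12] >> 4) * 4
    if doff < 20 or doff > len(tcp_header):
        raise ValueError("bad TCP data offset %d" % doff)
    return tcp_header[20:doff]


def build_syn_header(options: bytes) -> bytes:
    """Assemble a minimal TCP SYN header around an options block (sample data)."""
    doff_words = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH",
                        40000, 80,            # source port, destination port
                        1, 0,                 # seq, ack
                        doff_words << 4,      # data offset in the high nibble
                        0x02,                 # flags: SYN only
                        29200, 0, 0)          # window, checksum (unset), urgent ptr
    return fixed + options


if __name__ == "__main__":
    opts = hex_to_bytes(SAMPLE_OPTIONS_HEX)
    for kind, value in parse_tcp_options(opts):
        print("kind %2d  value %s" % (kind, value.hex() or "-"))
    print("WScale shift:", window_scale(opts))
    print("same result via header:", window_scale(tcp_options_from_header(build_syn_header(opts))))
```

Feed it the hex that the tshark command below prints and it will tell you whether a packet carries kind 3, which is exactly the test a capture filter has to express in terms of byte offsets.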
Hint 2: If you have never drilled into the TCP Options field, tshark has a cool option:
tshark -n -r capture-file.cap -T fields -e tcp.options
This will output the entire TCP options field in hex so you can at least see what it looks like.
Final clue: I’ve posted a Linux SYN packet which sets WScale to 5 for you to use to check your filter.
Good luck!
Chris