TCP Options Challenge

November 18th, 2009 by Chris

I’ve had a bit going on including the release of a new reference tool for the Apple iPhone and iPod. The tool is called Packet Decode and I’ve set up an alternate site to help maintain it.

I feel bad about neglecting this site over the last few weeks, so I’ve decided to throw out another challenge. The winner will receive a free copy of the above-mentioned Packet Decode tool. OK, so you will not be able to retire on the proceeds, but hopefully the tool will make your life a bit easier. ;)

So here’s the challenge:

Write a tcpdump or Windump filter that will only capture packets that have the TCP “Window Scale” option set. All other TCP option settings can be ignored.

Pretty simple, eh? First person to post the answer in the comments section gets the prize.


2 comments

  1. Elizabeth Greene says:

    I’m probably way off here.. but is it
    tcpdump -i eth0 'tcp[13] & 2 == 2 and tcp[12] & 240 > 80 and tcp[20] == 3'

    In English,

    Is a SYN packet.
    'tcp[13] & 2 == 2'

    Header is longer than 5 32-bit words.
    'tcp[12] & 240 > 80'

    The first TCP option is 3.
    'tcp[20] == 3'

    This solution wouldn’t work if another TCP option was specified before window scaling.

  2. Chris says:

    You are not way off, very close!

    Here’s a Linux system that negotiates a WScale value of 5:
    http://www.chrisbrenton.org/wp-content/uploads/2009/11/linux-syn.zip

    Your filter is close, but does not catch it. Slight rewrite maybe? ;)
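
Added example, not part of the original post or its comments: Python that walks the TCP option list by its kind/length encoding to find Window Scale wherever it sits, next to the fixed-offset test from the first comment. The SYN headers are constructed samples (not the linked capture), and the function names and the option ordering in `SYN_WS_LATER` are assumptions made for illustration.

```python
import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_WSCALE = 0, 1, 3

def find_wscale(tcp: bytes):
    """Return the Window Scale shift count, or None if the option is absent."""
    if len(tcp) < 20:
        return None
    hdr_len = (tcp[12] >> 4) * 4              # data offset field, in bytes
    if hdr_len < 20 or hdr_len > len(tcp):
        return None                           # malformed or truncated header
    opts, i = tcp[20:hdr_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:                # end of option list
            break
        if kind == TCPOPT_NOP:                # one-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            break                             # kind byte with no length byte
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                             # bogus length would loop or overrun
        if kind == TCPOPT_WSCALE and length == 3:
            return opts[i + 2]
        i += length
    return None

def fixed_offset_match(tcp: bytes) -> bool:
    """Logic of the comment's filter: SYN set, header > 5 words, tcp[20] == 3."""
    return len(tcp) > 20 and (tcp[13] & 2) == 2 and (tcp[12] & 240) > 80 and tcp[20] == 3

def build_syn(options: bytes) -> bytes:
    """Constructed SYN header; ports, sequence number and window are sample values."""
    options += b"\x00" * (-len(options) % 4)  # pad options to a 32-bit boundary
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, offset << 4, 0x02, 5840, 0, 0) + options

MSS = b"\x02\x04\x05\xb4"
SACK_OK = b"\x04\x02"
TSTAMP = b"\x08\x0a" + b"\x00" * 8
WSCALE5 = b"\x03\x03\x05"

# Constructed samples: WScale first, WScale after other options, no WScale at all.
SYN_WS_FIRST = build_syn(WSCALE5 + b"\x01" + MSS)
SYN_WS_LATER = build_syn(MSS + SACK_OK + TSTAMP + b"\x01" + WSCALE5)
SYN_NO_WS = build_syn(MSS + SACK_OK)
```
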
