TCP Options – Final clue

November 19th, 2009 by Chris Leave a reply »

I’ve had one thread post and four e-mails that are soooooo close to the right answer. Here’s one last clue to hopefully get folks over the final hurdle.

I mentioned the helpful tshark command. Here’s the output:

C:\testing>tshark -n -r linux-syn.cap -T fields -e tcp.options
02:04:05:b4:04:02:08:0a:02:47:4a:a8:00:00:00:00:01:03:03:05

So what you have above is the TCP options section (byte 20 and higher) of the test packet. The Window Scale option is the last option in the list.

I know writing this filter is not easy. In fact that’s why I turned it into a challenge. It is possible however. ;)

Related posts:

  1. TCP Options Challenge – clues
  2. Tshark Challenge – The Final Answers
  3. TCP Options Challenge
  4. Oh where, oh where can WScale be?

Posted in 3-err, Packet Decoding

Tags:

You can follow any responses to this entry through the RSS 2.0 Feed. You can leave a response , or trackback from your own site.

Advertisement

1 comment

Add your comment
  1. Elizabeth Greene says:
    November 19, 2009 at 4:47 pm

    There has to be a better solution than just searching for the string 0×3,0×3. Seriously?

    Reply

Leave a Reply