> Hello,
> I have just switched from using snoop to tcpdump. I am
> getting my hands around creating filters for tcpdump.
> I am looking at a filter such as this:
>
> tcp and (tcp[13] & 3 != 0)
>
> Now I know that the 13 is the byte in the TCP header
> at which the syn, fin, ack, urg, push or reset
> bits are set. However the "& 3 != 0" seems to make no
> sense to me. Could someone break this down for me? I
> would really appreciate it as this seems to be the key
> for creating filters based on flags. TIA
>
> _______________________________________________
> Firewalls mailing list
> Firewalls@lists.gnac.net
> http://lists.gnac.net/mailman/listinfo/firewalls

You've made a mistake in the priority of the operators in the boolean expression. This condition expression is equal to:

tcp and ( ( tcp[13] & 3 ) != 0 )    // if there is a FIN or SYN flag in the TCP packet.
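To make the precedence point concrete, here is an added example (not from the thread or from tcpdump/libpcap itself) that builds a few minimal TCP headers and evaluates the filter the way BPF does: `tcp[13]` is the byte at offset 13 from the start of the TCP header, `&` masks it, and only then is the result compared with `!= 0`. The sample packets, port numbers and helper names are all constructed for this example.

```python
import struct

# Flag bits of TCP header byte 13 (RFC 793; ECE/CWR added by RFC 3168).
TCP_FLAGS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
    "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80,
}

def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed sample: a minimal 20-byte TCP header with no options.
    Field order: sport, dport, seq, ack, data-offset/reserved, flags, window,
    checksum, urgent pointer (checksum left at 0; irrelevant to the filter)."""
    data_offset_words = 5                 # 20 bytes / 4
    return struct.pack("!HHIIBBHHH",
                       sport, dport, 0, 0,
                       data_offset_words << 4, flags,
                       65535, 0, 0)

def tcp13(header: bytes) -> int:
    """tcpdump's tcp[13]: the byte at offset 13 of the TCP header, i.e. the flags."""
    return header[13]

def bpf_flags_nonzero(header: bytes, mask: int) -> bool:
    """Evaluate 'tcp[13] & mask != 0' with BPF precedence: & binds tighter than !=,
    so the expression is (tcp[13] & mask) != 0, i.e. 'any masked flag is set'."""
    return (tcp13(header) & mask) != 0

def bpf_flags_equal(header: bytes, mask: int, value: int) -> bool:
    """Evaluate 'tcp[13] & mask == value', e.g. mask=0x12, value=0x02 for
    'SYN set and ACK clear' (the usual way to catch connection attempts only)."""
    return (tcp13(header) & mask) == value

def flag_names(header: bytes) -> list:
    """Human-readable list of the flags set in the sample header."""
    return [name for name, bit in TCP_FLAGS.items() if tcp13(header) & bit]

# Constructed sample packets covering the interesting cases.
SAMPLES = {
    "syn":     build_tcp_header(40000, 80, TCP_FLAGS["SYN"]),
    "syn_ack": build_tcp_header(80, 40000, TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"]),
    "ack":     build_tcp_header(40000, 80, TCP_FLAGS["ACK"]),
    "fin_ack": build_tcp_header(40000, 80, TCP_FLAGS["FIN"] | TCP_FLAGS["ACK"]),
    "rst":     build_tcp_header(80, 40000, TCP_FLAGS["RST"]),
}

def evaluate_samples() -> dict:
    """Per sample: the flags set, whether the list's filter (& 3 != 0) matches,
    and whether the stricter 'SYN without ACK' filter (& 0x12 == 2) matches."""
    return {
        name: {
            "flags": flag_names(hdr),
            "fin_or_syn": bpf_flags_nonzero(hdr, 0x03),
            "syn_no_ack": bpf_flags_equal(hdr, 0x12, 0x02),
        }
        for name, hdr in SAMPLES.items()
    }

if __name__ == "__main__":
    for name, result in evaluate_samples().items():
        print(f"{name:8s} tcp[13]=0x{tcp13(SAMPLES[name]):02x} {result}")
```

Note that `& 3 != 0` matches SYN/ACK and FIN/ACK segments as well as bare SYNs, because it only asks whether bit 0 or bit 1 is set; to see only the opening packet of a handshake you mask both SYN and ACK and compare for equality, as `bpf_flags_equal` does. Current libpcap also accepts the symbolic form `tcp[tcpflags] & (tcp-syn|tcp-fin) != 0`, which is the same expression with the magic numbers spelled out.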