tcpdump patterns


I use tcpdump a lot, but mostly at a reasonably high level, only really restricting the capture to host and port info, then pulling the dump back into Wireshark for nicer visualisation and easier filtering.

A couple of months back I read Moonwalking With Einsten, which is a nice pop-science history of the importance of memory in previous societies, alongside the contemporary phenomena of competitive memory competitions. The book is great, and explains how feats of memory are achieved via the technique of memory palaces, a technique dating back to Roman times - spatial memory relationships. I've been using the technique a lot since I read this book, and truly, no magic to it, it really works. Basically, when you have a list of items to remember, you weave each item, in order, into a spatially focussed narrative.

So, last night, I get out my copy of TCP/IP Illustrated, Volume 1*, one of my most-returned-to tech books - I've always wanted to have a more encyclopedic knowledge of the lower level details of TCP/IP, and last night applied the Memory Palace Technique to the structure of a TCP packet.
(( read the wikipedia article for more details))

In my memory palace I was walking down the path towards the house where I grew up, and seeing a ‘SoRCerer/Src Port‘ battling with ‘Dick DaSTardly and Mutley/Dst Port‘, then walk into my mothers front hallway with a Sequence Number along the front hall, then my Grandfather sitting in a chair in the living room saying “ACK!” because the soccer is on the television and he's complaining about the Header Length … you get the idea - but yeah, you need to make your own memory palace.

Now that I have a complete image of this TCP packet in my head suddenly expressions like :

tcpdump -ni en1 tcp[13] == 18 and host and port 80

are way easier to understand and use - the tcp[13] part refers to the 13th Octet of the packet, which is the Flags octet, then the 18 part is a simple decimal representation of the binary flags, in the order they are in the diagram above - i.e the Flags are


so in my example 18 refers to having both the ACK and SYN flags set - 00010010 which if you're used to dealing with netmasks math is quite an easy translation. My example, then, will only capture the first response packet from the server, as it would be the only part of the conversation to have both an ACK and SYN flag set. (I used a separate memory palace for the flags themselves)

To capture all SYN packets, including the ACK/SYN ones, you would use:

tcpdump -ni en1 'tcp[13] == 18 or tcp[13] == 2' and host and port 80.

Memory Palaces are pretty damn useful!

** Most Engineers are aware of TCP/IP Illustrated, however a lot of people I've spoken to aren't aware there was a 2nd Edition published in November of 2011, updated by a guy named Kevin R. Fall - I would absolutely recommend it, an amazing book and especially with the updates, just seems an essential addition to any Engineer's library..