For instance, a WireShark capture filter example I found - tcp[13] & 8 == 8 represents packets with PSH flags.
How do I count the 8 ?
Based on the wikipedia image,
PSH is in the middle of the TCP flags segment. Counting 1 from the NS flag, PSH bit representation should be 6 ?
Any guidance is appreciated.
Time to read up on binary arithmetic! To grab the Nth rightmost bit from a byte, you do byte & (1 << N), so the rightmost bit is byte & (n << 0) and the 4th from the right is byte & (n << 3), which is the same as byte << 8.
You're also starting to count from the wrong place. NS may be the first flag, but it's also the end bit of byte 12. Byte 13 (as in tcp[13]) starts at bit 8 of line four (labelled "octet 12"), and runs to bit 15 on the same line.
You should look at tcpdump man page, "Capturing TCP packets with particular flag combinations" section - it's a lots of details here.
