tcpdump -n 'tcp[13] & 16 !=0' | wc -l v.s. tcpdump -n 'tcp[tcpflags] = tcp-ack' | wc -l ==> different results?

Question

I'm trying to understand the following;

When trying tcpdump -n 'tcp[13] & 16 !=0' | wc -l on a file, I get a different result (27833) than when I try tcpdump -n 'tcp[tcpflags] == tcp-ack' | wc -l (16433) on that same file.

I was hoping someone could explain me the difference.

score 0 · Answer 1 · answered Aug 03 '20 at 14:37

0

Ok, nevermind, I figured it out.

It seems that using 'tcp[13] & 16 !=0' will also display every packet that has that specific flag set, yet non-exclusively.

Using tcp[tcpflags] == tcp-ack would only show packets that have that flag set exclusively.

answered Aug 03 '20 at 14:37

Bart_S

17
1
3

tcpdump -n 'tcp[13] & 16 !=0' | wc -l v.s. tcpdump -n 'tcp[tcpflags] = tcp-ack' | wc -l ==> different results?

1 Answers1