TCP traffic SYN/ACK packets that contain window scaling options

Window
scaling
options
retag add tags

Hello, in your opinion how can I filter TCP traffic SYN/ACK packets that does contain window scaling options?

Can I use !(window_size_scalefactor == -2)?

(tcp.flags.syn==1 && tcp.flags.ack==1) && !(tcp.window_size_scalefactor == -2)

Window size scaling factor: -1 (unknown, start of session not captured) Window size scaling factor: -2 (no window scaling used)

tlm

asked 2022-03-18 23:40:44 +0000

edit flag offensive 0 remove flag close merge delete

Comments

Is Window Scale Kind 3? Can I filter TCP traffic SYN/ACK packets that does contain window scaling options this way?

tcp.option_kind == 3 && tcp.flags.syn==1 && tcp.flags.ack==1

tlm (2022-03-18 23:52:59 +0000) edit

dfilter: Add bitwise masking of bits
When complete, you could streamline the flag check into tcp.flags & 0x012 == 0x012.
I'm not sure that's easier to read but more compact.

Chuckc (2022-03-22 00:44:00 +0000) edit

@Chuckc tcp.flags&18==18 is even more compact! ;-) I'm looking forward to this filter functionality in the next (major) release!

SYN-bit (2022-03-24 07:18:40 +0000) edit

add a comment see more comments

Comments

Chuckc, I wanted know if the options exists. Thank you for confirming that.

tlm (2022-03-19 02:00:21 +0000) edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

TCP traffic SYN/ACK packets that contain window scaling options edit

Comments

1 Answer

Comments