Linux – TCP dump: Match exact packet length

I need to grab packets with a length equal to 16 bytes

What I get is closer to this:

tcpdump -ni lo -ttt dst port 1337 and greater 16

If I add other filters to match my wishes:

tcpdump -ni lo -ttt dst port 1337 and greater 16 and not greater 17
tcpdump -ni lo -ttt dst port 1337 and \(greater 16 and not greater 17\)
tcpdump -ni lo -ttt dst port 1337 and greater 16 and less 16

It just doesn’t show any packets at all.

Although, using:

tcpdump -ni lo -ttt dst port 1337 and less 16

doesn’t seem to work either. I’m actually wondering if the less filter works.

Any help is welcome 🙂

Solution

As Barry Margolin points out, the greater operator checks the entire length of the packet, including all headers. A 16-byte TCP payload plus a 20-byte TCP header (the minimum TCP header length, with no options) plus a 20-byte IPv4 header (the minimum IPv4 header length, with no options) plus a 14-byte Ethernet header, for example, adds up to 70 bytes.

I guess from “lo” that you are capturing on Linux, on the loopback interface, in which case the packet has a (fake) Ethernet header.

68 bytes is the default snapshot length in older versions of tcpdump if built without IPv6 support, so the length that may be reported as 68 is the capture length, and the last 2 bytes have been truncated. Try running tcpdump with the flag -s 0 (unless it’s a really old version of tcpdump, a snapshot length of 0 means “set the snapshot length very high so that packets don’t get cut off”).
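To make the arithmetic in the answer concrete, here is an added example (not part of the question or the answer above) that builds a constructed loopback-style Ethernet/IPv4/TCP frame with a 16-byte payload, checks it against the greater/less semantics from the pcap-filter man page (greater N is len >= N, less N is len <= N), and goes one step beyond the answer by computing the TCP payload length from the headers the way a header-arithmetic tcpdump expression would. Addresses, ports and checksums in the frame are placeholders; only the lengths matter.

```python
import struct

ETH_HDR, IPV4_MIN_HDR, TCP_MIN_HDR = 14, 20, 20  # header sizes with no options

def build_frame(payload: bytes, dport: int = 1337) -> bytes:
    """Constructed sample: Ethernet + minimal IPv4 + minimal TCP + payload.
    Addresses/ports are placeholders and checksums are zero; only lengths matter."""
    eth = bytes(12) + struct.pack("!H", 0x0800)                # dst MAC, src MAC, EtherType IPv4
    ip_total = IPV4_MIN_HDR + TCP_MIN_HDR + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0x4000, 64, 6, 0,
                     bytes([127, 0, 0, 1]), bytes([127, 0, 0, 1]))  # IHL=5 -> 20 bytes
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)  # data offset 5
    return eth + ip + tcp + payload

def frame_len(payload_len: int, ip_opts: int = 0, tcp_opts: int = 0) -> int:
    """Total frame length that tcpdump's len / greater / less operate on."""
    return ETH_HDR + IPV4_MIN_HDR + ip_opts + TCP_MIN_HDR + tcp_opts + payload_len

# pcap-filter semantics: "greater N" means len >= N, "less N" means len <= N.
def greater(n): return lambda f: len(f) >= n
def less(n): return lambda f: len(f) <= n
def matches(frame: bytes, *preds) -> bool: return all(p(frame) for p in preds)

def tcp_payload_len(frame: bytes) -> int:
    """Payload length derived from the headers, mirroring the filter
    ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2) (IP total length minus IHL*4 minus data offset*4)."""
    ip = frame[ETH_HDR:]
    ip_total = struct.unpack("!H", ip[2:4])[0]
    ihl = (ip[0] & 0x0F) << 2
    tcp = ip[ihl:]
    data_off = (tcp[12] & 0xF0) >> 2
    return ip_total - ihl - data_off

def exact_payload_filter(n: int, dport: int = 1337) -> str:
    """tcpdump expression matching TCP segments with exactly n payload bytes, options or not."""
    return (f"tcp dst port {dport} and "
            f"(ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2)) == {n}")

if __name__ == "__main__":
    frame = build_frame(b"A" * 16)
    print(len(frame), matches(frame, greater(16), less(16)), matches(frame, greater(70), less(70)))
    print(tcp_payload_len(frame), exact_payload_filter(16))
```

The first print shows 70 and that `greater 16 and less 16` cannot match the frame while `greater 70 and less 70` (or simply `len == 70`) does; the second shows the header-derived payload length of 16 and the filter that matches it regardless of header options.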