6

I have the following tcpdump -i eth0 -n tcp port 5000 to filter every packet flowing between 2 hosts. However, one of the hosts always sends an ACK.

How do I hide this ACK?

1
  • 3
    Do you mean a TCP packet with the "ACK" TCP flag set or an ACK in another protocol on top of TCP? Note that many TCP packets usually have the ACK flag set. Do you mean packets with only that flag and no data? Commented May 20, 2014 at 19:55

3 Answers

6

tcpdump -i eth0 -n 'tcp port 5000 and (tcp[tcpflags] & tcp-ack == 0)' should do what you want. It does a bitwise AND between the TCP flags and the ACK-only bitmask, so if there's no ACK, the result should equal zero.

1
  • ACK is just a flag in a packet, one of many. By blindly skipping packets with the ACK bit set, you can lose data because a packet can carry data and have the ACK bit set. Commented Apr 25, 2016 at 8:46
2

You can hide it by piping the command to grep:

tcpdump -i eth0 -n tcp port 5000 | grep -e ACK -v

The -e option selects a pattern (ACK in your case); -v inverts the grep function (grep all except the defined pattern).
2
  • 1
    I don't want to grep them. I want to filter them. Commented May 20, 2014 at 20:00
  • It won't work because packets often take more than one line, i.e. when one uses a tcpdump option to print the content. Commented May 28, 2015 at 14:57
2

I copied this straight from man tcpdump filters example:

To print all IPv4 HTTP packets to and from port 80, i.e. print only packets that contain data, not, for example, SYN and FIN packets and ACK-only packets. (IPv6 is left as an exercise for the reader.)

tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
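To make the difference between the two filters concrete (the flag test in the first answer and the payload-length test in the man-page filter above), here is an added Python example that is not part of any answer on this page. It builds four minimal IPv4/TCP packets in memory (constructed sample data, no live capture), then evaluates both BPF expressions byte-for-byte the way tcpdump does: tcp[tcpflags] is TCP header byte 13, tcp[12]&0xf0 is the data offset, ip[2:2] is the IPv4 total length and ip[0]&0xf the IHL. The port number 5000 and the helper names are assumptions for the demonstration.

```python
import struct

# TCP flag bits as found in tcp[tcpflags] (TCP header byte 13); tcpdump's
# symbolic names tcp-fin, tcp-syn, ... map to these values.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_packet(flags, payload=b"", sport=40000, dport=5000):
    """Construct a minimal IPv4 + TCP packet (no options, zero checksums) for testing.
    Constructed sample data only; checksums are irrelevant to the BPF tests below."""
    tcp_hdr_len = 20
    total_len = 20 + tcp_hdr_len + len(payload)
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,               # version 4, IHL 5 (20-byte header)
        0, total_len, 0, 0, 64, 6, 0,
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
    )
    tcp = struct.pack(
        "!HHIIBBHHH",
        sport, dport, 1, 1,
        (tcp_hdr_len // 4) << 4,   # data offset in the upper nibble of byte 12
        flags, 65535, 0, 0,
    )
    return ip + tcp + payload


# Accessors mirroring the BPF index expressions used in the filters.
def ip_hdr_len(pkt):          # (ip[0] & 0xf) << 2
    return (pkt[0] & 0x0F) << 2

def ip_total_len(pkt):        # ip[2:2]
    return struct.unpack("!H", pkt[2:4])[0]

def tcp_byte(pkt, i):         # tcp[i], relative to the start of the TCP header
    return pkt[ip_hdr_len(pkt) + i]


def no_ack_filter(pkt):
    """Answer 1: tcp[tcpflags] & tcp-ack == 0 -- keeps only packets without the ACK bit."""
    return tcp_byte(pkt, 13) & TCP_ACK == 0


def has_payload_filter(pkt):
    """man page filter: ((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0
    i.e. IP total length minus IP header minus TCP header leaves some payload."""
    payload_len = (ip_total_len(pkt) - ip_hdr_len(pkt)) - ((tcp_byte(pkt, 12) & 0xF0) >> 2)
    return payload_len != 0


def port_matches(pkt, port):
    """tcp port N: either source or destination port equals N."""
    off = ip_hdr_len(pkt)
    sport, dport = struct.unpack("!HH", pkt[off:off + 4])
    return port in (sport, dport)


# Constructed sample traffic: handshake, keep-alive style pure ACK, data segment, teardown.
SAMPLES = {
    "syn": build_packet(TCP_SYN),
    "pure_ack": build_packet(TCP_ACK),
    "ack_with_data": build_packet(TCP_ACK | TCP_PSH, b"GET / HTTP/1.0\r\n\r\n"),
    "fin_ack": build_packet(TCP_FIN | TCP_ACK),
}


def apply(filter_fn, port=5000):
    """Return the names of the sample packets that 'tcp port <port> and <filter>' would print."""
    return [name for name, pkt in SAMPLES.items() if port_matches(pkt, port) and filter_fn(pkt)]


if __name__ == "__main__":
    print("no ACK bit   :", apply(no_ack_filter))        # only the SYN survives
    print("has payload  :", apply(has_payload_filter))   # only the data segment survives
```

Running it shows the point raised in the comment on the first answer: the flag-based filter drops the data-carrying ACK+PSH segment along with the empty ACKs (only the SYN is printed), whereas the payload-length filter keeps exactly the segment with data and discards SYN, FIN and pure ACKs. Note that both filters assume an IPv4 header; for IPv6 the fixed 40-byte header and next-header chain make the ip[0]/ip[2:2] arithmetic inapplicable, which is why the man page leaves it as an exercise.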
