tcpdump抓取无效TCP标志数据包表达式

没啥可说的, 直接代码.. :)

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <stdint.h>

// TCP 标志
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define TH_ECE  0x40
#define TH_CWR  0x80

// TCP 合法标志组合, 标志PUSH, ECE, CWR为一直有效合法标志

static u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG) + 1] = {
    [TH_SYN]            = 1,
    [TH_SYN|TH_URG]         = 1,
    [TH_SYN|TH_ACK]         = 1,
    [TH_RST]            = 1,
    [TH_RST|TH_ACK]         = 1,
    [TH_FIN|TH_ACK]         = 1,
    [TH_FIN|TH_ACK|TH_URG]      = 1,
    [TH_ACK]            = 1,
    [TH_ACK|TH_URG]         = 1,
};

int main(int argc, char **argv)
{
    uint8_t flags_max = 0xff;
    uint8_t i;
    uint8_t flags = 0;
    uint8_t mask =  (uint8_t)~(TH_ECE | TH_CWR | TH_PUSH);
    for( i = 0; i < flags_max; i++ ){
        flags = i & mask;
        if ( tcp_valid_flags[flags] == 0 ) {
            // 标记已非法标志
            tcp_valid_flags[flags] = 0x2;
            printf("'tcp[13] & 0x%x = 0x%x' or ", mask, flags );
        }
    }
    printf("\n");
    return 0;
}

# gcc tcp_flags.c -o tcp_flags

# ./tcp_flags

输出

'tcp[13] & 0x37 = 0x0' or 'tcp[13] & 0x37 = 0x1' or 'tcp[13] & 0x37 = 0x3' or 'tcp[13] & 0x37 = 0x5' or 'tcp[13] & 0x37 = 0x6' or 'tcp[13] & 0x37 = 0x7' or 'tcp[13] & 0x37 = 0x13' or 'tcp[13] & 0x37 = 0x15' or 'tcp[13] & 0x37 = 0x16' or 'tcp[13] & 0x37 = 0x17' or 'tcp[13] & 0x37 = 0x15' or 'tcp[13] & 0x37 = 0x16' or 'tcp[13] & 0x37 = 0x17' or 'tcp[13] & 0x37 = 0x20' or 'tcp[13] & 0x37 = 0x21' or 'tcp[13] & 0x37 = 0x23' or 'tcp[13] & 0x37 = 0x24' or 'tcp[13] & 0x37 = 0x25' or 'tcp[13] & 0x37 = 0x26' or 'tcp[13] & 0x37 = 0x27' or 'tcp[13] & 0x37 = 0x20' or 'tcp[13] & 0x37 = 0x21' or 'tcp[13] & 0x37 = 0x23' or 'tcp[13] & 0x37 = 0x24' or 'tcp[13] & 0x37 = 0x25' or 'tcp[13] & 0x37 = 0x26' or 'tcp[13] & 0x37 = 0x27' or 'tcp[13] & 0x37 = 0x32' or 'tcp[13] & 0x37 = 0x33' or 'tcp[13] & 0x37 = 0x34' or 'tcp[13] & 0x37 = 0x35' or 'tcp[13] & 0x37 = 0x36' or 'tcp[13] & 0x37 = 0x37' or

去掉最后一个or 即是非法TCP标志组合 :)