Reading the manpage of tcpdump I found this example

tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'

but I don't understand it, especially the last part.

The tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 part filters all the packets having either the SYN or the FIN bit set.

What does not src and dst net localnet filter?

The explanation in the same manpage says

To print the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host.

but in my opinion src is not an expression by itself.

1 Answer

You can parse the second part of that filter thusly

not ( (src and dst) net localnet )

It's shorthand for

not src net localnet and not dst net localnet
  • Thank you. I thought that in order to use a logical operator (such as and) I MUST HAVE a complete true or false expression on each side. If I write not(src net localnet and dst net localnet), does it have the same meaning? Commented Nov 8, 2012 at 8:47
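
An added example, not part of the question, the answer or the tcpdump manpage: a Python model of the filter that evaluates it over constructed packets. In pcap-filter syntax "src and dst" is a single direction qualifier and "not" binds to that one primitive, so manpage_filter below is also the commenter's not(src net localnet and dst net localnet); the other two functions spell out the "or" and "and" expansions for comparison. The 192.168.1.0/24 value for localnet, the function names and the sample addresses are assumptions.

```python
from ipaddress import ip_address, ip_network

# Flag bits behind tcpdump's tcp-fin / tcp-syn / tcp-ack names.
TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10
# Assumption: this /24 stands in for the manpage's "localnet" placeholder.
LOCALNET = ip_network("192.168.1.0/24")

def is_local(addr):
    return ip_address(addr) in LOCALNET

def syn_or_fin(flags):
    # tcp[tcpflags] & (tcp-syn|tcp-fin) != 0
    return flags & (TCP_SYN | TCP_FIN) != 0

def manpage_filter(src, dst, flags):
    # "src and dst" is a single direction qualifier (both addresses must be
    # in the net); "not" negates that one primitive.
    return syn_or_fin(flags) and not (is_local(src) and is_local(dst))

def either_end_remote(src, dst, flags):
    # not src net localnet or not dst net localnet
    return syn_or_fin(flags) and (not is_local(src) or not is_local(dst))

def both_ends_remote(src, dst, flags):
    # not src net localnet and not dst net localnet
    return syn_or_fin(flags) and not is_local(src) and not is_local(dst)

# Constructed sample packets: (label, source, destination, TCP flags).
PACKETS = [
    ("local -> local SYN", "192.168.1.10", "192.168.1.20", TCP_SYN),
    ("local -> remote SYN", "192.168.1.10", "203.0.113.5", TCP_SYN),
    ("remote -> local SYN+ACK", "203.0.113.5", "192.168.1.10", TCP_SYN | TCP_ACK),
    ("remote -> remote FIN+ACK", "198.51.100.7", "203.0.113.5", TCP_FIN | TCP_ACK),
    ("local -> remote ACK only", "192.168.1.10", "203.0.113.5", TCP_ACK),
]

def truth_table():
    """Return {label: (manpage, either_end_remote, both_ends_remote)}."""
    return {
        label: (manpage_filter(s, d, f), either_end_remote(s, d, f), both_ends_remote(s, d, f))
        for label, s, d, f in PACKETS
    }

if __name__ == "__main__":
    for label, row in truth_table().items():
        print(f"{label:26} {row}")
```

Each row of the printed table is (manpage filter, "or" expansion, "and" expansion) for one packet.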
