Reputation: 23
I spent a couple of hours looking for a tcpdump filter to get all packets with a TCP option kind equal to x (specifically 8). Wireshark's filter is simply tcp.option_kind == 8.
After reading https://www.wains.be/pub/networking/tcpdump_advanced_filters.txt I tried using 'tcp[22] = 8' with no luck.
Your assistance will be appreciated :) Thanks
Upvotes: 2
Views: 1970
Reputation: 6274
I only have a partial answer for you. If the option you're looking for happens to always be the 1st TCP option, then you can use the following filter:
"(((tcp[12] & 0xf0) >> 2) > 20) && tcp[20] = 8"
What does this filter do? This filter isolates the data offset field (i.e., the TCP header length) to first ensure that the TCP header contains any options at all. Since the data offset field comprises only the first 4 bits of the byte at offset 12 of the TCP header, we have to isolate those bits by applying a mask of 0xf0. Next, the value is shifted 4 bits to the right to convert this to a number we can use and then multiplied by 4 (or shifted back to the left 2 bits), since the data offset represents the number of 32-bit words of the header. The equivalent of shifting right by 4 and then left by 2 is simply to shift right by 2. If the data offset value is greater than 20 bytes, then we know that some TCP options are present and we can compare the byte at offset 20, which is the location of the first option's "kind" field, to the TCP option kind of interest, in this case 8, which is the timestamps option.
Again, the above filter will only work if the TCP option of interest is always the 1st option. If the option occurs after other options, it will fail to capture those packets. Expanding this filter to capture the TCP option of interest regardless of its location may be possible, but I don't think it will be easy to do.
Upvotes: 1
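To make the byte arithmetic in the answer concrete, here is an added example (not code from the question or the answer above) that applies the same test to raw TCP header bytes in Python, and then goes one step further than a tcpdump expression can: because a classic BPF filter has no loops, it can only probe fixed offsets such as tcp[20], whereas the Python walk below follows the option list (honouring the single-byte EOL and NOP kinds) and finds kind 8 wherever it sits. The sample headers are constructed inline; the port numbers, sequence numbers and timestamp values are arbitrary assumptions.

```python
import struct

TCP_OPT_EOL = 0        # end of option list, single byte
TCP_OPT_NOP = 1        # padding, single byte
TCP_OPT_TIMESTAMP = 8  # the kind the question asks about


def tcp_data_offset(tcp_hdr: bytes) -> int:
    """TCP header length in bytes: high nibble of byte 12 times 4.
    Identical to the tcpdump expression ((tcp[12] & 0xf0) >> 2)."""
    return (tcp_hdr[12] & 0xF0) >> 2


def first_option_is(tcp_hdr: bytes, kind: int) -> bool:
    """Exactly what the answer's filter checks:
    (((tcp[12] & 0xf0) >> 2) > 20) && tcp[20] = kind"""
    return tcp_data_offset(tcp_hdr) > 20 and tcp_hdr[20] == kind


def iter_tcp_options(tcp_hdr: bytes):
    """Yield (kind, data) for every option in the header's option area.
    EOL stops the walk, NOP carries no length byte, everything else is TLV."""
    opts = tcp_hdr[20:tcp_data_offset(tcp_hdr)]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCP_OPT_EOL:
            return
        if kind == TCP_OPT_NOP:
            yield kind, b""
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option at offset %d" % (20 + i))
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad TCP option length %d" % length)
        yield kind, opts[i + 2:i + length]
        i += length


def has_option(tcp_hdr: bytes, kind: int) -> bool:
    """True if an option of the given kind appears anywhere in the list."""
    return any(k == kind for k, _ in iter_tcp_options(tcp_hdr))


def make_tcp_header(options: bytes) -> bytes:
    """Build a minimal TCP header (constructed test data, not a real capture).
    Options are padded to a 32-bit boundary with EOL bytes, as on the wire."""
    options += b"\x00" * (-len(options) % 4)
    hlen = 20 + len(options)
    # src port, dst port, seq, ack, data offset (high nibble), flags=ACK,
    # window, checksum (left 0), urgent pointer
    fixed = struct.pack("!HHIIBBHHH", 443, 51234, 1, 1,
                        (hlen // 4) << 4, 0x10, 65535, 0, 0)
    return fixed + options


# Constructed option encodings (values are arbitrary)
TS = b"\x08\x0a" + struct.pack("!II", 123456, 654321)  # kind 8, length 10
MSS = b"\x02\x04\x05\xb4"                              # kind 2, MSS 1460
SACK_OK = b"\x04\x02"                                  # kind 4
WSCALE = b"\x03\x03\x07"                               # kind 3, shift 7
NOP = b"\x01"

HDR_NO_OPTS = make_tcp_header(b"")               # plain 20-byte header
HDR_TS_FIRST = make_tcp_header(TS + NOP + NOP)   # timestamps is the 1st option
HDR_NOP_NOP_TS = make_tcp_header(NOP + NOP + TS) # typical Linux data segment
HDR_SYN = make_tcp_header(MSS + SACK_OK + TS + NOP + WSCALE)  # typical SYN

if __name__ == "__main__":
    for name, hdr in [("no options", HDR_NO_OPTS), ("TS first", HDR_TS_FIRST),
                      ("NOP NOP TS", HDR_NOP_NOP_TS), ("SYN", HDR_SYN)]:
        print("%-11s hlen=%2d  filter-matches=%-5s  has-kind-8=%s" % (
            name, tcp_data_offset(hdr),
            first_option_is(hdr, TCP_OPT_TIMESTAMP),
            has_option(hdr, TCP_OPT_TIMESTAMP)))
```

The "NOP NOP TS" header is the instructive case: the answer's filter rejects it because tcp[20] is 1, not 8, while the option walk finds the timestamp at offset 22 (which is why the questioner's tcp[22] = 8 happens to work for that layout and for nothing else). The SYN header shows the other direction: the timestamp is the third option and neither fixed-offset probe would see it.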