Do not display ACK packets

Question

I have the following tcpdump -i eth0 -n tcp port 5000 to filter every packet flowing between 2 hosts. However, one of the hosts always sends an ACK.

How do I hide this ACK?

Do you mean a TCP packet with the "ACK" TCP flag set or an ACK in another protocol on top of TCP? Note that many TCP packets usually have the ACK flag set. Do you mean packets with only that flag and no data? — Stéphane Chazelas, May 20 '14 at 19:55

score 6 · Answer 1 · answered May 20 '14 at 20:22

6

tcpdump -i eth0 -n 'tcp port 5000 and (tcp[tcpflags] & tcp-ack == 0)' should do what you want. It does bitwise and between TCP flags and ACK-only bitmask, so if there's no ACK, the result should equal to zero.

answered May 20 '14 at 20:22

TNW

2,110

ACK is just a flag in a packet, one of many. By blindly skipping packets with the ACK bit set, you can lose data because a packet can carry data and have the ACK bit set. – rustyx Apr 25 '16 at 08:46

Nidal · Answer 2 · 2014-05-20T19:49:54.513

2

you can hide it by piping the command to grep:

tcpdump -i eth0 -n tcp port 5000 | grep -e ACK -v

-e option is to select a pattern (ACK in your case)
-v (to invert the grep function : grep all except the defined pattern)

edited May 20 '14 at 19:49

answered May 20 '14 at 19:41

Nidal

8,956

1

I don't want to grep them. I want to filter them. – bulkmoustache May 20 '14 at 20:00
It won't work because packets often takes more than one line — i.e. when one using an option of tcpdump to print the content. – Hi-Angel May 28 '15 at 14:57

score 1 · Answer 3 · answered Sep 25 '20 at 23:59

I copied this straight from man tcpdump filters example:

To print all IPv4 HTTP packets to and from port 80, i.e. print only packets that contain data, not, for example, SYN and FIN packets and ACK-only packets. (IPv6 is left as an exercise for the reader.)

tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

Do not display ACK packets

3 Answers3