TCP

The following parameters can be used to check TCP header properties. Each entry gives the parameter name followed by its description and the comparison operators it supports:

.tcp.sport

Checks the source port number, or a range of source ports.

The following operators are supported: =, !=.

.tcp.dport

Checks the destination port number, or a range of destination ports.

The following operators are supported: =, !=.

.tcp.window_size

Checks the TCP window size (the receive window advertised in the header).

The following operators are supported: <, >, <=, >=, =, !=.

.tcp.checksum

Compares the value of the TCP checksum field. The checksum is used to detect corruption of a segment in transit; this parameter compares the numeric value carried in the header against the given value.

The following operators are supported: <, >, <=, >=, =, !=.

.tcp.seq

Checks the TCP sequence number.

The following operators are supported: <, >, <=, >=, =, !=.

The relative modifier checks the sequence number as an offset from the initial sequence number of the connection rather than as an absolute value.

Usage:

.tcp.seq=<value>,relative;

where <value> is the sequence number (with relative, the offset from the initial sequence number).

.tcp.flags

Checks the TCP flags:

.tcp.flags=[<mod>]<tcp_flags>;

where <mod> --- an optional modifier (see below)

<tcp_flags> --- one or more TCP flags, specified either by letter or as a numeric value (decimal or hexadecimal). Several flags are given as a combined value: letters written together (for example SA), or the sum of the numeric values (for example 18 or 0x012 for SYN and ACK).

Flags:

  • 0: no flags set

  • F, 1, 0x001: FIN

  • S, 2, 0x002: SYN

  • R, 4, 0x004: RST

  • P, 8, 0x008: PSH

  • A, 16, 0x010: ACK

  • U, 32, 0x020: URG

  • E, 64, 0x040: ECE

  • C, 128, 0x080: CWR

  • N, 256, 0x100: NS

Modifiers:

  • * --- at least one of the specified flags must be set; the remaining flags are not checked

  • + --- all of the specified flags must be set; the remaining flags are not checked

  • ! --- all of the specified flags must be clear; the remaining flags are not checked

  • !0 --- at least one flag (any flag) must be set

Important! If no modifier is given, the match is strict: all specified flags must be set and all other flags must be clear. In the syntax above, .tcp.flags=S; therefore matches only a bare SYN, whereas .tcp.flags=+S; also matches a SYN+ACK. Note that the strict form .tcp.flags=0; matches a segment with no flags set, while .tcp.flags=!0; is the opposite check (any flag set).
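To make the modifier semantics concrete, the following Python evaluator (added for this page; it is not the product's own code) parses a [<mod>]<tcp_flags> specification exactly as listed above, in letter, decimal or hexadecimal form, and matches it against a packet's 9-bit flags field. The rule names, the rule set and the packet flag values in it are constructed for illustration and are assumptions, not part of the original documentation; the rule specifications themselves follow the syntax above.

```python
"""Reference evaluator for the .tcp.flags matching semantics documented above."""
from __future__ import annotations

# Letter -> bit value, as listed in the "Flags" table above.
FLAG_BITS = {
    "F": 0x001, "S": 0x002, "R": 0x004, "P": 0x008,
    "A": 0x010, "U": 0x020, "E": 0x040, "C": 0x080, "N": 0x100,
}
ALL_FLAGS = 0x1FF  # the 9 defined flag bits (NS through FIN)


def parse_flag_spec(spec: str) -> tuple[str, int]:
    """Split '[<mod>]<tcp_flags>' into (modifier, bitmask).

    <tcp_flags> may be letters written together ('SA'), decimal ('18') or
    hexadecimal ('0x012'). The modifier is '', '*', '+' or '!'; the
    combination '!' with mask 0 is the documented '!0' form.
    """
    spec = spec.strip()
    mod = ""
    if spec and spec[0] in "*+!":
        mod, spec = spec[0], spec[1:]
    if not spec:
        raise ValueError("missing flag list")
    if spec.lower().startswith("0x"):
        mask = int(spec, 16)
    elif spec.isdigit():
        mask = int(spec, 10)
    else:
        mask = 0
        for ch in spec.upper():
            if ch not in FLAG_BITS:
                raise ValueError(f"unknown TCP flag {ch!r}")
            mask |= FLAG_BITS[ch]
    if mask & ~ALL_FLAGS:
        raise ValueError("value exceeds the 9-bit TCP flags field")
    return mod, mask


def flags_match(spec: str, packet_flags: int) -> bool:
    """Apply the modifier rules from the table above to one packet."""
    mod, mask = parse_flag_spec(spec)
    packet_flags &= ALL_FLAGS
    if mod == "*":
        return (packet_flags & mask) != 0      # at least one listed flag set
    if mod == "+":
        return (packet_flags & mask) == mask   # all listed flags set, rest ignored
    if mod == "!":
        if mask == 0:                          # '!0': at least one (any) flag set
            return packet_flags != 0
        return (packet_flags & mask) == 0      # all listed flags clear, rest ignored
    return packet_flags == mask                # no modifier: strict match


# Constructed rule set (names are hypothetical; the specs use the syntax above).
RULES = {
    "null_scan": "0",          # no flags at all (strict)
    "xmas_scan": "FPU",        # exactly FIN+PSH+URG (strict)
    "syn_only": "S",           # bare SYN, so SYN+ACK does not match
    "handshake_reply": "+SA",  # SYN and ACK set, other flags ignored
    "teardown": "*RF",         # RST or FIN (or both)
    "no_ack": "!A",            # ACK clear, everything else ignored
    "any_flag": "!0",          # at least one flag set
}


def evaluate_rules(packet_flags: int, rules: dict[str, str] = RULES) -> list[str]:
    """Return the names of all rules whose flag spec matches this packet."""
    return [name for name, spec in rules.items() if flags_match(spec, packet_flags)]


if __name__ == "__main__":
    # Constructed sample segments: the 9-bit flags field of each packet.
    samples = {"null": 0x000, "syn": 0x002, "syn_ack": 0x012,
               "xmas": 0x029, "rst": 0x004, "psh_ack": 0x018}
    for label, flags in samples.items():
        print(f"{label:8s} 0x{flags:03x} -> {evaluate_rules(flags)}")
```

The strict (no-modifier) form is the one most often misread: "S" is a single-flag match, not "SYN is present", so a SYN+ACK reply falls through to the "+SA" rule instead. The "!A" rule, in turn, matches every segment of the examples except the ones carrying ACK, which is why the null and Xmas probes both trigger it.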

.tcp.data_size

Size of the TCP payload in bytes (the segment data, excluding all headers).

The following operators are supported: <, >, <=, >=, =, !=.

The parameter can also be written as .data_size, in which case it applies to both TCP and UDP payloads.