Mar 01, 2020 · Tcpdump prints the headers of packets on a network interface that match the Boolean filter expression given on the command line. It can also be run with the -w flag, which causes it to save the raw packet data to a file for later analysis, and/or with the -r flag, which causes it to read packets from a saved capture file rather than from a network interface.

The PSH flag tells the receiving TCP to hand the data it has buffered to the application immediately rather than waiting for more segments to arrive; a sender typically sets it on the last segment of an application write, so PSH marks the end of a burst rather than the end of the connection. The ACK flag indicates that the acknowledgment number field is valid: it holds the next sequence number the sender of the segment expects to receive, which acknowledges everything before it.

Filters of the form tcp[13] & N != 0 find these packets because tcp[13] is the byte at offset 13 in the TCP header, which is the flags byte; N selects one bit within that byte (FIN = 1, SYN = 2, RST = 4, PSH = 8, ACK = 16, URG = 32, ECE = 64, CWR = 128), and != 0 means the flag in question is set to 1, i.e. it is on. Note that offset 13 is counted from the start of the TCP header, not from the start of the packet, so tcpdump handles IP headers with options correctly. A filter such as tcp[13] & 8 != 0 matches any segment with PSH set regardless of the other flags, whereas tcp[13] = 0x18 matches only segments with exactly PSH and ACK set.
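As an added worked example for the two paragraphs above (it is not code from the original page or from tcpdump itself), the following Python builds a constructed IPv4+TCP packet, reads the flags byte the way tcpdump's tcp[13] does, relative to the start of the TCP header rather than at a fixed offset into the packet, decodes the individual flag bits, and evaluates filters of the form tcp[13] & N != 0 and tcp[13] = V. The ports, addresses and sequence numbers are arbitrary constructed values, and checksums are left at zero because only the headers are inspected.

```python
import struct

# tcpdump's tcp[13] is the TCP flags byte. Each flag is one bit of that byte,
# so a filter such as "tcp[13] & 8 != 0" tests a single bit.
TCP_FLAG_BITS = {
    "FIN": 0x01,
    "SYN": 0x02,
    "RST": 0x04,
    "PSH": 0x08,
    "ACK": 0x10,
    "URG": 0x20,
    "ECE": 0x40,
    "CWR": 0x80,
}


def build_ipv4_tcp_packet(flags, payload=b"", ip_options=b""):
    """Build a constructed (not captured) IPv4+TCP packet for testing.

    Addresses, ports and sequence numbers are arbitrary; checksums are zero
    because this example only inspects header fields.
    """
    assert len(ip_options) % 4 == 0, "IP options are padded to 32-bit words"
    ihl = 5 + len(ip_options) // 4          # IP header length in 32-bit words
    tcp_header = struct.pack(
        "!HHIIBBHHH",
        40000, 443,      # source / destination port (constructed values)
        1000, 2000,      # sequence / acknowledgment numbers
        5 << 4,          # data offset: 5 words = 20 bytes, no TCP options
        flags,           # the flags byte, i.e. tcp[13]
        65535, 0, 0,     # window, checksum (zeroed), urgent pointer
    )
    total_len = ihl * 4 + len(tcp_header) + len(payload)
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl, 0, total_len,
        0, 0, 64, 6, 0,  # id, flags/fragment offset, ttl, protocol=6 (TCP), checksum
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
    ) + ip_options
    return ip_header + tcp_header + payload


def tcp_flags_byte(packet):
    """Return tcp[13] from a raw IPv4 packet, honouring the IP header length.

    tcpdump's tcp[N] is indexed from the start of the TCP header, so a packet
    carrying IP options shifts the flags byte: it is not at a fixed position.
    """
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    if packet[9] != 6:
        raise ValueError("not a TCP segment")
    ihl_bytes = (version_ihl & 0x0F) * 4
    return packet[ihl_bytes + 13]


def decode_flags(flags_byte):
    """Return the set of flag names set in the byte, e.g. {'PSH', 'ACK'}."""
    return {name for name, bit in TCP_FLAG_BITS.items() if flags_byte & bit}


def matches(packet, mask):
    """Evaluate a filter of the form 'tcp[13] & mask != 0' (any listed flag set)."""
    return tcp_flags_byte(packet) & mask != 0


def matches_exactly(packet, value):
    """Evaluate a filter of the form 'tcp[13] = value' (exactly these flags set)."""
    return tcp_flags_byte(packet) == value


if __name__ == "__main__":
    psh_ack = build_ipv4_tcp_packet(TCP_FLAG_BITS["PSH"] | TCP_FLAG_BITS["ACK"], b"GET / HTTP/1.1\r\n")
    syn = build_ipv4_tcp_packet(TCP_FLAG_BITS["SYN"])
    for name, pkt in (("PSH+ACK data segment", psh_ack), ("SYN", syn)):
        fb = tcp_flags_byte(pkt)
        print(f"{name}: tcp[13]=0x{fb:02x} flags={sorted(decode_flags(fb))} "
              f"'tcp[13] & 8 != 0' -> {matches(pkt, 8)} "
              f"'tcp[13] = 0x18' -> {matches_exactly(pkt, 0x18)}")
```

tcpdump also accepts symbolic names for the same byte and bits, so `tcp[tcpflags] & (tcp-push|tcp-ack) != 0` is equivalent to `tcp[13] & 0x18 != 0`; the numeric form is what the explanation above describes, and the `tcp_flags_byte` function shows why the offset must be taken from the TCP header rather than from byte 33 of the packet.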

PSH is an indication by the sender that, if the receiving machine's TCP implementation has not yet provided the data it's received to the code that's reading the data (program, or library used by a program), it should do so at that point. To quote RFC 793, the official specification for TCP:

This tells the sending TCP to immediately "push" all the data it has to the recipient's TCP as soon as it is able to do so, without waiting for more data. When this function is invoked, TCP will create a segment (or segments) that contains all the data it has outstanding, and will transmit it with the PSH flag set.