What does this tcpdump line means?

Reading the manpage of tcpdump I found this example

tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'

but I don’t understand it, especially the last part.

The tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 part filters all the packets having either the SYN or the FIN bit set.

What does not src and dst net localnet filter?

The explanation in the same manpage says

To print the start and end packets (the SYN and FIN packets) of each
TCP conversation that involves a non-local host.

but in my opinion src is not an expression by itself.

Asked By: JustTrying


You can parse the second part of that filter thusly

not ( (src and dest) net localnet )

It’s shorthand for

not src net localnet and not dest net localnet
Answered By: utopiabound
Categories: Answers Tags: , ,
Answers are sorted by their score. The answer accepted by the question owner as the best is marked with
at the top-right corner.