Get raw text for this example
// ***************************
// ***** TCP header ********
// ***************************
// Attention: you can use this header only if you build some complex headers, containing IP header
// This header must be combined with some other headers (on the channel level at least)
 
/* NOTE:     if some word begings with symbole . then it
's field'
s definition.   If such field already exists then its parameters will be rewritten.     The position of the newly defined field will be equal to the current position of byte pointer.   The byte pointer is initially equal to 0. It changes while specifying field's value (ex:
"srcport 80"
)   or while field's definition (ex:
".srcport 80s2."
). In any case it will be set after the just written value.     If this header is included from some other header then byte pointer may not be equal to 0.   Its current value will be used as the beginning of tcp header.     The comments before field's definition will be displayed when using -k option.  */
 
/*     0 1 2 3   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   | Source Port | Destination Port |   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   | Sequence Number |   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   | Acknowledgment Number |   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   | Data | |U|A|P|R|S|F| |   | OFFSET
PARAMETERS: <number of bites>
The position of the next defined field will be shifted to the left for the given <number of bits> which must be from 1 to 7. So every written value will be shifter to the left before writing. Nevertheless, after the writing the left bits will be also changed and set to 0. To avoid this use command MASK
PARAMETERS: <field's mask>
Defines the mask for the next defined field. Mask is hexadecimal number. Value for field will be written only in bits corresponding not null bits of mask. See "headers/tcp_header.fws".
. See "headers/tcp_header.fws"
| Reserved |R|C|S|S|Y|I| Window |   | | |G|K|H|T|N|N| |   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   | Checksum | Urgent Pointer |   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   | Options | Padding |   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   | data |   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+     TCP Header Format    */
// port of source
 .srcport 32776s2.
/* While field's definition its value must be given.   The type of value will be determined automaticly and will become the type of field.   Decimal number are marked by symbole . at the end. Hexadecimal number - 0x at the beginning.   By default numbers are decimal.   For decimal numbers symbole
's'
may be used to specify the size of field follows this symbole.     After this definition byte pointer will be increased by 2.     */
// port of destination
.dstport 81s2.
// number of sequence
.num 1001s4.
// number of acknowledgement
.ack 200001s4.
// next two commands will be applied to next defined field only
MASK
PARAMETERS: <field's mask>
Defines the mask for the next defined field. Mask is hexadecimal number. Value for field will be written only in bits corresponding not null bits of mask. See "headers/tcp_header.fws".
0xf0
// MASK
PARAMETERS: <field's mask>
Defines the mask for the next defined field. Mask is hexadecimal number. Value for field will be written only in bits corresponding not null bits of mask. See "headers/tcp_header.fws".
command is used to limit the area of common field, the value will be written to only left four bits
OFFSET
PARAMETERS: <number of bites>
The position of the next defined field will be shifted to the left for the given <number of bits> which must be from 1 to 7. So every written value will be shifter to the left before writing. Nevertheless, after the writing the left bits will be also changed and set to 0. To avoid this use command MASK
PARAMETERS: <field's mask>
Defines the mask for the next defined field. Mask is hexadecimal number. Value for field will be written only in bits corresponding not null bits of mask. See "headers/tcp_header.fws".
. See "headers/tcp_header.fws"
4
// OFFSET
PARAMETERS: <number of bites>
The position of the next defined field will be shifted to the left for the given <number of bits> which must be from 1 to 7. So every written value will be shifter to the left before writing. Nevertheless, after the writing the left bits will be also changed and set to 0. To avoid this use command MASK
PARAMETERS: <field's mask>
Defines the mask for the next defined field. Mask is hexadecimal number. Value for field will be written only in bits corresponding not null bits of mask. See "headers/tcp_header.fws".
. See "headers/tcp_header.fws"
command is used to shift the area of decimal field to the left, the value will be multiplied by 16 (2^4)
// the length of TCP header (in fours of bytes, mask = 0xf0, OFFSET
PARAMETERS: <number of bites>
The position of the next defined field will be shifted to the left for the given <number of bits> which must be from 1 to 7. So every written value will be shifter to the left before writing. Nevertheless, after the writing the left bits will be also changed and set to 0. To avoid this use command MASK
PARAMETERS: <field's mask>
Defines the mask for the next defined field. Mask is hexadecimal number. Value for field will be written only in bits corresponding not null bits of mask. See "headers/tcp_header.fws".
. See "headers/tcp_header.fws"
4)
.tcp.hlen 5
// tcp flags
.tcp.flags 0x02 BACK
PARAMETERS: <number of bytes>
Reduces the pointer for the given <number of bytes>.
1
// reduces byte pointer by 1 (BACK
PARAMETERS: <number of bytes>
Reduces the pointer for the given <number of bytes>.
to position of tcp.flags field)
// tcp flags alias
.tf 0x02
// the size of receiver window
.window 5840s2.
// tcp crc
.tcp.crc 0x0000
// the size of field will be determined by the size of hexadecimal number
// urg pointer
.urg 100s2.
// application's data (for header without options)
 .tcp.data
''
/* NOTE: symboles ' or " indicate the string type, fields with this type have no size,   any string may be specified later   */
// application's data
.td
''
// alias for tcp.data
PASS
PARAMETERS: <number of bytes>
Increases the byte pointer for the given <number of bytes>.
12
// increases the byte pointer by option's size
// application's data (for header with 12 bytes of options)
.tcpd
''
// start position of data for header with some popular options (see tcpstdopt.fws)
CLEARHISTORY
PARAMETERS: no parameters
Clears info about the maximum size of previous packets. New packet may be smaller than previous ones. This command also makes all auto-calculated values inactive.
// clearing the history of packets, otherwise the tcp packet will have size as though it has options
 tcp.crc TCPcrc
/* sets auto calculated value, tcp crc will be automaticly calculated before generation or waiting,   any concrete value may specified later if needed (ex:
"tcp.crc 0x0000"
)   */
tcp.data
''
// tcp ports
DEFINE
PARAMETERS: <name> <value>
Defines the substitution which will be applied while reading some values (in parameters to commands and others). <name> will be replaced by <value>. This substitution may be also performed in strings enclosed in apostrophes. In this case the <name> must be enclosed in $ (ex: 'value = $name$'. See also command GDEF
PARAMETERS: <new name> <original name>
Defines the substitution which will be applied while reading almost any read word from text. <New name> will be replaced by <original name>. This substitution may be also performed in strings enclosed in apostrophes. In this case the name must be enclosed in $ (ex: 'value = $name$').
.
http 80s2.
// after s - size of number
DEFINE
PARAMETERS: <name> <value>
Defines the substitution which will be applied while reading some values (in parameters to commands and others). <name> will be replaced by <value>. This substitution may be also performed in strings enclosed in apostrophes. In this case the <name> must be enclosed in $ (ex: 'value = $name$'. See also command GDEF
PARAMETERS: <new name> <original name>
Defines the substitution which will be applied while reading almost any read word from text. <New name> will be replaced by <original name>. This substitution may be also performed in strings enclosed in apostrophes. In this case the name must be enclosed in $ (ex: 'value = $name$').
.
ftp 21s2. DEFINE
PARAMETERS: <name> <value>
Defines the substitution which will be applied while reading some values (in parameters to commands and others). <name> will be replaced by <value>. This substitution may be also performed in strings enclosed in apostrophes. In this case the <name> must be enclosed in $ (ex: 'value = $name$'. See also command GDEF
PARAMETERS: <new name> <original name>
Defines the substitution which will be applied while reading almost any read word from text. <New name> will be replaced by <original name>. This substitution may be also performed in strings enclosed in apostrophes. In this case the name must be enclosed in $ (ex: 'value = $name$').
.
ftpd 20s2. DEFINE
PARAMETERS: <name> <value>
Defines the substitution which will be applied while reading some values (in parameters to commands and others). <name> will be replaced by <value>. This substitution may be also performed in strings enclosed in apostrophes. In this case the <name> must be enclosed in $ (ex: 'value = $name$'. See also command GDEF
PARAMETERS: <new name> <original name>
Defines the substitution which will be applied while reading almost any read word from text. <New name> will be replaced by <original name>. This substitution may be also performed in strings enclosed in apostrophes. In this case the name must be enclosed in $ (ex: 'value = $name$').
.
ssh 22s2.
// standart tcp flags combinations
DEFINE
PARAMETERS: <name> <value>
Defines the substitution which will be applied while reading some values (in parameters to commands and others). <name> will be replaced by <value>. This substitution may be also performed in strings enclosed in apostrophes. In this case the <name> must be enclosed in $ (ex: 'value = $name$'. See also command GDEF
PARAMETERS: <new name> <original name>
Defines the substitution which will be applied while reading almost any read word from text. <New name> will be replaced by <original name>. This substitution may be also performed in strings enclosed in apostrophes. In this case the name must be enclosed in $ (ex: 'value = $name$').
.
onesyn 0x02 DEFINE
PARAMETERS: <name> <value>
Defines the substitution which will be applied while reading some values (in parameters to commands and others). <name> will be replaced by <value>. This substitution may be also performed in strings enclosed in apostrophes. In this case the <name> must be enclosed in $ (ex: 'value = $name$'. See also command GDEF
PARAMETERS: <new name> <original name>
Defines the substitution which will be applied while reading almost any read word from text. <New name> will be replaced by <original name>. This substitution may be also performed in strings enclosed in apostrophes. In this case the name must be enclosed in $ (ex: 'value = $name$').
.
sa 0x12 DEFINE
PARAMETERS: <name> <value>
Defines the substitution which will be applied while reading some values (in parameters to commands and others). <name> will be replaced by <value>. This substitution may be also performed in strings enclosed in apostrophes. In this case the <name> must be enclosed in $ (ex: 'value = $name$'. See also command GDEF
PARAMETERS: <new name> <original name>
Defines the substitution which will be applied while reading almost any read word from text. <New name> will be replaced by <original name>. This substitution may be also performed in strings enclosed in apostrophes. In this case the name must be enclosed in $ (ex: 'value = $name$').
.
synack 0x12 DEFINE
PARAMETERS: <name> <value>
Defines the substitution which will be applied while reading some values (in parameters to commands and others). <name> will be replaced by <value>. This substitution may be also performed in strings enclosed in apostrophes. In this case the <name> must be enclosed in $ (ex: 'value = $name$'. See also command GDEF
PARAMETERS: <new name> <original name>
Defines the substitution which will be applied while reading almost any read word from text. <New name> will be replaced by <original name>. This substitution may be also performed in strings enclosed in apostrophes. In this case the name must be enclosed in $ (ex: 'value = $name$').
.
oneack 0x10 DEFINE
PARAMETERS: <name> <value>
Defines the substitution which will be applied while reading some values (in parameters to commands and others). <name> will be replaced by <value>. This substitution may be also performed in strings enclosed in apostrophes. In this case the <name> must be enclosed in $ (ex: 'value = $name$'. See also command GDEF
PARAMETERS: <new name> <original name>
Defines the substitution which will be applied while reading almost any read word from text. <New name> will be replaced by <original name>. This substitution may be also performed in strings enclosed in apostrophes. In this case the name must be enclosed in $ (ex: 'value = $name$').
.
onerst 0x04 DEFINE
PARAMETERS: <name> <value>
Defines the substitution which will be applied while reading some values (in parameters to commands and others). <name> will be replaced by <value>. This substitution may be also performed in strings enclosed in apostrophes. In this case the <name> must be enclosed in $ (ex: 'value = $name$'. See also command GDEF
PARAMETERS: <new name> <original name>
Defines the substitution which will be applied while reading almost any read word from text. <New name> will be replaced by <original name>. This substitution may be also performed in strings enclosed in apostrophes. In this case the name must be enclosed in $ (ex: 'value = $name$').
.
onefin 0x01 DEFINE
PARAMETERS: <name> <value>
Defines the substitution which will be applied while reading some values (in parameters to commands and others). <name> will be replaced by <value>. This substitution may be also performed in strings enclosed in apostrophes. In this case the <name> must be enclosed in $ (ex: 'value = $name$'. See also command GDEF
PARAMETERS: <new name> <original name>
Defines the substitution which will be applied while reading almost any read word from text. <New name> will be replaced by <original name>. This substitution may be also performed in strings enclosed in apostrophes. In this case the name must be enclosed in $ (ex: 'value = $name$').
.
fa 0x11 DEFINE
PARAMETERS: <name> <value>
Defines the substitution which will be applied while reading some values (in parameters to commands and others). <name> will be replaced by <value>. This substitution may be also performed in strings enclosed in apostrophes. In this case the <name> must be enclosed in $ (ex: 'value = $name$'. See also command GDEF
PARAMETERS: <new name> <original name>
Defines the substitution which will be applied while reading almost any read word from text. <New name> will be replaced by <original name>. This substitution may be also performed in strings enclosed in apostrophes. In this case the name must be enclosed in $ (ex: 'value = $name$').
.
finack 0x11 DEFINE
PARAMETERS: <name> <value>
Defines the substitution which will be applied while reading some values (in parameters to commands and others). <name> will be replaced by <value>. This substitution may be also performed in strings enclosed in apostrophes. In this case the <name> must be enclosed in $ (ex: 'value = $name$'. See also command GDEF
PARAMETERS: <new name> <original name>
Defines the substitution which will be applied while reading almost any read word from text. <New name> will be replaced by <original name>. This substitution may be also performed in strings enclosed in apostrophes. In this case the name must be enclosed in $ (ex: 'value = $name$').
.
ra 0x14 DEFINE
PARAMETERS: <name> <value>
Defines the substitution which will be applied while reading some values (in parameters to commands and others). <name> will be replaced by <value>. This substitution may be also performed in strings enclosed in apostrophes. In this case the <name> must be enclosed in $ (ex: 'value = $name$'. See also command GDEF
PARAMETERS: <new name> <original name>
Defines the substitution which will be applied while reading almost any read word from text. <New name> will be replaced by <original name>. This substitution may be also performed in strings enclosed in apostrophes. In this case the name must be enclosed in $ (ex: 'value = $name$').
.
rstack 0x14
// define Flags fields
 
/*     Control Bits: 6 bits (from left to right):     URG: Urgent Pointer field significant   ACK: Acknowledgment field significant   PSH: Push Function   RST: Reset the connection   SYN: Synchronize sequence numbers   FIN: No more data from sender    */
tcp.flags 0x02 BACK
PARAMETERS: <number of bytes>
Reduces the pointer for the given <number of bytes>.
1 MASK
PARAMETERS: <field's mask>
Defines the mask for the next defined field. Mask is hexadecimal number. Value for field will be written only in bits corresponding not null bits of mask. See "headers/tcp_header.fws".
0x1
// fin flag
.fin 0 BACK
PARAMETERS: <number of bytes>
Reduces the pointer for the given <number of bytes>.
1 OFFSET
PARAMETERS: <number of bites>
The position of the next defined field will be shifted to the left for the given <number of bits> which must be from 1 to 7. So every written value will be shifter to the left before writing. Nevertheless, after the writing the left bits will be also changed and set to 0. To avoid this use command MASK
PARAMETERS: <field's mask>
Defines the mask for the next defined field. Mask is hexadecimal number. Value for field will be written only in bits corresponding not null bits of mask. See "headers/tcp_header.fws".
. See "headers/tcp_header.fws"
1 MASK
PARAMETERS: <field's mask>
Defines the mask for the next defined field. Mask is hexadecimal number. Value for field will be written only in bits corresponding not null bits of mask. See "headers/tcp_header.fws".
0x2
// syn flag
.syn 1 BACK
PARAMETERS: <number of bytes>
Reduces the pointer for the given <number of bytes>.
1 OFFSET
PARAMETERS: <number of bites>
The position of the next defined field will be shifted to the left for the given <number of bits> which must be from 1 to 7. So every written value will be shifter to the left before writing. Nevertheless, after the writing the left bits will be also changed and set to 0. To avoid this use command MASK
PARAMETERS: <field's mask>
Defines the mask for the next defined field. Mask is hexadecimal number. Value for field will be written only in bits corresponding not null bits of mask. See "headers/tcp_header.fws".
. See "headers/tcp_header.fws"
2 MASK
PARAMETERS: <field's mask>
Defines the mask for the next defined field. Mask is hexadecimal number. Value for field will be written only in bits corresponding not null bits of mask. See "headers/tcp_header.fws".
0x4
// rst flag
.rst 0 BACK
PARAMETERS: <number of bytes>
Reduces the pointer for the given <number of bytes>.
1 OFFSET
PARAMETERS: <number of bites>
The position of the next defined field will be shifted to the left for the given <number of bits> which must be from 1 to 7. So every written value will be shifter to the left before writing. Nevertheless, after the writing the left bits will be also changed and set to 0. To avoid this use command MASK
PARAMETERS: <field's mask>
Defines the mask for the next defined field. Mask is hexadecimal number. Value for field will be written only in bits corresponding not null bits of mask. See "headers/tcp_header.fws".
. See "headers/tcp_header.fws"
3 MASK
PARAMETERS: <field's mask>
Defines the mask for the next defined field. Mask is hexadecimal number. Value for field will be written only in bits corresponding not null bits of mask. See "headers/tcp_header.fws".
0x08
// push flag
.push 0 BACK
PARAMETERS: <number of bytes>
Reduces the pointer for the given <number of bytes>.
1 OFFSET
PARAMETERS: <number of bites>
The position of the next defined field will be shifted to the left for the given <number of bits> which must be from 1 to 7. So every written value will be shifter to the left before writing. Nevertheless, after the writing the left bits will be also changed and set to 0. To avoid this use command MASK
PARAMETERS: <field's mask>
Defines the mask for the next defined field. Mask is hexadecimal number. Value for field will be written only in bits corresponding not null bits of mask. See "headers/tcp_header.fws".
. See "headers/tcp_header.fws"
4 MASK
PARAMETERS: <field's mask>
Defines the mask for the next defined field. Mask is hexadecimal number. Value for field will be written only in bits corresponding not null bits of mask. See "headers/tcp_header.fws".
0x10
// ack flag
.ak 0 BACK
PARAMETERS: <number of bytes>
Reduces the pointer for the given <number of bytes>.
1 OFFSET
PARAMETERS: <number of bites>
The position of the next defined field will be shifted to the left for the given <number of bits> which must be from 1 to 7. So every written value will be shifter to the left before writing. Nevertheless, after the writing the left bits will be also changed and set to 0. To avoid this use command MASK
PARAMETERS: <field's mask>
Defines the mask for the next defined field. Mask is hexadecimal number. Value for field will be written only in bits corresponding not null bits of mask. See "headers/tcp_header.fws".
. See "headers/tcp_header.fws"
5 MASK
PARAMETERS: <field's mask>
Defines the mask for the next defined field. Mask is hexadecimal number. Value for field will be written only in bits corresponding not null bits of mask. See "headers/tcp_header.fws".
0x20
// urg flag
.ug 0 BACK
PARAMETERS: <number of bytes>
Reduces the pointer for the given <number of bytes>.
1 OFFSET
PARAMETERS: <number of bites>
The position of the next defined field will be shifted to the left for the given <number of bits> which must be from 1 to 7. So every written value will be shifter to the left before writing. Nevertheless, after the writing the left bits will be also changed and set to 0. To avoid this use command MASK
PARAMETERS: <field's mask>
Defines the mask for the next defined field. Mask is hexadecimal number. Value for field will be written only in bits corresponding not null bits of mask. See "headers/tcp_header.fws".
. See "headers/tcp_header.fws"
6 MASK
PARAMETERS: <field's mask>
Defines the mask for the next defined field. Mask is hexadecimal number. Value for field will be written only in bits corresponding not null bits of mask. See "headers/tcp_header.fws".
0x40
// ece flag
.ece 0 BACK
PARAMETERS: <number of bytes>
Reduces the pointer for the given <number of bytes>.
1 OFFSET
PARAMETERS: <number of bites>
The position of the next defined field will be shifted to the left for the given <number of bits> which must be from 1 to 7. So every written value will be shifter to the left before writing. Nevertheless, after the writing the left bits will be also changed and set to 0. To avoid this use command MASK
PARAMETERS: <field's mask>
Defines the mask for the next defined field. Mask is hexadecimal number. Value for field will be written only in bits corresponding not null bits of mask. See "headers/tcp_header.fws".
. See "headers/tcp_header.fws"
7 MASK
PARAMETERS: <field's mask>
Defines the mask for the next defined field. Mask is hexadecimal number. Value for field will be written only in bits corresponding not null bits of mask. See "headers/tcp_header.fws".
0x80
// cwr flag
.cwr 0 BACK
PARAMETERS: <number of bytes>
Reduces the pointer for the given <number of bytes>.
1 tcp.data
''