I need to capture packets with length equal to 16 bytes
The closer i came with is this:
tcpdump -ni lo -ttt dst port 1337 and greater 16
if I add other filters to match my will like :
tcpdump -ni lo -ttt dst port 1337 and greater 16 and not greater 17
tcpdump -ni lo -ttt dst port 1337 and \(greater 16 and not greater 17\)
tcpdump -ni lo -ttt dst port 1337 and greater 16 and less 16
It just doesn't show any packets at all.
Althought, using :
tcpdump -ni lo -ttt dst port 1337 and less 16
doesn't seem to work neither, i'm actually wandering if the less filter works...
Any help is welcome :)
As Barry Margolin indicated, the greater operator checks the length of the entire packet, including all headers. 16 bytes of TCP payload plus 20 bytes of TCP header (that's the minimum TCP header length, without options) plus 20 bytes of IPv4 header (that's the minimum IPv4 header length, without options) plus 14 bytes of Ethernet header, for example, is 70 bytes.
I'm guessing from "lo" that you're capturing on Linux and capturing on the loopback interface, in which case packets have a (fake) Ethernet header.
68 bytes was the default snapshot length in older versions of tcpdump, when built without IPv6 support, so perhaps the length being reported as 68 is the captured length, with the last 2 bytes being cut off. Try running tcpdump with the flags -o 0 (unless it's a really old version of tcpdump, a snapshot length of 0 will mean "set the snapshot length really high so that packets don't get cut off).