Blog

I finally understood more complex tcpdump (or rather pcap) filter rules. For example, straight from the pcap-filter(7) man page:

    To select all IPv4 HTTP packets to and from port 80, i.e. print only packets that contain data, not, for example, SYN and FIN packets and ACK-only packets.

    tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)

The port filter should be obvious. Taking apart the code inside the brackets we get

ip[2:2]: At offset 2 in the IP packet, read 2 bytes. This is the total length of the IP packet (which wraps the TCP packet).

(ip[0] & 0xf) << 2: Get the first byte of the IP packet. The first byte encodes the version and the header length in the high and low nibble respectively. We mask it with 0xf (00001111 in binary), throwing away the version in the higher nibble. The header length is stored as a count of 32-bit words, so we left-shift by 2 (multiply by 4) to get the header length in bytes.

(tcp[12] & 0xf0) >> 2: Get the byte at offset 12 of the TCP header, which encodes the TCP header length in the higher nibble. Mask it with 0xf0 (11110000 in binary) to zero out the lower nibble. This length is also counted in 32-bit words, so moving the nibble down by 4 bits and multiplying by 4 collapses into a single right-shift by two, which again yields the length in bytes.

Any packet that returns 0 after subtracting the header lengths from the total length contains no data, just like the man page advertises.

For a second example, here's a filter for HTTP POST requests:

    tcp dst port 80 and tcp[((tcp[12] & 0xf0) >> 2):4] = 0x504f5354

Again, the port filter is obvious. The more interesting part breaks down to:

(tcp[12] & 0xf0) >> 2: This is exactly the same expression as explained above, and it returns the TCP header length in bytes. It is used here inside another TCP byte index, which effectively picks the offset of the first byte after the header. If we call this expression headerLength, the filter simplifies to tcp[headerLength:4]: we read the first four bytes of the TCP payload, which in an HTTP request contain the verb. The result is compared against 0x504f5354, which is simply the ASCII string POST encoded in hex.
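To check both expressions by hand, the following added example (not part of the original post or of the man page) evaluates them in Python over constructed packets, including ones that carry IP and TCP options, which is the case the header-length arithmetic exists for. The helper names, addresses, ports and option bytes are assumptions made up for the demo; the port test of the filters is left out.

```python
import struct

def build_packet(payload=b"", ip_options=b"", tcp_options=b"", dport=80):
    """Constructed IPv4+TCP packet for the demo; checksums are left at zero."""
    ihl = 5 + len(ip_options) // 4      # IP header length in 32-bit words
    doff = 5 + len(tcp_options) // 4    # TCP data offset in 32-bit words
    total = (ihl + doff) * 4 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + ip_options
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, doff << 4, 0x18,
                      65535, 0, 0) + tcp_options
    return ip + tcp + payload

def tcp_segment(pkt):
    """tcp[...] indexes from the start of the TCP header, (ip[0]&0xf)<<2 bytes in."""
    return pkt[(pkt[0] & 0x0F) << 2:]

def payload_length(pkt):
    """ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2)"""
    total_len = int.from_bytes(pkt[2:4], "big")     # ip[2:2]
    ip_hlen = (pkt[0] & 0x0F) << 2                  # IHL words * 4 = bytes
    tcp_hlen = (tcp_segment(pkt)[12] & 0xF0) >> 2   # data offset words * 4 = bytes
    return total_len - ip_hlen - tcp_hlen

def is_post(pkt):
    """tcp[((tcp[12] & 0xf0) >> 2):4] = 0x504f5354"""
    tcp = tcp_segment(pkt)
    hlen = (tcp[12] & 0xF0) >> 2
    first4 = tcp[hlen:hlen + 4]
    # A payload shorter than 4 bytes cannot match: an out-of-range read
    # makes the BPF filter reject the packet.
    return len(first4) == 4 and int.from_bytes(first4, "big") == 0x504F5354

# Constructed options: TCP NOP, NOP, Timestamp (kind 8, len 10); IP NOP x3 + EOL.
TCP_OPTS = b"\x01\x01\x08\x0a" + bytes(8)
IP_OPTS = b"\x01\x01\x01\x00"

if __name__ == "__main__":
    samples = {
        "ACK only": build_packet(),
        "ACK only, with options": build_packet(b"", IP_OPTS, TCP_OPTS),
        "POST": build_packet(b"POST /upload HTTP/1.1\r\n\r\n", IP_OPTS, TCP_OPTS),
        "GET": build_packet(b"GET / HTTP/1.1\r\n\r\n", tcp_options=TCP_OPTS),
    }
    for name, pkt in samples.items():
        print(f"{name:24} payload={payload_length(pkt):3} post={is_post(pkt)}")
```

The "ACK only, with options" sample is 56 bytes long, so subtracting a fixed 40 bytes of headers would wrongly report 16 bytes of data; reading both header lengths from the packet gives 0.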

I am storing backups from mobile devices on my Nextcloud instance (32.0 at the time of this writing). Some apps support retention themselves and they only keep the last x backups. Some apps do not and they clutter and fill up my storage. To solve this I wanted to get Nextcloud to automatically delete files in my backup folder. This required some knowledge that I did not see in a single place, so I am putting all the info I needed into this post to make it easier for others.

Install Nextcloud apps

I solved my issue with two apps: “Files automated tagging” and “Retention”. You can find both under the “Flow” category in Nextcloud's app store. Install and enable them both, if you have not already done so.

Automatic tagging

Initially I was unable to add a tag whenever I upload a backup. The solution turned out to be an extra step: Manually adding a tag to the backup folder. I chose “backup-folder” for the tag name. This allows us to create a rule to automatically tag all files added to this folder.

⚠️ I found that the “Manage tags” menu in the file view is the only place where I could add new tags. You will need to add the tag you automatically want to assign here first before being able to configure the flow in the next step.

Screenshot showing the "Manage tags" menu item

This is what we do next by creating a new tagging flow in the “Flow” section of your personal settings.

The “When” rule apparently cannot be changed and is always “File is changed”. In some documentation I saw other values, but I guess they changed this at some point. The rule we create is “File system tag” “is tagged with” “backup-folder” (or whichever tag you picked when manually adding a tag to your backup folder). And the outcome is adding a new tag like “auto-delete”. You can have different tags that, for example, contain the retention period in their name (something like “delete-in-one-week”) which would allow you to enforce different retention periods. This will require you to use different backup folder tags for each folder to use in your auto-tagging rule.

An auto-tagging flow

Configure retention rule

Retention is configured in the admin settings, again under the section “Flow”. Here you simply configure the rule for your automatically added tag (“auto-delete” or “delete-in-one-week” or whatever you used). Configure it however you want and save it.

⚠️ Be careful to not use the tag you manually added to the backup folder, otherwise all your backups will suddenly be gone.

And that's it!