Answer: Capture HTTP GET requests. This looks for the bytes 'G', 'E', 'T', and ' ' (hex values 47, 45, 54, and 20) just after the TCP header. "(tcp[12:1] & 0xf0) >> 2" figures out the TCP header length. From Jefferson Ogata via the tcpdump-workers mailing list.
port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420
tcp[12:1] = in the TCP header, go to byte offset 12 (counting from 0) and read 1 byte
0000 52 54 00 12 35 02 08 00 27 8b ba eb 08 00 45 00 RT..5... '.....E.
0010 02 9f f4 a7 40 00 40 06 00 d1 0a 00 02 0f 4a 7d ....@.@. ......J}
0020 ec 54 87 88 00 50 5f 77 33 ac 54 e2 78 02 50 18 .T...P_w 3.T.x.P.
0030 16 d0 45 72 00 00 47 45 54 20 2f 20 48 54 54 50 ..Er..GE T / HTTP
0040 2f 31 2e 31 0d 0a 48 6f 73 74 3a 20 77 77 77 2e /1.1..Ho st: www.
0050 67 6f 6f 67 6c 65 2e 63 6f 2e 69 6e 0d 0a 55 73 google.c o.in..Us
0060 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c er-Agent : Mozill
0070 61 2f 35 2e 30 20 28 58 31 31 3b 20 55 3b 20 4c a/5.0 (X 11; U; L
0080 69 6e 75 78 20 69 36 38 36 3b 20 65 6e 2d 55 53 inux i68 6; en-US
0090 3b 20 72 76 3a 31 2e 39 2e 30 2e 31 35 29 20 47 ; rv:1.9 .0.15) G
00a0 65 63 6b 6f 2f 32 30 30 39 31 30 32 38 31 34 20 ecko/200 9102814
The bytes in bold are the TCP header; they are highlighted automatically when you select the TCP header.
So from above, tcp[12:1] = 0x50
0x50 & 0xf0 = 0101 0000 & 1111 0000 (masking) = 0101 0000 = 0x50
0101 0000
1111 0000
-----------------
0101 0000
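Now right-shift by 2 bits. The upper four bits of this byte hold the header length in 32-bit words, so shifting right by 4 and then multiplying by 4 is the same as shifting right by 2:
0101 0000 >> 2 = 0001 0100 = 20 (decimal)
Now,
tcp[20:4] = 47 45 54 20 (in hex, which is 'G', 'E', 'T', ' ')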
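The same evaluation in Python, as an added example that is not part of the original answer: it applies the filter to the first 80 bytes of the dump above and to a constructed variant of that packet carrying 12 bytes of TCP options, where a fixed tcp[20:4] test would miss the request. The function names and the assumption of an untagged Ethernet II frame are mine.

```python
import struct

# Constructed input: the first 80 bytes of the hex dump above
# (Ethernet II + IPv4 + TCP + start of the HTTP payload).
FRAME = bytes.fromhex(
    "52 54 00 12 35 02 08 00 27 8b ba eb 08 00 45 00 "
    "02 9f f4 a7 40 00 40 06 00 d1 0a 00 02 0f 4a 7d "
    "ec 54 87 88 00 50 5f 77 33 ac 54 e2 78 02 50 18 "
    "16 d0 45 72 00 00 47 45 54 20 2f 20 48 54 54 50 "
    "2f 31 2e 31 0d 0a 48 6f 73 74 3a 20 77 77 77 2e"
)
ETH_LEN = 14  # assumption: Ethernet II header without a VLAN tag

def tcp_header(frame):
    """Return (offset of the TCP header in the frame, TCP header length in bytes)."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800 or frame[ETH_LEN + 9] != 6:
        raise ValueError("not an IPv4/TCP frame")
    tcp = ETH_LEN + (frame[ETH_LEN] & 0x0f) * 4  # IPv4 IHL: low nibble, 32-bit words
    # tcp[12:1]: data offset in the high nibble, counted in 32-bit words.
    # (x & 0xf0) >> 4 gives words, * 4 gives bytes, which collapses to >> 2.
    return tcp, (frame[tcp + 12] & 0xf0) >> 2

def matches_http_get(frame):
    """port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420"""
    tcp, hdr_len = tcp_header(frame)
    if 80 not in struct.unpack_from("!HH", frame, tcp):  # source or destination port
        return False
    # A slice shorter than 4 bytes never equals the constant, so truncated packets do not match.
    return frame[tcp + hdr_len:tcp + hdr_len + 4] == bytes.fromhex("47455420")

def matches_fixed_offset(frame):
    """Naive variant tcp[20:4] = 0x47455420, which assumes a 20-byte TCP header."""
    tcp, _ = tcp_header(frame)
    return frame[tcp + 20:tcp + 24] == b"GET "

def with_timestamp_option(frame):
    """Constructed variant: same packet plus 12 bytes of TCP options (checksums left stale)."""
    tcp, hdr_len = tcp_header(frame)
    out = bytearray(frame)
    out[tcp + 12] = 0x80  # data offset 8 words = 32 bytes
    out[tcp + hdr_len:tcp + hdr_len] = bytes.fromhex("0101080a 00000001 00000002")
    return bytes(out)

if __name__ == "__main__":
    opt = with_timestamp_option(FRAME)
    for name, f in (("dump", FRAME), ("with options", opt)):
        print(name, tcp_header(f), matches_http_get(f), matches_fixed_offset(f))
```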