From 76239ffb7cd329740ab129dfe602c62f7c6de85c Mon Sep 17 00:00:00 2001
From: Cong Nguyen
Date: Sun, 12 Apr 2020 20:17:14 +0700
Subject: [PATCH] correct ecn filter when ecn flag is set

p0f set ecn quirk in 2 scenarios: when tos_ecn is set, or tcp_ece&tcp_cwr flag is set. Currently, bpftools only check if tos_ecn is set, which will generate the wrong filter
---
 bpftools/p0f.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bpftools/p0f.py b/bpftools/p0f.py
index 3c3169a..e34d838 100644
--- a/bpftools/p0f.py
+++ b/bpftools/p0f.py
@@ -3,7 +3,7 @@
 ip = {
 'hl': '(ip[0] & 0xf)',
- 'ecn': '(ip[1] & 0x2)',
+ 'ecn': '(ip[1] & 0x2) | (tcp[tcpflags] & 0xc0)',
 'tl': 'ip[2:2]',
 'ipid': 'ip[4:2]',
 'df': '(ip[6] & 0x40)',
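Review bot: The new `'ecn'` value is the only visible entry of `ip` that is a bare binary expression rather than a single term or one parenthesised group, so its meaning depends on how the caller splices it into the final filter, which is outside this hunk (the dict itself also continues past it). Wrapping it keeps it safe to combine with a comparison or further arithmetic: `'ecn': '((ip[1] & 0x2) | (tcp[tcpflags] & 0xc0))',`. The IP half still tests only bit 0x2 of the TOS byte while the ECN field is the low two bits, so a packet carrying only 0x1 would not match; if p0f's quirk covers both bits the mask should probably be `0x3`, which is worth confirming against the p0f source. Because the entry now reads the TCP header from a dict named `ip`, a comment such as `# ECN quirk: IP ECN bits set, or TCP ECE/CWR (0x40|0x80) set` would help, together with a test that the generated filter matches each case, since a mis-built filter silently selects the wrong traffic.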