65

I want to use a filter rule to capture only ack or syn packets. How do I do this?

Aaron Hall
larry
  • Personally I would not do this. I'd capture all packets, then filter on SYN and ACK flags later. If you're troubleshooting TCP, you almost always want to see a whole conversation, not just a handshake or ACK. If you're not interested in the actual data payload, you can limit packet size with `tcpdump -s SIZE`. The TCP header can be a variable length, so capturing `-s 128` will probably get all possible headers and maybe a little bit of data. – suprjami Dec 07 '14 at 01:02
  • Maybe you're not troubleshooting TCP. Maybe you want to see how chatty a program is, and you want to count its outbound connections. Like me, now. – Dan Pritts Apr 25 '16 at 20:41
  • In my case I needed to count the occurrences of SYN retransmissions due to TIME_WAIT socket exhaustion. All I needed were the SYN packets. Legitimate use case by the OP I would say. – Christoph Nov 20 '19 at 13:10
  • Related: [Capture only TCP SYN-ACK packets with tcpdump](https://superuser.com/questions/1542222/capture-only-tcp-syn-ack-packets-with-tcpdump) – red0ct Apr 16 '20 at 12:01

6 Answers

100

The pcap filter syntax used for tcpdump should work exactly the same way in a Wireshark capture filter.

With tcpdump I would use a filter like this:

tcpdump "tcp[tcpflags] & (tcp-syn|tcp-ack) != 0"

Check out the tcpdump man page, and pay close attention to the tcpflags.

Be sure to also check out the sections in the Wireshark Wiki about capture and display filters. Unfortunately the two types of filters use a completely different syntax, and different names for the same thing.

If you wanted a display filter instead of capture filter you would probably need to build an expression combining tcp.flags.ack, and tcp.flags.syn. I am far more familiar with capture filters though, so you'll have to work that out on your own.

Zoredache
  • I like your response better. It looks like you went to an effort. Upvote for you. – Ablue Dec 31 '10 at 06:43
  • This is a great answer with good references, but please note that this syntax will capture any packets that have the SYN or ACK flags set, even if other flags are also set. This may or may not be what the OP intended. Please see my answer below for a more strict filter if only TCP SYN or ACK packets are desired. Cheers. – JJC Aug 09 '12 at 00:33
22

While @Zoredache's answer is nice and complete, note that that syntax will yield any packets that have the TCP SYN or the TCP ACK flag set, including packets which are not strictly just plain "TCP SYN" or "TCP ACK" packets, because they also have other flags set. This may or may not be what you (or future readers) intended. For example, that syntax will also capture TCP SYN-ACK packets, TCP FIN-ACK, etc. If you want only TCP SYN or TCP ACK packets (i.e. JUST one of those flags set), the proper capture filter syntax is:

'tcp[tcpflags] == tcp-syn or tcp[tcpflags] == tcp-ack'

Equivalently:

'tcp[13] == 2 or tcp[13] == 16'

Cheers!

JJC
14
tcpdump 'tcp[13] & 18 != 0'   # SYN (2) or ACK (16) bit set; the original 'tcp[13] = 3' would only match SYN+FIN

http://danielmiessler.com/study/tcpdump/

Advanced

You can also filter based on specific portions of a packet, as well as combine multiple conditions into groups. The former is useful when looking for only SYNs or RSTs, for example, and the latter for even more advanced traffic isolation.

UAP RSF

[ Hint: An anagram for the TCP flags: Unskilled Attackers Pester Real Security Folk ]

your memo: ...

Show me all URGENT (URG) packets...

tcpdump 'tcp[13] & 32 != 0'

Show me all ACKNOWLEDGE (ACK) packets...

tcpdump 'tcp[13] & 16 != 0'

Show me all PUSH (PSH) packets...

tcpdump 'tcp[13] & 8 != 0'

Show me all RESET (RST) packets...

tcpdump 'tcp[13] & 4 != 0'

Show me all SYNCHRONIZE (SYN) packets...

tcpdump 'tcp[13] & 2 != 0'

Show me all FINISH (FIN) packets...

tcpdump 'tcp[13] & 1 != 0'

Show me all SYNCHRONIZE/ACKNOWLEDGE (SYNACK) packets...

tcpdump 'tcp[13] = 18'

[Note: Only the PSH, RST, SYN, and FIN flags are displayed in tcpdump's flag field output. URGs and ACKs are displayed, but they are shown elsewhere in the output rather than in the flags field ]

chrk
castet
  • Plagiarism isn't allowed on [SE]. Please edit this post to make it clear that you have copied the content from the linked site. Thank you. – Chris S May 17 '13 at 19:59
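Added example, not code from any of the answers above nor from the linked site: a small Python script that builds constructed TCP headers, reads tcp[13] the way the BPF filters above index it, and evaluates Zoredache's loose filter, JJC's strict filter, the SYN-only case and the `tcp[13] = 18` SYN-ACK test from the flag table against them. The flag bit values follow the UAP RSF table; the sample packets are constructed, not captured.

```python
import struct

# Bit values of the TCP flags byte (tcp[13]), in UAP RSF order.
TCP_FLAGS = {"URG": 32, "ACK": 16, "PSH": 8, "RST": 4, "SYN": 2, "FIN": 1}


def build_tcp_header(flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed 20-byte TCP header (no options) carrying the given flags byte.

    Sequence/ack numbers, window, checksum and urgent pointer are placeholders;
    only byte 13 matters for the filters exercised here.
    """
    data_offset = 5 << 4  # header length 5 x 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0,
                       data_offset, flags, 65535, 0, 0)


def tcp_flags_byte(header: bytes) -> int:
    """tcp[13]: the flags byte, indexed exactly as the BPF filters do."""
    return header[13]


def flag_names(flags: int) -> str:
    """Human-readable flag list for a tcp[13] value, e.g. 18 -> 'ACK|SYN'."""
    return "|".join(name for name, bit in TCP_FLAGS.items() if flags & bit) or "none"


# The filters discussed on this page, as predicates on tcp[13]. Note that in
# Python '!=' binds tighter than '&', so the masks are parenthesised; pcap's
# grammar evaluates 'tcp[13] & 2 != 0' the intuitive way without parentheses.
def loose_syn_or_ack(flags: int) -> bool:
    """tcp[tcpflags] & (tcp-syn|tcp-ack) != 0  (either bit set, other bits ignored)."""
    return (flags & (TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"])) != 0


def strict_syn_or_ack(flags: int) -> bool:
    """tcp[tcpflags] == tcp-syn or tcp[tcpflags] == tcp-ack  (exactly one bit set)."""
    return flags == TCP_FLAGS["SYN"] or flags == TCP_FLAGS["ACK"]


def syn_only(flags: int) -> bool:
    """tcp[tcpflags] == tcp-syn: the initial SYN, with ACK clear."""
    return flags == TCP_FLAGS["SYN"]


def synack(flags: int) -> bool:
    """tcp[13] = 18: SYN and ACK set and nothing else."""
    return flags == 18


# Constructed sample packets, one per common flag combination. SYN-FIN is
# included because it is the kind of malformed combination a loose mask admits.
SAMPLE_PACKETS = {
    "SYN": build_tcp_header(2),
    "SYN-ACK": build_tcp_header(18),
    "ACK": build_tcp_header(16),
    "PSH-ACK": build_tcp_header(24),
    "FIN-ACK": build_tcp_header(17),
    "RST": build_tcp_header(4),
    "SYN-FIN": build_tcp_header(3),
}


def matching(pred) -> list:
    """Names of the sample packets whose tcp[13] satisfies the predicate."""
    return [name for name, hdr in SAMPLE_PACKETS.items() if pred(tcp_flags_byte(hdr))]


if __name__ == "__main__":
    for name, hdr in SAMPLE_PACKETS.items():
        fb = tcp_flags_byte(hdr)
        print(f"{name:8s} tcp[13]=0x{fb:02x} ({flag_names(fb)})")
    for pred in (loose_syn_or_ack, strict_syn_or_ack, syn_only, synack):
        print(f"{pred.__name__:18s} -> {matching(pred)}")
```

Running it shows the point JJC makes: the loose mask accepts SYN-ACK, PSH-ACK, FIN-ACK and even SYN-FIN, while the `==` form only admits a bare SYN or a bare ACK.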
9

I made a script to see the top "synners". For that, I consider only the initial SYN packet (the first packet of the three-packet handshake). That is, syn = 1, ack = 0.

while :; do
  date
  # 100 packets with SYN set and ACK clear, i.e. the first packet of a handshake.
  # The backslash after "and" keeps both halves of the filter in one tcpdump command.
  # With -n, awk field 3 is the source as host.port; the port is stripped so the
  # count is per host rather than per connection.
  tcpdump -i eth1 -n -c 100 \
    'tcp[tcpflags] & (tcp-syn) != 0' and \
    'tcp[tcpflags] & (tcp-ack) == 0' 2> /dev/null \
  | awk '{ sub(/\.[0-9]+$/, "", $3); print $3 }' \
  | sort | uniq -c | sort -n | tail -5
  echo
  sleep 1
done
edward
  • That's a nice example. You can simplify your tcpdump capture filter even further by replacing "'tcp[tcpflags] & (tcp-syn) != 0' and 'tcp[tcpflags] & (tcp-ack) == 0'" with just 'tcp[tcpflags] == tcp-syn'. That will automatically exclude packets with ACK set. Cheers! – JJC Aug 09 '12 at 00:36
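Added example, not part of edward's post: the same ranking done in Python over constructed tcpdump -n output lines, so the matching logic can be checked without a live interface. It applies the condition edward's capture filter expresses (SYN set, ACK clear) to tcpdump's Flags field, where S is SYN and . is ACK, and counts per source host after stripping the port that tcpdump -n appends. The log lines are constructed, not a real capture.

```python
import re
from collections import Counter

# Constructed tcpdump -n output (not a real capture). In tcpdump's Flags
# notation S=SYN, .=ACK, P=PSH, F=FIN, R=RST, U=URG, so "[S]" is a SYN with
# ACK clear (first packet of a handshake) and "[S.]" is the SYN-ACK reply.
# The second "[S]" from 10.0.0.5.51235 is a retransmitted SYN.
SAMPLE_LINES = """\
12:00:00.000001 IP 10.0.0.5.51234 > 192.0.2.10.443: Flags [S], seq 1, win 64240, length 0
12:00:00.000002 IP 192.0.2.10.443 > 10.0.0.5.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:00.000003 IP 10.0.0.5.51234 > 192.0.2.10.443: Flags [.], ack 1, win 502, length 0
12:00:01.000001 IP 10.0.0.5.51235 > 192.0.2.10.443: Flags [S], seq 1, win 64240, length 0
12:00:02.000001 IP 10.0.0.5.51235 > 192.0.2.10.443: Flags [S], seq 1, win 64240, length 0
12:00:02.500001 IP 10.0.0.7.40001 > 192.0.2.10.443: Flags [S], seq 1, win 64240, length 0
12:00:03.000001 IP 10.0.0.9.33000 > 192.0.2.10.22: Flags [P.], seq 1:10, ack 1, win 502, length 9
12:00:04.000001 IP6 2001:db8::1.55000 > 2001:db8::2.443: Flags [S], seq 1, win 64240, length 0
12:00:05.000001 IP 10.0.0.7.40002 > 192.0.2.10.443: Flags [F.], seq 10, ack 1, win 502, length 0
"""

# timestamp, "IP" or "IP6", "src > dst:", then the flags in square brackets
LINE_RE = re.compile(r"^\S+ IP6? (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]")


def split_host_port(endpoint: str):
    """tcpdump -n prints host.port for both IPv4 and IPv6; the port is the text
    after the last dot, which is why the shell script's $3 still carries it."""
    host, _, port = endpoint.rpartition(".")
    return host, int(port)


def is_initial_syn(flags: str) -> bool:
    """SYN set and ACK clear, the same condition as the script's capture filter
    (tcp-syn bit set, tcp-ack bit clear); ECN bits (E, W) do not matter."""
    return "S" in flags and "." not in flags


def top_synners(lines, n: int = 5):
    """Count initial SYNs per source host and return the n busiest, like the
    sort | uniq -c | sort -n | tail pipeline but with the port removed."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m is None or not is_initial_syn(m.group("flags")):
            continue  # non-TCP line, or not the first packet of a handshake
        host, _port = split_host_port(m.group("src"))
        counts[host] += 1
    return counts.most_common(n)


if __name__ == "__main__":
    for host, count in top_synners(SAMPLE_LINES.splitlines()):
        print(f"{count:7d} {host}")
```

Because the count is per host rather than per host.port, the three SYNs from 10.0.0.5 (two connections plus one retransmission) land in one bucket, which is what a "top synners" view needs; the SYN-ACK from the server and the plain ACK are excluded by the same rule the capture filter uses.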
4

I wanted to get only SYN packets myself; I used the following command:

tcpdump -i eth7 'tcp[13] & 2 != 0'

This should work for you straightaway.

jscott
Sidharth
  • This will capture any packets with the SYN flag set, including SYN, SYN-ACK, etc. If you want only SYN packets, use 'tcp[13] == 2' instead. Cheers! – JJC Aug 09 '12 at 00:34
1

It should show them without any filters or arguments.

Ablue
  • Your answer is technically correct, but the OP probably meant to include the word "only" in his question. ;-) Cheers! – JJC Aug 09 '12 at 00:38