
I'd like to use tcpdump with a filter for some long-running debugging. Specifically, I only want to capture packets with the following conditions:

  • First 10 packets or so of a new TCP connection (including handshake)
  • Anything odd (retransmissions, duplicate ACK, etc.)
  • Anything indicating a disconnection (FIN, RST, anything else)

The part I'm stuck on is the first X number of packets. Is it possible to write a PCAP filter for tcpdump (or similar tool) to do this? If so, how?

Brad
  • I think Wireshark is going to be a better tool for this task than tcpdump. – kasperd Feb 27 '16 at 09:01
  • @kasperd Don't they use the same capture filters? I'll be doing the analysis later in Wireshark, but I need to debug issues around disconnections for many connections that send gigs of traffic each. I'd quickly run out of disk space (assuming the disk could even keep up) if I capture everything. I was hoping to find a way to filter the pcap as I go. – Brad Feb 27 '16 at 16:50
  • I was considering the display filters in Wireshark. But given those additional requirements, I don't think Wireshark will solve the problem for you. You should update the question to include your concern about the amount of data. That is quite relevant to the question. – kasperd Feb 27 '16 at 16:54

1 Answer


The part I'm stuck on is the first X number of packets. Is it possible to write a PCAP filter for tcpdump (or similar tool) to do this?

No. Pcap filters are "stateless", meaning that they act on each packet independently of previous packets, and have no "state" (or memory) that remains available from packet to packet; the number of packets seen would be a form of state, and there's nothing of that sort that you can check in a pcap filter.

Retransmissions and duplicate ACKs would also require state to recognize, i.e. you'd have to remember the first transmission to check for retransmissions and remember the first ACK to check for duplicate ACKs.
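To make the "state" point concrete, here is an added example (not part of the original answer) of the kind of second, stateful pass that would have to run over an already captured stream, for instance the output of `tcpdump -w`, to keep only the first N packets of each connection, teardown segments, and retransmissions. Packet records are constructed tuples standing in for decoded headers; nothing here is a pcap filter, since BPF cannot carry this per-connection memory.

```python
from collections import defaultdict
from typing import NamedTuple

# TCP flag bits, matching tcpdump's tcp-fin, tcp-syn, tcp-rst, tcp-ack names
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


class Pkt(NamedTuple):
    """Decoded TCP packet fields needed for the selection (constructed)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int
    payload_len: int


def conn_key(p):
    """Direction-independent 4-tuple so both sides share one counter."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def select_packets(packets, first_n=10):
    """Return (packet, reasons) for packets worth keeping; needs state."""
    counts = defaultdict(int)   # packets seen per connection
    seen_seq = set()            # (direction, seq) of data segments already seen
    kept = []
    for p in packets:
        key = conn_key(p)
        counts[key] += 1
        reasons = []
        if counts[key] <= first_n:
            reasons.append("first-%d" % first_n)
        if p.flags & (FIN | RST):
            reasons.append("teardown")
        data_id = (p.src, p.sport, p.dst, p.dport, p.seq)
        if p.payload_len and data_id in seen_seq:
            reasons.append("retransmission")   # same data segment seen twice
        if p.payload_len:
            seen_seq.add(data_id)
        if reasons:
            kept.append((p, reasons))
    return kept


def sample_capture():
    """Constructed stream: handshake, 12 data segments, 1 retransmit, FIN."""
    c, s = ("10.0.0.1", 40000), ("10.0.0.2", 443)
    pk = [Pkt(*c, *s, SYN, 0, 0), Pkt(*s, *c, SYN | ACK, 0, 0), Pkt(*c, *s, ACK, 1, 0)]
    pk += [Pkt(*c, *s, ACK, 1 + i * 100, 100) for i in range(12)]
    pk.append(Pkt(*c, *s, ACK, 1 + 5 * 100, 100))    # retransmission of segment 6
    pk.append(Pkt(*c, *s, FIN | ACK, 1 + 12 * 100, 0))
    return pk
```

Of the 17 constructed packets, the pass keeps 12: the first 10 of the connection, the retransmitted segment, and the FIN.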