tcpdump capture new connections only

Question

I am using tcpdump to capture traffic from specific IP address. Is there the possibility to capture new connections only, meaning TCP streams that start with SYN packet?

Unfortunately not. tcpdump just captures packets as they arrive, it does not maintain any kind of session information to differentiate between TCP streams. You would need to analyse the capture in Wireshark if you want to separate streams (you can order by stream number for example). — Mark Riddell, Aug 24 '16 at 06:57
Be carefull, SYN bit is set in the two first packets of the TCP 3-Way Handshake. So, this filter will match all the new attempts to establish connections, not just the newly established connections. If somehow (software rule) the connection is not accepted it will also be shown. — Angel, Dec 02 '17 at 08:36

score 9 · Answer 1 · answered Aug 24 '16 at 06:57

9

To capture only TCP SYN packets:

# tcpdump -i <interface> "tcp[tcpflags] & (tcp-syn) != 0"

answered Aug 24 '16 at 06:57

pstrozniak

117
3

3

That will not capture all traffic for a new session. It will only capture SYN packets. – user5870571 Aug 25 '16 at 02:26

score 3 · Answer 2 · answered Jan 24 '20 at 21:21

The following will capture both TCP-SYN and SYN-ACK packets.

tcpdump -i <interface> "tcp[tcpflags] & (tcp-syn) !=0"

The following will only capture TCP-SYN packets.

tcpdump -i <interface> "tcp[tcpflags] & (tcp-syn) !=0 and tcp[tcpflags] & (tcp-ack) =0"

The reason is, SYN-ACK packets include both the SYN and ACK flags. The first filter only looked for the presence of a SYN flag.

If you want to filter on inbound only, add the -Q in option.

tcpdump -i <interface> -Q in "tcp[tcpflags] & (tcp-syn) !=0 and tcp[tcpflags] & (tcp-ack) =0"

tcpdump capture new connections only

2 Answers2