Capture only TCP SYN-ACK packets with tcpdump


Based on looking at the pcap-filter man page and especially the examples at the end I would suggest that the correct filter syntax to match packets which have at least both SYN and ACK are set would be:

tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn|tcp-ack

Your filter expression instead tried to match packets where the flags are equal to SYN and equal to ACK at the same time, which does not work since the flags cannot be equal to both at the same time; they can only contain both flags.

If you are interested in matching packets where the flags are equal to SYN+ACK and no other flags are set then you can also use the simpler syntax:

tcp[tcpflags] == tcp-syn|tcp-ack
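To make the difference between the three expressions concrete, here is an added Python example (not part of the original question or answer) that builds a few constructed TCP headers, reads the flags byte at offset 13 (which is what `tcp[tcpflags]` denotes), and evaluates the original `==`/`and` expression, the mask-based "at least SYN and ACK" expression, and the strict "exactly SYN+ACK" expression against them. The bit values are the standard TCP flag bits (SYN = 0x02, ACK = 0x10, ECE = 0x40); the packets and port numbers are made up for the demonstration.

```python
import struct

# Flag bit values exactly as pcap-filter's tcp-fin, tcp-syn, ... names them.
TCP_FIN = 0x01
TCP_SYN = 0x02
TCP_RST = 0x04
TCP_PSH = 0x08
TCP_ACK = 0x10
TCP_URG = 0x20
TCP_ECE = 0x40
TCP_CWR = 0x80

TCPFLAGS_OFFSET = 13  # tcp[tcpflags] is shorthand for tcp[13]


def tcp_header(src_port, dst_port, seq, ack, flags):
    """Build a minimal 20-byte TCP header (constructed sample, no options).
    Data offset is 5 words; window, checksum and urgent pointer are dummies."""
    data_offset_byte = 5 << 4
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset_byte, flags, 65535, 0, 0)


def tcpflags(header):
    """Equivalent of tcp[tcpflags]: the single flags byte of the header."""
    return header[TCPFLAGS_OFFSET]


def original_filter(header):
    """tcp[tcpflags] == tcp-syn and tcp[tcpflags] == tcp-ack
    One byte cannot equal two different values, so this is always False,
    which is why tcpdump reports 'expression rejects all packets'."""
    f = tcpflags(header)
    return f == TCP_SYN and f == TCP_ACK


def at_least_syn_ack(header):
    """tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn|tcp-ack
    Mask out everything except SYN and ACK, then require both to be set.
    Extra bits such as ECE do not matter."""
    return (tcpflags(header) & (TCP_SYN | TCP_ACK)) == (TCP_SYN | TCP_ACK)


def exactly_syn_ack(header):
    """tcp[tcpflags] == tcp-syn|tcp-ack
    The whole byte must be SYN+ACK and nothing else."""
    return tcpflags(header) == (TCP_SYN | TCP_ACK)


def classify(packets):
    """Apply each filter to a list of (label, header) pairs and return the
    labels each filter would let through, i.e. what tcpdump would print."""
    return {
        "original": [label for label, h in packets if original_filter(h)],
        "at_least_syn_ack": [label for label, h in packets if at_least_syn_ack(h)],
        "exactly_syn_ack": [label for label, h in packets if exactly_syn_ack(h)],
    }


# Constructed sample traffic: a three-way handshake, an ECN-capable SYN-ACK
# (SYN+ACK+ECE, as seen during ECN negotiation) and a RST-ACK.
SAMPLE_PACKETS = [
    ("syn", tcp_header(40000, 80, 1000, 0, TCP_SYN)),
    ("syn-ack", tcp_header(80, 40000, 5000, 1001, TCP_SYN | TCP_ACK)),
    ("ack", tcp_header(40000, 80, 1001, 5001, TCP_ACK)),
    ("syn-ack-ece", tcp_header(80, 40000, 5000, 1001, TCP_SYN | TCP_ACK | TCP_ECE)),
    ("rst-ack", tcp_header(80, 40000, 0, 1001, TCP_RST | TCP_ACK)),
]

if __name__ == "__main__":
    for name, matched in classify(SAMPLE_PACKETS).items():
        print(f"{name:18s} -> {matched}")
```

Running it shows the original expression matching nothing, the mask-based expression matching both the plain SYN-ACK and the SYN-ACK with ECE set, and the strict equality matching only the plain SYN-ACK. Which of the last two you want depends on whether ECN-negotiating handshakes should count; for capturing handshakes in general the mask-based form is the safer choice. When typing any of these filters on a shell, the `[`, `&`, `|` and `(` characters must be protected with single quotes, as the comments below point out.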
Author: red0ct

Updated on September 18, 2022

Comments

  • red0ct
    red0ct over 1 year

    I'm trying to capture only TCP SYN-ACK packets, i.e. with both SYN and ACK bits set with:

    tcpdump -vvvni eth0 tcp[tcpflags] == tcp-syn and tcp[tcpflags] == tcp-ack

    but it gives such error:

    tcpdump: expression rejects all packets

    I still can't figure out if there is a way to do it through the tcpdump.

    By the way, I tried to capture packets with just SYN flag set expecting there will be SYN-ACKs too (because there is no contradiction here), but there were only pure SYN packets (with only SYN bit set). So I need some way to see only SYN-ACKs, or SYNs and SYN-ACKs.

    P.S. it is about regular TCP over IPv4.

    • John
      John about 4 years
      Have you considered using a packet sniffer? Start with Wireshark. I use CommView (TamoSoft) and I can see such packets.
    • red0ct
      red0ct about 4 years
      @John Unfortunately I can't install additional soft to this particular VM. Btw is there a way to use it in terminal?
    • John
      John about 4 years
      What you are looking for is not just simple. I looked at tcpdump and did not see anything. What you want is more suited to a packet sniffer.
    • red0ct
      red0ct about 4 years
      @John tcpdump is a packet sniffer too. I don't see any complexity in logically filtering packets by the bits set in the header.
  • red0ct
    red0ct about 4 years
    There is a need for quotes in case of "syntax error near unexpected token '=='". Thanks a lot.
  • Steffen Ullrich
    Steffen Ullrich about 4 years
      @red0ct: Please make sure to properly quote the expression on the shell since it contains characters which have a special meaning for the shell. I.e. tcpdump -i eth0 -n 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn|tcp-ack'. "There is a need for quotes" - only if you use the filter syntax within a command on the shell. The filter itself does not need the quotes, the shell does.