Forum Discussion
TCPDump syntax to packet capture only initial TCP 3-way handshake
I need to capture packets for a specific source device, output to a .pcap file. It sends sporadically into the BIGIP LTM, so I'd like to leave a TCPDump running for 24 hours.
- Source IP Address = 192.168.1.18
- Destination port = 8000
Device file transfers large data set so I do not want to include that in my capture and risk running out of space. I simply want to capture TCP 3-way handshake during initial connection.
I need help with TCPDump syntax to accomplish this.
https://support.f5.com/kb/en-us/solutions/public/0000/400/sol411.html
1 Reply
- Hamish
Cirrocumulus
Google is your friend here. tcpdump is a standard Unix/Linux utility. So a quick google will reveal (Among Others)
How to capture TCP SYN, ACK and FIN packets with tcpdump
And from there...
To capture only TCP SYN packets:
tcpdump -i <interface> "tcp[tcpflags] & (tcp-syn) != 0"
To capture only TCP ACK packets:
tcpdump -i <interface> "tcp[tcpflags] & (tcp-ack) != 0"
To capture only TCP FIN packets:
tcpdump -i <interface> "tcp[tcpflags] & (tcp-fin) != 0"
To capture only TCP SYN or ACK packets:
tcpdump -i <interface> "tcp[tcpflags] & (tcp-syn|tcp-ack) != 0"
So your syntax would be something like...
tcpdump -i 0.0 -nn -p -e "host 192.168.1.18 and port 8000 and tcp[tcpflags] & (tcp-syn|tcp-ack) != 0"
H
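A filter on `(tcp-syn|tcp-ack) != 0` keeps every segment with ACK set, which includes the data transfer the question wants to leave out. The following is an added example (not from this thread or from F5) that keeps only segments with SYN set plus ACK-only segments carrying no payload, writes them with -w, and rotates the .pcap hourly so a 24-hour run cannot fill the disk. It assumes IPv4 (the ip[...]/tcp[...] byte offsets do not apply to IPv6), the BIG-IP "0.0" pseudo-interface, and a writable output directory; `handshake_filter` and `capture_handshakes` are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the DevCentral thread. Assumes IPv4 traffic,
# tcpdump on the BIG-IP with the "0.0" pseudo-interface, and a writable OUTDIR.

# Print a BPF expression for HOST/PORT that matches:
#   - any segment with SYN set (packets 1 and 2 of the handshake), and
#   - pure ACKs with no payload (packet 3; later empty ACKs are small and cheap).
# Data segments (payload length > 0) never match, so a bulk transfer is not stored.
handshake_filter() {
    host="$1"; port="$2"
    # TCP payload length = IP total length - IP header length - TCP header length
    payload_len='(ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2))'
    printf 'host %s and tcp port %s and (tcp[tcpflags] & (tcp-syn) != 0 or (tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst|tcp-push) == 0 and tcp[tcpflags] & (tcp-ack) != 0 and %s == 0))' \
        "$host" "$port" "$payload_len"
}

# Capture handshakes for 24 hours: -G rotates the file every 3600 s, -W 24 makes
# tcpdump exit after 24 files, and -s 128 truncates each frame to headers only as
# an extra guard against any payload slipping through the filter.
capture_handshakes() {
    host="$1"; port="$2"; outdir="${3:-/var/tmp}"
    filter=$(handshake_filter "$host" "$port")
    tcpdump -i 0.0 -nn -p -s 128 -G 3600 -W 24 \
        -w "$outdir/handshake_${host}_%Y%m%d_%H%M.pcap" "$filter"
}

# Usage: sh handshake.sh 192.168.1.18 8000 /var/tmp
if [ "$#" -ge 2 ]; then
    capture_handshakes "$@"
fi
```

Check the expression compiles on the box before the long run with `tcpdump -i 0.0 -d "$(sh handshake.sh_filter_only ...)"`, or simply run `handshake_filter` in an interactive shell and pass its output to `tcpdump -d`.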