Forum Discussion

James_Smith_299's avatar
James_Smith_299
Icon for Nimbostratus rankNimbostratus
Nov 22, 2016

TCPDump syntax to packet capture only initial TCP 3-way handshak

I'm needing to capture packets for a specific source device outputted to .pcap file. It sends sporadically into the BIGIP LTM so I'd like to leave a TCPDump running for 24 hours.   Source IP Addr...
application delivery
BIG-IP
TMSH
Hamish's avatar
Hamish
Icon for Cirrocumulus rankCirrocumulus
Nov 22, 2016

Google is your friend here. tcpdump is a standard Unix/Linux utility. So a quick google will reveal (Among Others)

How to capture TCP SYN, ACK and FIN packets with tcpdump

And form there...

To capture only TCP SYN packets:

 tcpdump -i  "tcp[tcpflags] & (tcp-syn) != 0"
To capture only TCP ACK packets:

 tcpdump -i  "tcp[tcpflags] & (tcp-ack) != 0"
To capture only TCP FIN packets:

 tcpdump -i  "tcp[tcpflags] & (tcp-fin) != 0"
To capture only TCP SYN or ACK packets:

 tcpdump -i  "tcp[tcpflags] & (tcp-syn|tcp-ack) != 0"

So your syntax would be something like...

tcpdump -i 0.0 -nn -p -e "host 192.168.1.18 and port 8000 and tcp[tcpflags] & (tcp-syn|tcp-ack) != 0"

H