tcpdump capture new connections only

Question

I am using tcpdump to capture traffic from specific IP address. Is there the possibility to capture new connections only, meaning TCP streams that start with SYN packet?

score 9 · Answer 1 · answered Aug 24 '16 at 06:57

9

To capture only TCP SYN packets:

# tcpdump -i <interface> "tcp[tcpflags] & (tcp-syn) != 0"

answered Aug 24 '16 at 06:57

pstrozniak

117

score 4 · Answer 2 · answered Jan 24 '20 at 21:21

The following will capture both TCP-SYN and SYN-ACK packets.

tcpdump -i <interface> "tcp[tcpflags] & (tcp-syn) !=0"

The following will only capture TCP-SYN packets.

tcpdump -i <interface> "tcp[tcpflags] & (tcp-syn) !=0 and tcp[tcpflags] & (tcp-ack) =0"

The reason is, SYN-ACK packets include both the SYN and ACK flags. The first filter only looked for the presence of a SYN flag.

If you want to filter on inbound only, add the -Q in option.

tcpdump -i <interface> -Q in "tcp[tcpflags] & (tcp-syn) !=0 and tcp[tcpflags] & (tcp-ack) =0"

tcpdump capture new connections only

2 Answers2