
I'm trying to capture only TCP SYN-ACK packets, i.e. with both SYN and ACK bits set with:

tcpdump -vvvni eth0 tcp[tcpflags] == tcp-syn and tcp[tcpflags] == tcp-ack

but it gives such error:

tcpdump: expression rejects all packets

I still can't figure out if there is a way to do it through tcpdump.

By the way, I tried to capture packets with just SYN flag set expecting there will be SYN-ACKs too (because there is no contradiction here), but there were only pure SYN packets (with only SYN bit set). So I need some way to see only SYN-ACKs, or SYNs and SYN-ACKs.

P.S. it is about regular TCP over IPv4.

  • Have you considered using a packet sniffer? Start with Wireshark. I use CommView (Tamosoft) and I can see such packets.
    – anon
    Commented Apr 15, 2020 at 16:50
  • @John Unfortunately I can't install additional software on this particular VM. Btw, is there a way to use it in a terminal?
    – red0ct
    Commented Apr 15, 2020 at 16:52
  • What you are looking for is not just simple. I looked at tcpdump and did not see anything. What you want is more suited to a packet sniffer.
    – anon
    Commented Apr 15, 2020 at 16:54
  • @John tcpdump is a packet sniffer too. I don't see any complexity about logically filtering packets by the bits set in the header.
    – red0ct
    Commented Apr 15, 2020 at 16:58

1 Answer


Based on looking at the pcap-filter man page, and especially the examples at the end, I would suggest that the correct filter syntax to match packets in which at least both SYN and ACK are set would be:

tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn|tcp-ack

Your filter expression instead tried to match packets where the flags are equal to SYN and equal to ACK at the same time, which does not work since the flags cannot be equal to both at the same time; they can only contain both flags.

If you are interested in matching packets where the flags are equal to SYN+ACK and no other flags are set then you can also use the simpler syntax:

tcp[tcpflags] == tcp-syn|tcp-ack
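The three filter expressions discussed above, replayed over constructed TCP headers as an added example (not code from the question or answer): it reads the flags byte the way tcpdump's tcp[tcpflags] does (byte 13 of the segment) and shows why the "at least SYN and ACK" form also matches a SYN-ACK carrying the ECE bit, why the "exactly SYN|ACK" form does not, and why the original "== tcp-syn and == tcp-ack" form can never match. The flag bit values are the standard TCP ones; the sample segments are constructed, not captured.

```python
import struct

# TCP flag bits, the same values tcpdump names tcp-fin, tcp-syn, ... (RFC 793 / RFC 3168)
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH = 0x01, 0x02, 0x04, 0x08
TCP_ACK, TCP_URG, TCP_ECE = 0x10, 0x20, 0x40


def tcp_flags(segment: bytes) -> int:
    """Flags byte of a raw TCP segment: tcpdump's tcp[tcpflags], i.e. tcp[13]."""
    return segment[13]


def at_least_syn_ack(flags: int) -> bool:
    # tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn|tcp-ack
    return (flags & (TCP_SYN | TCP_ACK)) == (TCP_SYN | TCP_ACK)


def exactly_syn_ack(flags: int) -> bool:
    # tcp[tcpflags] == tcp-syn|tcp-ack  (no other flag may be set)
    return flags == (TCP_SYN | TCP_ACK)


def original_expression(flags: int) -> bool:
    # tcp[tcpflags] == tcp-syn and tcp[tcpflags] == tcp-ack
    # One byte cannot equal 0x02 and 0x10 at once, so this is always False,
    # which is what "expression rejects all packets" reports.
    return flags == TCP_SYN and flags == TCP_ACK


def make_segment(flags: int, sport: int = 40000, dport: int = 443) -> bytes:
    # Constructed minimal 20-byte TCP header: ports, seq, ack, data offset 5,
    # flags, window, checksum 0, urgent 0. No options, no payload.
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


# Constructed sample segments of a handshake, including an ECN-capable SYN-ACK.
SAMPLES = {
    "SYN": make_segment(TCP_SYN),
    "SYN-ACK": make_segment(TCP_SYN | TCP_ACK, sport=443, dport=40000),
    "SYN-ACK+ECE": make_segment(TCP_SYN | TCP_ACK | TCP_ECE, sport=443, dport=40000),
    "ACK": make_segment(TCP_ACK),
}


def classify(segments=SAMPLES):
    """Map sample name -> (at_least, exactly, original) match results."""
    out = {}
    for name, seg in segments.items():
        f = tcp_flags(seg)
        out[name] = (at_least_syn_ack(f), exactly_syn_ack(f), original_expression(f))
    return out


if __name__ == "__main__":
    for name, (loose, exact, orig) in classify().items():
        print(f"{name:12s} at-least={loose!s:5} exact={exact!s:5} original={orig}")
```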
  • Quotes are needed in case of a syntax error near unexpected token '=='. Thanks a lot.
    – red0ct
    Commented Apr 15, 2020 at 17:04
  • @red0ct: Please make sure to properly quote the expression on the shell, since it contains characters which have a special meaning for the shell. I.e. tcpdump -i eth0 -n 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn|tcp-ack'. "There is a need in quotes" - only if you use the filter syntax within a command on the shell. The filter itself does not need the quotes, the shell does.
    Commented Apr 15, 2020 at 17:05
