Tcpdump: How to capture first two packets of tcp conversation (SYN/SYN+ACK)
Capturing only the SYN (first packet) of a TCP conversation:
Code:
$ sudo tcpdump -nni eth0 port 80 and tcp[13] == 2
09:26:23.044132 IP 181.210.53.36.24495 > 10.0.0.2.80: Flags [S], seq 4179562228, win 65535, options [mss 1280,nop,wscale 3,nop,nop,TS val 290512683 ecr 0,sackOK,eol], length 0
The same SYN-only filter, with the expression quoted so the shell passes the square brackets and `==` through to tcpdump untouched:
Code:
$ sudo tcpdump -nni eth0 port 80 and "tcp[13] == 2"
Capturing both SYN and SYN+ACK (the first two packets) of a TCP conversation with tcpdump:
Code:
$ sudo tcpdump -nni eth0 port 80 and 'tcp[13] & 2 == 2'
09:24:47.052301 IP 181.210.53.36.4896 > 10.0.0.2.80: Flags [S], seq 1906016236, win 65535, options [mss 1280,nop,wscale 3,nop,nop,TS val 290511723 ecr 0,sackOK,eol], length 0
09:24:47.052347 IP 10.0.0.2.80 > 181.210.53.36.4896: Flags [S.], seq 1199622835, ack 1906016237, win 5792, options [mss 1460,sackOK,TS val 724817121 ecr 290511723,nop,wscale 6], length 0
With this capture you can also see the TCP options negotiated in the handshake: MSS, selective ACK (sackOK), window scale and timestamps.
Why tcp[13]? Because the TCP flags byte sits at byte offset 13 (counting from 0) of the TCP header:
Code:
0                             15                               31
-----------------------------------------------------------------
|          source port          |       destination port        |
-----------------------------------------------------------------
|                        sequence number                        |
-----------------------------------------------------------------
|                     acknowledgment number                     |
-----------------------------------------------------------------
|  HL  |  rsvd  |C|E|U|A|P|R|S|F|          window size          |
-----------------------------------------------------------------
|         TCP checksum          |        urgent pointer         |
-----------------------------------------------------------------
Numbering the bits from right to left (FIN is bit 0, the least significant bit), the SYN flag is bit 1, i.e. 2^1 = 2, and ACK is bit 4, i.e. 2^4 = 16. That is why `tcp[13] == 2` matches only a packet in which SYN is the sole flag set, while `tcp[13] & 2 == 2` matches any packet with the SYN bit set, including SYN+ACK (2 + 16 = 18). Note that a SYN from an ECN-capable host also sets ECE and CWR (tcpdump shows it as Flags [SEW]), so it is caught by the bitmask form but not by `tcp[13] == 2`.
Code:
|C|E|U|A|P|R|S|F|
|---------------|
|7|6|5|4|3|2|1|0|   bit position (value 2^bit)
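The following Python script is an added example, not part of the original post or of tcpdump itself. It builds a few constructed IPv4+TCP headers (no link-layer header, so "packet" here means the raw IP packet), reads `tcp[13]` the way the filter does (by skipping the IP header length to find the TCP header), and applies the two filters from above plus a third, `tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn`, using the named flag constants from pcap-filter(7); that third filter goes beyond the post by also matching SYNs from ECN-capable hosts that set ECE and CWR. The `flags_string` helper renders the byte in the same letter order tcpdump uses for its `Flags [...]` field.

```python
import struct

# TCP flag bit values: F (FIN) is the rightmost, least significant bit of tcp[13].
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

# Letters tcpdump uses in its Flags [...] field, in the order it prints them.
FLAG_LETTERS = ((FIN, "F"), (SYN, "S"), (RST, "R"), (PSH, "P"),
                (ACK, "."), (URG, "U"), (ECE, "E"), (CWR, "W"))


def build_ipv4_tcp(flags, sport=40000, dport=80, ip_options=b""):
    """Constructed IPv4 + TCP headers (no payload) carrying the given flags byte.
    Checksums are left at zero: this is test data, not a real capture."""
    ihl_words = 5 + len(ip_options) // 4          # IHL counts 32-bit words
    total_len = ihl_words * 4 + 20
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl_words, 0, total_len, 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    # Data offset = 5 words: a 20-byte TCP header with no TCP options.
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def tcp_flags_byte(packet):
    """tcp[13]: the flags byte sits 13 bytes into the TCP header. tcpdump locates the
    TCP header by skipping the IP header length (IHL), and so do we."""
    ihl = (packet[0] & 0x0F) * 4
    return packet[ihl + 13]


def matches_syn_only(packet):
    """tcpdump filter 'tcp[13] == 2': SYN set and nothing else."""
    return tcp_flags_byte(packet) == 2


def matches_syn_set(packet):
    """tcpdump filter 'tcp[13] & 2 == 2': SYN set, other bits ignored (also SYN+ACK)."""
    return tcp_flags_byte(packet) & 2 == 2


def matches_syn_no_ack(packet):
    """tcpdump filter 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn': the first packet of
    a handshake, even when the client also sets ECE and CWR to negotiate ECN."""
    return tcp_flags_byte(packet) & (SYN | ACK) == SYN


def flags_string(packet):
    """Render the flags byte as tcpdump's Flags [...] field does, e.g. 'S.' for SYN+ACK."""
    byte = tcp_flags_byte(packet)
    return "".join(letter for bit, letter in FLAG_LETTERS if byte & bit)


if __name__ == "__main__":
    # Constructed sample packets covering the cases the filters treat differently.
    samples = {
        "client SYN":          build_ipv4_tcp(SYN),
        "server SYN+ACK":      build_ipv4_tcp(SYN | ACK, sport=80, dport=40000),
        "client SYN with ECN": build_ipv4_tcp(SYN | ECE | CWR),
        "plain ACK":           build_ipv4_tcp(ACK),
        "SYN with IP options": build_ipv4_tcp(SYN, ip_options=b"\x01\x01\x01\x01"),
    }
    for name, pkt in samples.items():
        print(f"{name:20s} tcp[13]=0x{tcp_flags_byte(pkt):02x} [{flags_string(pkt):4s}]"
              f" ==2:{matches_syn_only(pkt)!s:5} &2==2:{matches_syn_set(pkt)!s:5}"
              f" syn-no-ack:{matches_syn_no_ack(pkt)}")
```

Running the script shows the SYN+ACK and the ECN SYN both failing `== 2` while passing `& 2 == 2`, and the IP-options packet still being matched because the flags byte is located relative to the TCP header rather than at a fixed offset in the IP packet.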