Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides
Register
FAQ
It is currently Wed Dec 06, 2023 9:23 am

ROOT ‹ FreeBSD, Linux and AIX ‹ TCP/IP Networking ‹ Tcpdump: How to capture first two packets of tcp conversation (SYN/SYN+ACK)

Internet Protocol, Transport Control Protocol, Network protocols, Routing, Routers, IP aliases, Routes, Ethernet

Post a reply

Tcpdump: How to capture first two packets of tcp conversation (SYN/SYN+ACK)

« Previous topic | Next topic »
Author Message
debuser
  Post  Post subject: Tcpdump: How to capture first two packets of tcp conversation (SYN/SYN+ACK)  |  Posted: Wed Jun 13, 2012 5:32 am

Joined: Thu Aug 06, 2009 2:48 am
Posts: 105

Offline
 

Tcpdump: How to capture first two packets of tcp conversation (SYN/SYN+ACK)

Capturing only SYN (fist packet) of tcp conversation:
Code:
$ sudo tcpdump -nni eth0 port 80 and tcp[13] == 2

09:26:23.044132 IP 181.210.53.36.24495 > 10.0.0.2.80: Flags [S], seq 4179562228, win 65535, options [mss 1280,nop,wscale 3,nop,nop,TS val 290512683 ecr 0,sackOK,eol], length 0


How to capture only SYN packet with tcpdump:


Code:
$ sudo tcpdump -nni eth0 port 80 and "tcp[13] == 2"

Capturing both SYN and SYN+ACK (fist two packet) of tcp conversation with tcpdump:


Code:
$ sudo tcpdump -nni eth0 port 80 and 'tcp[13] & 2 == 2'
09:24:47.052301 IP 181.210.53.36.4896 > 10.0.0.2.80: Flags [S], seq 1906016236, win 65535, options [mss 1280,nop,wscale 3,nop,nop,TS val 290511723 ecr 0,sackOK,eol], length 0
09:24:47.052347 IP 10.0.0.2.80 > 181.210.53.36.4896: Flags [S.], seq 1199622835, ack 1906016237, win 5792, options [mss 1460,sackOK,TS val 724817121 ecr 290511723,nop,wscale 6], length 0


By using this tcpdump command, you can see the TCP options like MSS, selective ACK, window scale, timestamps.

Why tcp[13] ? Because the tcp flags byte is the 13th byte in the tcp header:

Code:
        0                            15                              31
       -----------------------------------------------------------------
       |          source port          |       destination port        |
       -----------------------------------------------------------------
       |                        sequence number                        |
       -----------------------------------------------------------------
       |                     acknowledgment number                     |
       -----------------------------------------------------------------
       |  HL   | rsvd  |C|E|U|A|P|R|S|F|        window size            |
       -----------------------------------------------------------------
       |         TCP checksum          |       urgent pointer          |
       -----------------------------------------------------------------



Starting from right to left (little endian) the SYN flag is 2^1:
Code:
                       |               |
                       |---------------|
                       |C|E|U|A|P|R|S|F|
                       |---------------|
                       |7   5   3     0|



Top
Display posts from previous:  Sort by  
 E-mail friendPrint view
Post a reply

Topics related to - "Tcpdump: How to capture first two packets of tcp conversation (SYN/SYN+ACK)"
 Topics   Author   Replies   Views   Last post 
There are no new unread posts for this topic. TCP ack after two packets

MichaM

2

2844

Tue Dec 13, 2016 10:04 am

humdrum View the latest post

There are no new unread posts for this topic. FreeBSD list the outgoing interface for packets to a specific IP destination

mandrei99

0

2951

Mon Jul 22, 2013 10:12 am

mandrei99 View the latest post

There are no new unread posts for this topic. Linux list the outgoing interface for packets to a specific IP destination

mandrei99

0

3303

Mon Jul 22, 2013 10:17 am

mandrei99 View the latest post

There are no new unread posts for this topic. Sendip packet crafting tool: How to send bad checksum TCP packets

mandrei99

2

4453

Wed Apr 15, 2015 2:02 am

lizamare View the latest post

There are no new unread posts for this topic. FreeBSD tcpdump on enc0 doesn't show any traffic

mandrei99

0

3762

Fri Jun 21, 2013 8:54 am

mandrei99 View the latest post

 

Who is online
Users browsing this forum: No registered users and 1 guest
You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum
Jump to:  
cronNews News Site map Site map SitemapIndex SitemapIndex RSS Feed RSS Feed Channel list Channel list


ROOT ‹ FreeBSD, Linux and AIX ‹ TCP/IP Networking
Delete all board cookies | The team | All times are UTC - 5 hours [ DST ]



phpBB SEO