Ethereal-users: Re: [ethereal-users] Filtering SYN Packets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Gilbert Ramirez <gram@xxxxxxxxxx>
Date: Thu, 28 Oct 1999 14:55:41 -0500
On Thu, Oct 28, 1999 at 02:37:57PM -0500, Roland Pabel wrote:
> 
> 
> Hi,
> I just joined this list , so please don't flame me if this question
> was posted five minutes ago.
> I would like to know a filter-rule that captures only the SYN
> packets, so that every connection attempt could be seen.
> thx
> Roland

The capture filters use libpcap filters which are documented in
the tcpdump manpage.

In that manpage, this example is given:

       To print the start and end packets (the SYN and FIN packets)
       of each TCP conversation that involves a non-local host.

              tcpdump 'tcp[13] & 3 != 0 and not src and dst net localnet'

They're using '3' as the bitmask. Bit 0 is FIN, bit 1 is SYN.
So, the libpcap filter for capturing only SYN packets should be:

	tcp[13] & 2 != 0

--gilbert
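A worked check of the filter arithmetic in the reply above, added here as an example and not part of the original thread. It builds constructed IPv4/TCP packets (placeholder 192.0.2.x addresses and ports, zeroed checksums), reads the byte that libpcap exposes as tcp[13], and evaluates the three filters discussed: the manpage's `tcp[13] & 3 != 0`, the suggested `tcp[13] & 2 != 0`, and a stricter variant. The helper names (build_packet, tcp_flags, matches_*) are this example's own, not anything from tcpdump or Ethereal. The stricter variant exists because `tcp[13] & 2 != 0` also matches the server's SYN-ACK, so each successful connection attempt shows up twice; requiring SYN set and ACK clear (`tcp[13] & 0x12 == 0x02`, or in current tcpdump `tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn`) keeps only the client's opening segment. Note also that libpcap's tcp[n] is relative to the start of the TCP header, so IP options do not shift the offset; the example includes a packet with IP options to show that the parser has to honour the IHL field to get the same result.

```python
import struct

# TCP flag bits in the byte at TCP header offset 13 (what libpcap reads as tcp[13]).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_packet(flags, ip_options=b""):
    """Constructed IPv4+TCP packet for testing (placeholder addresses/ports,
    zeroed checksums; neither matters for the flag check). ip_options must be
    a multiple of 4 bytes so the IHL field can describe it."""
    ihl_words = 5 + len(ip_options) // 4
    total_len = ihl_words * 4 + 20
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl_words,  # version 4, header length in 32-bit words
        0, total_len, 0, 0,
        64, 6, 0,              # TTL, protocol 6 = TCP, checksum (zeroed)
        bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]),
    ) + ip_options
    # 20-byte TCP header: data offset 5 in the high nibble of byte 12, flags in byte 13
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr


def tcp_flags(pkt):
    """Return the TCP flags byte, i.e. libpcap's tcp[13].
    The IP header length comes from IHL, so IP options are skipped correctly."""
    if pkt[9] != 6:
        raise ValueError("not a TCP packet")
    ip_hdr_len = (pkt[0] & 0x0F) * 4
    return pkt[ip_hdr_len + 13]


def matches_syn_fin_filter(pkt):
    # tcpdump manpage example: 'tcp[13] & 3 != 0' (SYN or FIN set)
    return tcp_flags(pkt) & (SYN | FIN) != 0


def matches_syn_filter(pkt):
    # the reply's filter: 'tcp[13] & 2 != 0' (SYN set; also matches SYN-ACK)
    return tcp_flags(pkt) & SYN != 0


def matches_initial_syn(pkt):
    # stricter: 'tcp[13] & 0x12 == 0x02' (SYN set, ACK clear -> client's first segment only)
    return tcp_flags(pkt) & (SYN | ACK) == SYN


if __name__ == "__main__":
    # Constructed sample traffic: a full handshake, a data segment and a teardown segment.
    samples = {
        "SYN":      build_packet(SYN),
        "SYN-ACK":  build_packet(SYN | ACK),
        "ACK":      build_packet(ACK),
        "PSH-ACK":  build_packet(PSH | ACK),
        "FIN-ACK":  build_packet(FIN | ACK),
        "SYN+opts": build_packet(SYN, ip_options=b"\x01" * 4),  # four NOP IP options
    }
    print(f"{'segment':10} {'&3!=0':>6} {'&2!=0':>6} {'&0x12==2':>9}")
    for name, pkt in samples.items():
        print(f"{name:10} {matches_syn_fin_filter(pkt)!s:>6} "
              f"{matches_syn_filter(pkt)!s:>6} {matches_initial_syn(pkt)!s:>9}")
```

The table the script prints makes the practical difference visible: the reply's filter is right for "show me every SYN", but for "show me every connection attempt once" the SYN-and-not-ACK form is the one to capture with.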