Ethereal-users: Re: [ethereal-users] Filtering SYN Packets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Jerry Talkington <jerryt@xxxxxxxxxx>
Date: Thu, 28 Oct 1999 12:53:52 -0700
* Roland Pabel (pabel@xxxxxxxxxxxxxxxxxxxxxx) done spit this rhetoric:
> Hi,
> I just joined this list, so please don't flame me if this question
> was posted five minutes ago.
> I would like to know a filter-rule that captures only the SYN
> Packages, so that every connection attempt could be seen.
> thx

Since ethereal uses the pcap syntax for captures (for now, at any rate),
you can use: 
tcp[13] & 2 != 0
to capture just frames that contain a SYN flag.

To only *display* packets with a SYN flag, you use:
frame[47 : 1] == 0x02

-- 
Jerry Talkington
NetCache Escalation Engineer
Network Appliance, Inc.

integration, n. 1: The act of combining various system elements so that 
		   they can crash concurrently.
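
Added example, not part of the original message: a Python emulation of the two filters above, run against constructed frames. It shows that the capture filter tests the SYN bit relative to the TCP header (so SYN-ACK also matches), while the display filter compares one byte at a fixed frame offset (14-byte Ethernet + 20-byte IP header + 13), so it matches only a bare SYN and misses frames whose IP header carries options. Function names, addresses and ports are assumptions made for the illustration.

```python
import struct

SYN, ACK = 0x02, 0x10

def build_frame(flags, ip_options=b""):
    """Constructed Ethernet/IPv4/TCP frame; addresses, ports, checksums are dummies."""
    eth = bytes(12) + b"\x08\x00"                    # dst MAC, src MAC, EtherType IPv4
    ihl = 5 + len(ip_options) // 4                   # IP header length in 32-bit words
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + 20, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + ip_options
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp

def capture_filter_matches(frame):
    """Emulates pcap 'tcp[13] & 2 != 0': offset 13 is relative to the TCP header."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return False                                 # not IPv4 or not TCP
    if struct.unpack("!H", frame[20:22])[0] & 0x1FFF:
        return False                                 # later fragment: no TCP header here
    tcp_start = 14 + (frame[14] & 0x0F) * 4          # honours the IP header length field
    return (frame[tcp_start + 13] & SYN) != 0        # any packet with the SYN bit set

def display_filter_matches(frame):
    """Emulates 'frame[47 : 1] == 0x02': one byte at a fixed offset from frame start."""
    return frame[47:48] == b"\x02"                   # exact match: SYN and nothing else

def compare(frame):
    """Returns (capture filter result, display filter result) for one frame."""
    return capture_filter_matches(frame), display_filter_matches(frame)

if __name__ == "__main__":
    cases = {
        "SYN": build_frame(SYN),
        "SYN-ACK": build_frame(SYN | ACK),
        "ACK": build_frame(ACK),
        # Three NOP options plus End-of-List push the TCP header 4 bytes later.
        "SYN + IP options": build_frame(SYN, b"\x01\x01\x01\x00"),
    }
    for name, frame in cases.items():
        cap, disp = compare(frame)
        print(f"{name:18} capture={cap!s:5} display={disp}")
```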