As a de-facto packet capture tool, tcpdump provides powerful and flexible packet filtering capabilities. The libpcap packet capture engine which tcpdump is based upon supports standard packet filtering rules such as 5-tuple packet header based filtering (i.e., based on source/destination IP addresses/ports and IP protocol type).
The packet filtering rules of tcpdump/libpcap also supports more general packet expressions, where arbitrary byte ranges in a packet are checked with relation or binary operators. For byte range representation, you can use the following format:
proto [ expr : size ]
"proto" can be one of well-known protocols (e.g., ip, arp, tcp, udp, icmp, ipv6). "expr" represents byte offset relative to the beginning of a specified protocol header. There exist well-known byte offsets such as tcpflags, or value constants such as tcp-syn, tcp-ack or tcp-fin. "size" is optional, indicating the number of bytes to check starting from the byte offset.
Using this format, you can filter TCP SYN, ACK or FIN packets as follows.
To capture only TCP SYN packets:
To capture only TCP ACK packets:
To capture only TCP FIN packets:
To capture only TCP SYN or ACK packets:
Subscribe to Ask Xmodulo
Do you want to receive Linux related questions & answers published at Ask Xmodulo? Enter your email address below, and we will deliver our Linux Q&A straight to your email box, for free. Delivery powered by Google Feedburner.
Did you find this tutorial helpful? Then please be generous and support Xmodulo!