Advanced TCP Filtering: Capturing Only SYN/ACK Packets with tcpdump

When working with network analysis, capturing specific TCP control packets is crucial for debugging connection issues. The TCP three-way handshake involves:

1. SYN → (Client initiates connection)
2. SYN-ACK ← (Server acknowledges)
3. ACK → (Client confirms)

The BPF (Berkeley Packet Filter) syntax to select packets with either of these flags set is:

tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) != 0'

Note that this matches any segment carrying SYN or ACK, which in practice is nearly every TCP segment (everything after the handshake carries ACK); the exact-match filters below narrow it to the handshake packets themselves.

For more granular control:

# Capture only SYN packets
tcpdump -i any 'tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack = 0'

# Capture only ACK packets
tcpdump -i eth1 'tcp[tcpflags] & tcp-ack != 0 and tcp[tcpflags] & tcp-syn = 0'

# Combined SYN-ACK packets (server responses); exact match: SYN and ACK set, no other flags
tcpdump -nnvXSs 0 'tcp[13] = 18'

When analyzing specific host traffic:

tcpdump -i enp0s3 'host 192.168.1.100 and (tcp[tcpflags] & (tcp-syn|tcp-ack) != 0)'

# Port-specific capture; & 18 == 18 requires both bits, but still matches if ECE/CWR are also set
tcpdump -i eth0 'port 443 and tcp[13] & 18 == 18'

A sample SYN-ACK packet shows these key fields:

Flags [S.] (SYN-ACK)
seq 1234567890
ack 1234567891
win 65535
options [mss 1460]

For high-traffic interfaces, add these optimizations:

tcpdump -i eth0 -s 96 -w syn_ack.pcap 'tcp[13] & 18 == 18'
# -s 96 captures only headers (enough for Ethernet + IPv4 + TCP with options)
# -w saves to file for later analysis

If filters aren't working:

  1. Verify interface name with tcpdump -D
  2. Check for VLAN tags needing adjustment
  3. Try -vvv for verbose decoding

When debugging network connections or analyzing handshakes, you often need to isolate specific TCP control packets. The SYN (synchronize) and ACK (acknowledge) flags are particularly important for connection establishment:

SYN = 0x02 (2 in decimal)
ACK = 0x10 (16 in decimal)

To capture only packets with SYN or ACK flags set, use this BPF filter:

tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-ack) != 0'

Alternatively, you can use the more explicit version:

tcpdump 'tcp[13] & 18 != 0'

# Capture SYN/ACK packets on eth0 and save to file
# (options go before the filter expression; everything after it is parsed as part of the filter)
tcpdump -i eth0 -w syn_ack.pcap 'tcp[13] & 18 != 0'

# Monitor live SYNs and ACKs with verbose output
tcpdump -nnv 'tcp[tcpflags] & (tcp-syn|tcp-ack) != 0'

Combine with other filters for precise captures:

# Capture SYN/ACK packets to/from specific port
tcpdump 'tcp[13] & 18 != 0 and port 443'

# Filter by IP and flags
tcpdump 'host 192.168.1.100 and tcp[13] & 18 != 0'
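The three filter forms used on this page (`& 18 != 0`, `& 18 == 18`, and `= 18`) behave quite differently on real traffic, and the difference is easiest to see by evaluating them against the raw flags byte. The following is an added example, not part of the original page and not tcpdump's own code: it builds a few constructed 20-byte TCP headers with Python's struct module, reads byte 13 exactly as the BPF expression `tcp[13]` does, and applies each filter, rendering the matches in tcpdump's `[S.]` notation. The header builder and the sample packets are constructed for illustration (no IP layer, no options, checksum left zero).

```python
import struct

# TCP flag bits in the byte at offset 13 of the TCP header. These are the
# values tcpdump's tcp-syn / tcp-ack names expand to (SYN = 0x02, ACK = 0x10).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH = 0x01, 0x02, 0x04, 0x08
TCP_ACK, TCP_URG, TCP_ECE, TCP_CWR = 0x10, 0x20, 0x40, 0x80

# Order and characters follow tcpdump's Flags [...] output: ACK is printed as "."
FLAG_CHARS = [(TCP_FIN, "F"), (TCP_SYN, "S"), (TCP_RST, "R"), (TCP_PSH, "P"),
              (TCP_ACK, "."), (TCP_URG, "U"), (TCP_ECE, "E"), (TCP_CWR, "W")]


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Constructed 20-byte TCP header without options; checksum and urgent pointer zero."""
    data_offset = 5 << 4  # header length in 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flags, window, 0, 0)


def tcp_flags(header):
    """tcp[13]: the flags byte the BPF expressions on this page index."""
    return header[13]


def flag_string(flags):
    """Render a flags byte the way tcpdump prints it, e.g. [S], [S.], [F.], [S.E]."""
    return "[" + "".join(ch for bit, ch in FLAG_CHARS if flags & bit) + "]"


# Each filter from the page as a predicate over the flags byte.
FILTERS = {
    "tcp[13] & 18 != 0": lambda f: f & 18 != 0,     # SYN or ACK set: nearly all traffic
    "tcp[13] & 18 == 18": lambda f: f & 18 == 18,   # SYN and ACK set, other flags allowed
    "tcp[13] = 18": lambda f: f == 18,              # exactly SYN+ACK and nothing else
    "tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack = 0":
        lambda f: f & TCP_SYN != 0 and f & TCP_ACK == 0,  # pure SYN (client hello)
}


def matches(filter_name, headers):
    """Return the tcpdump-style flag strings of the headers the named filter selects."""
    pred = FILTERS[filter_name]
    return [flag_string(tcp_flags(h)) for h in headers if pred(tcp_flags(h))]


# Constructed sample: a handshake, an ECN-negotiating SYN-ACK, a bare RST and a FIN-ACK.
SAMPLE_HEADERS = [
    build_tcp_header(42351, 80, 12345, 0, TCP_SYN),                       # [S]
    build_tcp_header(80, 42351, 67890, 12346, TCP_SYN | TCP_ACK),         # [S.]
    build_tcp_header(42351, 80, 12346, 67891, TCP_ACK),                   # [.]
    build_tcp_header(443, 50000, 1, 2, TCP_SYN | TCP_ACK | TCP_ECE),      # [S.E]
    build_tcp_header(80, 42351, 0, 0, TCP_RST),                           # [R]
    build_tcp_header(42351, 80, 12400, 67900, TCP_FIN | TCP_ACK),         # [F.]
]


def summarize(headers=SAMPLE_HEADERS):
    """Map each filter to the list of packets it would let through."""
    return {name: matches(name, headers) for name in FILTERS}


if __name__ == "__main__":
    for name, hits in summarize().items():
        print(f"{name:<62} -> {' '.join(hits) or '(none)'}")
```

Run stand-alone it prints one line per filter: `& 18 != 0` passes five of the six packets (everything except the bare RST), `& 18 == 18` passes the two SYN-ACKs including the one with ECE set, and `= 18` passes only the plain SYN-ACK. That is the reason to prefer the exact form when the goal is "server handshake responses" rather than "almost all TCP".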

Sample output explanation:

12:34:56.789 IP 192.168.1.1.42351 > 10.0.0.1.80: Flags [S], seq 12345
12:34:56.790 IP 10.0.0.1.80 > 192.168.1.1.42351: Flags [S.], seq 67890, ack 12346

[S] indicates SYN packet, [S.] indicates SYN-ACK (both SYN and ACK flags set).

If filters don't work as expected:
- Verify interface permissions with sudo
- Check for NIC promiscuous mode support
- Test with -vv for detailed parsing information