How to capture ack or syn packets by Tcpdump?

The pcap filter syntax used for tcpdump should work exactly the same way on wireshark capture filter.

With tcpdump I would use a filter like this.

tcpdump "tcp[tcpflags] & (tcp-syn|tcp-ack) != 0"

Check out the tcpdump man page, and pay close attention to the tcpflags.

Be sure to also check out the sections in the Wireshark Wiki about capture and display filters. Unfortunately the two types of filters use a completely different syntax, and different names for the same thing.

If you wanted a display filter instead of capture filter you would probably need to build an expression combining tcp.flags.ack, and tcp.flags.syn. I am far more familiar with capture filters though, so you'll have to work that out on your own.

• http://wiki.wireshark.org/DisplayFilters
  • Display filter ref: http://www.wireshark.org/docs/dfref/
  • TCP display ref: http://www.wireshark.org/docs/dfref/t/tcp.html
• http://wiki.wireshark.org/CaptureFilters

While @Zoredache's answer is nice and complete, note that that syntax will yield any packets that have the TCP SYN or the TCP ACK flag set, including packets which are not strictly just plain "TCP SYN" or "TCP ACK" packets, because they also have other flags set. This may or may not be what you (or future readers) intended. For example, that syntax will also capture TCP SYN-ACK packets, TCP FIN-ACK, etc. If you want only TCP SYN or TCP ACK packets (i.e. JUST one of those flags set), the proper capture filter syntax is:

'tcp[tcpflags] == tcp-syn or tcp[tcpflags] == tcp-ack'

Equivalently:

'tcp[13] == 2 or tcp[13] == 16'

Cheers!