TCPDUMP capture new connections only

tcpdump

I am using TCPDUMP to capture traffic from specific IP address. Is there the possibility to capture new connections only, meaning TCP streams that start with SYN packet?

Thank you


Solution 1:

To capture only TCP SYN packets:

# tcpdump -i <interface> "tcp[tcpflags] & (tcp-syn) != 0"

Solution 2:

The following will capture both TCP-SYN and SYN-ACK packets.

tcpdump -i <interface> "tcp[tcpflags] & (tcp-syn) !=0"

The following will only capture TCP-SYN packets.

tcpdump -i <interface> "tcp[tcpflags] & (tcp-syn) !=0 and tcp[tcpflags] & (tcp-ack) =0"

The reason is, SYN-ACK packets include both the SYN and ACK flags. The first filter only looked for the presence of a SYN flag.

If you want to filter on inbound only, add the -Q in option.

tcpdump -i <interface> -Q in "tcp[tcpflags] & (tcp-syn) !=0 and tcp[tcpflags] & (tcp-ack) =0"

Related

dist-upgrade fails on libc6 because "kernel too old"
How to handle Redis raising memory fragmentation?
ZFS stripe on top of hardware RAID 6. What could possibly go wrong?
SQL Server Reporting Services (SSRS) IP Handling on Multi-Instance Servers
Digital Ocean CentOS7 server, unable to --skip-grant-tables or restart mysql
ZFS delete snapshots with interdependencies and clones
Yum: How to show "Command Line" column in "Yum history list all" output?
systemd, per-user cpu and/or memory limits
Interpreting DHCP related message from rsyslog
HSTS and double redirect
Is it safe to run do-release-upgrade on a cloud VM?
Does RDS in private subnet inside AWS VPC need a NAT instance/gateway?