19.8. Capturing TCP Flags with tcpdump

The syntax for tcpdump filters is pretty easy to understand, until you come to the part about filtering on specific TCP flags, like SYN, ACK, RST, and so forth. Then, it goes all bizarre. How do you know what to use?

The tcpdump manpage explains how to calculate the correct values for TCP flags: tcp[13] is byte 13 (counting from zero) of the TCP header, which is the flags byte, and each flag is one bit of it, so FIN is 1, SYN is 2, RST is 4, PSH is 8, ACK is 16, and URG is 32. You are welcome to study the manpage and work them out from scratch. Or, you can copy them from here.

Capture all SYN packets:

	# tcpdump 'tcp[13] & 2 != 0'

Capture all ACK packets:

	# tcpdump 'tcp[13] & 16 != 0'

Capture all SYN-ACK packets:

	# tcpdump 'tcp[13] = 18'

Capture all FIN packets:

	# tcpdump 'tcp[13] & 1 != 0'

Capture all URG packets:

	# tcpdump 'tcp[13] & 32 != 0'

Capture all PSH packets:

	# tcpdump 'tcp[13] & 8 != 0'

Capture all RST packets:

	# tcpdump 'tcp[13] & 4 != 0'

These may be combined with other filtering options such as ports, hosts, and networks, just like in the previous recipe.

One caveat: tcp[13] = 18 matches only packets whose flags byte is exactly SYN plus ACK. A SYN-ACK from a host negotiating ECN also carries the ECE bit (flags byte 82), and an ECN-setup SYN carries ECE and CWR (194), so an exact comparison silently misses them. Masking first, tcp[13] & 18 = 18, catches SYN-ACKs whatever else is set. Likewise, tcp[13] & 2 != 0 matches SYN-ACKs as well as bare SYNs; use tcp[13] & 18 = 2 to see only SYNs that are not also ACKs. Newer versions of tcpdump let you write the same tests with names instead of numbers:

	# tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-ack) = (tcp-syn|tcp-ack)'
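To check the arithmetic behind these filters without root or a live interface, here is an added example (not from the book) that builds a few raw TCP headers and evaluates the same tcp[13] tests that BPF performs. The sample ports and sequence numbers are made up, and the two mask-based variants at the end of the table are additions that show why the exact-match SYN-ACK filter misses ECN-marked handshakes.

```python
"""Mirror the recipe's tcpdump flag filters in Python (added example).

Constructs raw TCP headers with struct and evaluates the same tests on
byte 13 that the tcpdump expressions perform, so the flag values can be
checked offline.
"""
import struct

# Bit values of the TCP flags byte. tcpdump's tcp[13] reads exactly this
# byte: offset 13 of the TCP header (RFC 793; ECE/CWR from RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
FLAG_NAMES = [(CWR, "CWR"), (ECE, "ECE"), (URG, "URG"), (ACK, "ACK"),
              (PSH, "PSH"), (RST, "RST"), (SYN, "SYN"), (FIN, "FIN")]

# Each tcpdump filter from the recipe, expressed as a test on the flags
# byte, plus two mask-based variants (assumed useful, not in the recipe).
FILTERS = {
    "tcp[13] & 2 != 0":  lambda f: f & 2 != 0,    # any SYN, SYN-ACK included
    "tcp[13] & 16 != 0": lambda f: f & 16 != 0,   # any ACK
    "tcp[13] = 18":      lambda f: f == 18,       # exactly SYN+ACK, nothing else
    "tcp[13] & 1 != 0":  lambda f: f & 1 != 0,    # FIN
    "tcp[13] & 32 != 0": lambda f: f & 32 != 0,   # URG
    "tcp[13] & 8 != 0":  lambda f: f & 8 != 0,    # PSH
    "tcp[13] & 4 != 0":  lambda f: f & 4 != 0,    # RST
    "tcp[13] & 18 = 18": lambda f: f & 18 == 18,  # SYN+ACK, other bits ignored
    "tcp[13] & 18 = 2":  lambda f: f & 18 == 2,   # SYN without ACK, other bits ignored
}


def tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Build a minimal 20-byte TCP header with no options.

    Layout follows RFC 793, so the flags land at byte offset 13, which is
    what tcp[13] reads. Checksum and urgent pointer are left zero: this is
    a constructed header for exercising filters, not a sendable packet.
    """
    data_offset = 5 << 4  # header length in 32-bit words, upper nibble of byte 12
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags, window, 0, 0)


def flags_byte(header: bytes) -> int:
    """Return tcp[13] for a raw TCP header."""
    return header[13]


def decode_flags(f: int) -> str:
    """Name the flags set in a flags byte, e.g. 0x52 -> 'ECE ACK SYN'."""
    return " ".join(name for bit, name in FLAG_NAMES if f & bit) or "none"


def matching_filters(header: bytes) -> list:
    """Filter expressions that would select this header, in table order."""
    f = flags_byte(header)
    return [expr for expr, test in FILTERS.items() if test(f)]


# Constructed sample headers (ports and sequence numbers are made up).
SAMPLES = {
    "syn":         tcp_header(40000, 80, 1000, 0, SYN),
    "syn-ecn":     tcp_header(40000, 80, 1000, 0, SYN | ECE | CWR),        # ECN-setup SYN
    "syn-ack":     tcp_header(80, 40000, 5000, 1001, SYN | ACK),
    "syn-ack-ecn": tcp_header(80, 40000, 5000, 1001, SYN | ACK | ECE),    # ECN-setup SYN-ACK
    "psh-ack":     tcp_header(40000, 80, 1001, 5001, PSH | ACK),
    "fin-ack":     tcp_header(40000, 80, 1200, 5001, FIN | ACK),
    "rst":         tcp_header(80, 40000, 5001, 0, RST),
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        f = flags_byte(hdr)
        print(f"{name:12} tcp[13]=0x{f:02x} ({f:3d}) {decode_flags(f):12} "
              f"matches: {', '.join(matching_filters(hdr))}")
```

Running it shows the ECN SYN-ACK (flags byte 82) matched by tcp[13] & 18 = 18 but not by tcp[13] = 18, which is the case to keep in mind when a host you are investigating negotiates ECN.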

There are several scenarios where you'll want to look for certain TCP flags, such as when you're investigating suspicious activity, or having problems with misconfigured services sending the wrong responses. Another way to do this sort of filtering is to capture a lot of data with minimal filtering and dump it to a file with the -w switch, then examine the file in Wireshark. Then, you'll be able to filter the same set of data several different ways without having to get a new capture each time.

Using Wireshark to analyze and filter a tcpdump capture is probably the most flexible and powerful method available. Figure 19-2 shows my favorite feature, Follow TCP Stream, which lets you pluck a single TCP conversation out of all the masses of data you've collected. Wireshark accepts the same capture filters as tcpdump, and has lots of nice graphical menus to help you put them together. Its display filters, applied after the capture, use a different syntax, so the SYN-ACK filter above becomes tcp.flags.syn == 1 && tcp.flags.ack == 1 there.

You may prefer to use Wireshark in place of tcpdump entirely. If you're running any headless boxes or servers without X Windows, you'll still want to know how to use tcpdump.