How to select syn packets going to given destination port with tcpdump

Question

I'm trying to capture syn packets going to a given destination port with tcpdump with the following command :

tcpdump dst port 80 "(tcp-syn) !=0"

but it says

tcp: syntax error

Any idea how to select those two filters ?

score 3 · Accepted Answer · answered Jul 27 '16 at 12:38

3

There are two problems with your command:

You're missing logical operator and between port and packet type
tcp-syn is a constant - because of this the comparison in quotes is always true.

This should behave correctly:

tcpdump dst port 80 and "tcp[tcpflags] & tcp-syn != 0"

answered Jul 27 '16 at 12:38

Marek Rost

yeah I found that out thanks, can you take a look at another thread maybe you could help me http://unix.stackexchange.com/questions/298619/why-tcpdump-captures-many-packets-with-tcp-syn-0-but-not-with-tcptcpfla – ChiseledAbs Jul 27 '16 at 12:41

1 Answers1