How to capture tcp 3 way handshake

Question

I'm looking to capture the conversation between 2 hosts that contains the 3 way handshake. I'm not sure if this would be doable with a capture filter. Or maybe it's a display filter. I'm thinking something like: tcp.flags == 0x02 | tcp.flags == 0x10 But I don't know if this is just a display capture. It doesn't seem to be recognized in capture filter box. Or maybe the concept is to to set a display filter of tcp.flags == 0x02 | tcp.flags == 0x10 and then capture all traffic and only this syn, syn ack, or ack will be displayed.

Answer 1

You could try "tcp[13] & 2!=0" as a capture filter, which worked fine when I just tested it, at least for SYN and SYN/ACK packets. The third packet (ACK) of the handshake might be a problem because you can't just filter on ack flags - it would give you all further packets because they will probably all carry an ACK flag.

I think the other filters you mentioned are all display filters.

Answer 2

I was able to take advantage of what you said Kurt with LUA.

I think I have it working. Maybe someone can run my LUA script to capture TCP handshake.

My command to run tshark from DOS:

tshark -X lua_script:dumptofile_ack_packet.lua -i 4 -o tcp.relative_sequence_numbers:TRUE

where my interface number is 4. Run tshark -D to list interfaces.
This needs to be terminated with CTL-C

dumptofile_ack_packet.lua is LUA script as shown below

-- Create a file named ackpackets.cap (works for tshark only)
-- Dump file is created for all packets captured.
-- Display packets with a capture filter that adheres to display filter syntax 
firsttime = true
firstclose = false
setdumpers = true
dumpers = {}  
dumpfile={}
–Set filter to use as capture filter on next line
filter = "(tcp.flags == 0x02 && tcp.seq == 0) || (tcp.flags == 0x12 && tcp.seq == 0) || (tcp.flags == 0x10 && tcp.seq == 1)"  – syn ack
– tcp.flags
– 0x10 = ack
– 0x02 = syn
– 0x12 = syn ack
–first frame
–syn, seq = 0
–tcp.flags = 0x02  tcp.seq = 0
–second frame
–syn ack, seq = 0
–tcp.flags = 0x12
–tcp.seq = 0
–third frame
–ack, seq = 1
–tcp.flags = 0x10
–tcp.seq = 1
– Run tshark as shown on the following line
– tshark -X lua_script:dumptofile_ack_packet.lua -i 4 -o tcp.relative_sequence_numbers:TRUE
do
    --local dumpers = {}    
    local function init_listener()
            local tap = Listener.new(&quot;frame&quot;, filter)
            --tap = Listener.new(&quot;frame&quot;, filter)
            --A Listener, is called once for every packet that matches a certain filter or has a certain tap. 
            --It can read the tree, the packet&#39;s Tvb eventually the tapped data but it cannot add elements to the tree. 
            -- Listener.new([tap], [filter])
            -- Creates a new Listener listener
            -- tap (optional)
            --The name of this tap 
            -- filter (optional)
            --A filter that when matches the tap.packet function gets called (use nil to be called for every packet) 
            -- This case I&#39;m filtering for ip
            --Returns
            --The newly created Listener listener object

            -- we will be called once for every IP Header.
            -- If there&#39;s more than one IP header in a given packet we&#39;ll dump the packet once per every header
            function tap.packet(pinfo,tvb,ip)
            --listener.packet
            --A function that will be called once every packet matches the Listener listener filter. 
            --function tap.packet(pinfo,tvb,userdata) ... end 
            --Packet information

            --pinfo.number
            --The number of this packet in the current file
            --tvb
            --The buffer to dissect 
                    -- local means a variable local to this function

                    dumpersindex = &quot;ttt&quot;
                    local filename
                    filename =&quot;ackpackets.cap&quot;
                    --local dumpfile

                   if setdumpers == true then

                    dumpfile = dumpers[dumpersindex]
                    setdumpers = false

                   end

                    -- Saving capture files 
                    -- dumpers
                    --Dumper.new(filename, [filetype], [encap])
                    --Creates a file to write packets. Dumper:new_for_current() will probably be a better choice. 
                    --Arguments
                    --filename
                    --The name of the capture file to be created

                    --filetype (optional)
                    --The type of the file to be created

                    --encap (optional)
                    --The encapsulation to be used in the file to be created

                    -- The case below is just the file name
                    -- where dir is a variable of the directory
                    -- ip_src is a variable which was from
                    -- tap variable ip.src

                        if  firsttime == true then

                            dumpfile = Dumper.new_for_current( filename )
                           firsttime=false

                        end  -- end if  firsttime == true then

                    --dumper:dump_current()
                    --Dumps the current packet as it is

                    dumpfile:dump_current()

                    --dumper:flush()
                    --Writes all unsaved data of a dumper to the disk
                   -- dumpfile:flush()

                    --Now same for destination IP address to a seperate file

            end  -- end function tap.packet(pinfo,tvb,ip)

            --listener.draw
            --A function that will be called once every few seconds to redraw the gui objects in tshark this funtion is 
            --called oly at the very end of the capture file. function tap.draw(userdata) ... end 
            function tap.draw()

            end  -- end function tap.draw()

           function tap.reset()
           --listener.reset
           -- A function that will be called at the end of the capture run. function tap.reset(userdata) ... end

                 --   dumpers = {}
            end  -- end function tap.reset()
    end
    init_listener()

end  – do loop
dumpfile:flush()
dumper:close()

Answer 3

I'm looking to capture the conversation between 2 hosts that contains the 3 way handshake. I'm not sure if this would be doable with a capture filter.

to be specific: it's not possible to capture only the full 3-way handshake (SYN,SYN-ACK,ACK), as it's impossible to identify the single ACK in the handshake with tcpdump. The best you can achive is what Jasper suggested. This will capture the SYN and the SYN-ACK, however not the final ACK of the 3-way handshake.

The same holds true for Wireshark display filters. Even there it is not possible to capture/filter the final ACK of the 3-way handshake, without getting the rest of the communication (ACK flag set) as well.

You could do it with a Listener in Lua, but that would require some programming.

Regards
Kurt

Answer 4

You can't do this with a capture filter. Make sure Wireshark is using relative sequence numbers and then enter the following display filter:

(tcp.flags.syn==1 ) || (tcp.flags == 0x0010 && tcp.seq==1 && tcp.ack==1)

Update: Further testing shows that this display filter will display what you want most of the time, but it's not perfect. It will miss the third packet of the handshake if that packet contains data and the PSH bit is set, for example. It will also display the first packet in each direction of a TCP stream whose three-way handshake is not present in the trace file.

Answer 5

How about this one?

((tcp.flags.syn eq 1) || (tcp.seq eq 1 && tcp.ack eq 1 && frame.protocols == "eth:ip:tcp" && !tcp.flags.fin eq 1))

Requires "Relative sequence numbers" in TCP Protocol Preferences.

Answer 6

I managed to come up with a pcap filter expression that captures the whole TCP setup 3-way handshake - it relies on knowing the value for window size that will be set in the 3rd packet of the handshake. For the Linux 3.8.11-ec2 kernel servers I was capturing on, this value is 0x01c9.

The capture expression matches: any packet containing the syn flag set (first two packets of the handshake) and packets that are < 68 bytes long, have only the ack flag set and have the window size set to 0x01c9 (captures only the third packet).

The capture filter expression is therefore: "( tcp[tcpflags] & tcp-syn != 0 ) or ( tcp[tcpflags] = tcp-ack and less 68 and tcp[14:2] == 0x01c9 )"

Answer 7

what about

tcp.flags==0x2 || tcp.flags==0x12 || tcp.flags==0x10 and tcp.seq<=1 and tcp.ack<=1 and not nbss

with relative sequence numbers?

Answer 8

0

This works

((tcp.flags == 0x0002) && (tcp.seq == 0)) || ((tcp.flags == 0x0012) && (tcp.seq == 0)) || ((tcp.flags == 0x0010) && (tcp.seq == 1))

answered 12 Jun '16, 00:47

gopi1828
11●1●1●3
accept rate: 0%

it seems there are also some ACK-only packets not related to the 3-way handshake

maybe this should works better

((tcp.flags == 0x0002 || tcp.flags == 0x0012) && tcp.seq == 0) || (tcp.flags == 0x0010 && tcp.seq == 1 && tcp.ack <=1)

thanks

(13 Jun '16, 06:14) Gian Matteo ...

Both still give you too many packets in some situations, e.g. FTP data tranfers where the receiver/client doesn't send anything at all.

Check out https://blog.packet-foo.com/2015/03/advanced-display-filtering/

Also, the original question is about capture filtering, not display filtering.

(13 Jun '16, 09:47) Jasper ♦♦