I have been working at a client site where I am only interested in capturing SYN frames. I was unable to locate any way to set a capture filter that would accomplish this task. I was wondering if there is a way to capture using offset to the point where the TCP SYN flag is...?
In display filter, I was able to set a filter "flags.tcp.syn", but for some reason, it did not show me only SYN frames but a lot of what looked like PSH ACK frames as well.
Thanks for any advice or recommendations on how to capture just the SYN frames.
asked 22 Sep '10, 11:36
The filter "tcp.flags.syn" will select all the frames that have the flag tcp.flags.syn, which will be every TCP packet. What you want to filter on is "tcp.flags.syn==1" to make sure you only select the frames which have the SYN bit set. You might even want to add "... and tcp.flags.ack==0" to make sure you only select the SYN packets and not the SYN/ACK packets.
Now, back to the capture filter. You can use the filter "tcp[0xd]&2=2" which will capture all the frames with the SYN bit set (SYN as well as SYN/ACK). Or use "tcp[0xd]&18=2" to capture only SYN packets.
answered 22 Sep '10, 11:55
edited 15 Feb '11, 12:10
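The byte-offset logic behind the answer's capture filters, as an added example that is not part of the original post: it builds a few constructed TCP headers and evaluates the same tests as "tcp[0xd]&2=2", "tcp[0xd]&18=2" and the display filters against the flags byte at offset 13. The port and sequence numbers are arbitrary sample values.

```python
import struct

# TCP flag bits of the flags byte, which sits at offset 13 (0xd) of the TCP
# header; that byte is what the capture filter "tcp[0xd]" reads.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def build_tcp_header(flags, src_port=40000, dst_port=80, seq=1, ack=0):
    """Build a minimal 20-byte TCP header (constructed sample, no options)."""
    data_offset_byte = 5 << 4  # header length 5 words, reserved bits zero
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset_byte, flags, 65535, 0, 0)

def capture_any_syn(tcp):
    """Same test as the capture filter "tcp[0xd]&2=2": SYN bit set."""
    return tcp[13] & 2 == 2

def capture_pure_syn(tcp):
    """Same test as "tcp[0xd]&18=2": 18 = 0x12 = SYN|ACK, so SYN set, ACK clear."""
    return tcp[13] & 18 == 2

def display_flags_syn_present(tcp):
    """Display filter "tcp.flags.syn" alone only asks whether the field exists,
    which holds for every TCP segment, so it never narrows the view."""
    return len(tcp) >= 14

def display_syn_only(tcp):
    """Display filter "tcp.flags.syn==1 and tcp.flags.ack==0"."""
    return bool(tcp[13] & SYN) and not (tcp[13] & ACK)

# Constructed sample segments covering the cases discussed in the answer.
SAMPLES = {
    "SYN": build_tcp_header(SYN),
    "SYN/ACK": build_tcp_header(SYN | ACK, src_port=80, dst_port=40000, ack=2),
    "PSH/ACK": build_tcp_header(PSH | ACK, ack=2),
    "ACK": build_tcp_header(ACK, ack=2),
}

def matching(predicate):
    """Return the names of the sample segments a filter predicate keeps."""
    return [name for name, tcp in SAMPLES.items() if predicate(tcp)]

if __name__ == "__main__":
    for text, pred in [("tcp[0xd]&2=2", capture_any_syn),
                       ("tcp[0xd]&18=2", capture_pure_syn),
                       ("tcp.flags.syn", display_flags_syn_present),
                       ("tcp.flags.syn==1 and tcp.flags.ack==0", display_syn_only)]:
        print(f"{text:40} -> {matching(pred)}")
```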