This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

how to capture only SYN frames


I have been working at a client site where I am only interested in capturing SYN frames. I was unable to locate any way to set a capture filter that would accomplish this task. I was wondering if there is a way to capture using an offset to the point where the TCP SYN flag is...?

In the display filter, I was able to set a filter "flags.tcp.syn", but for some reason, it did not show me only SYN frames but a lot of what looked like PSH ACK frames as well.

Thanks for any advice or recommendations on how to capture just the SYN frames.

kmnruser

asked 22 Sep '10, 11:36


kmnruser
accept rate: 0%


One Answer:


The filter "tcp.flags.syn" will select all the frames that have the flag tcp.flags.syn, which will be every TCP packet. What you want to filter on is "tcp.flags.syn==1" to make sure you only select the frames which have the SYN bit set. You might even want to add "... and tcp.flags.ack==0" to make sure you only select the SYN packets and not the SYN/ACK packets.

Now, back to the capture filter. You can use the filter "tcp[0xd]&2=2" which will capture all the frames with the SYN bit set (SYN as well as SYN/ACK). Or use "tcp[0xd]&18=2" to capture only SYN packets.

answered 22 Sep '10, 11:55


SYN-bit ♦♦
accept rate: 20%

edited 15 Feb '11, 12:10
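To show why the capture filters in the answer work, here is an added example (not from the original post or from Wireshark) that builds a few constructed 20-byte TCP headers and applies the same byte-13 mask tests that "tcp[0xd]&2=2" and "tcp[0xd]&18=2" perform in BPF, alongside the "tcp.flags.syn==1 and tcp.flags.ack==0" display-filter logic. Port and sequence numbers are made-up sample values.

```python
import struct

# Byte 13 (0xd) of the TCP header holds the flag bits; the low six are
# URG(0x20) ACK(0x10) PSH(0x08) RST(0x04) SYN(0x02) FIN(0x01).
FLAGS_OFFSET = 0x0D
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_tcp_header(flags, sport=40000, dport=80, seq=1, ack=0, win=65535):
    """Construct a minimal 20-byte TCP header (no options) with the given flags.
    Constructed sample input, not a captured packet."""
    data_offset = 5 << 4  # header length of 5 x 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flags, win, 0, 0)


def bpf_syn_or_synack(tcp):
    """tcp[0xd]&2=2: SYN bit set, so this matches SYN and SYN/ACK."""
    return tcp[FLAGS_OFFSET] & 2 == 2


def bpf_syn_only(tcp):
    """tcp[0xd]&18=2: mask 18 (0x12) keeps SYN and ACK; result 2 means
    SYN set and ACK clear, so only the initial SYN matches."""
    return tcp[FLAGS_OFFSET] & 18 == 2


def display_filter_syn_only(tcp):
    """Same test written the way the display filter expresses it:
    tcp.flags.syn==1 and tcp.flags.ack==0."""
    flags = tcp[FLAGS_OFFSET]
    return bool(flags & SYN) and not (flags & ACK)


# Three constructed segments: handshake SYN, the SYN/ACK reply, and a data PSH/ACK.
SAMPLES = {
    "SYN": build_tcp_header(SYN),
    "SYN/ACK": build_tcp_header(SYN | ACK, sport=80, dport=40000, ack=2),
    "PSH/ACK": build_tcp_header(PSH | ACK, seq=2, ack=2),
}


def classify():
    """Return {name: (matches tcp[0xd]&2=2, matches tcp[0xd]&18=2)}."""
    return {n: (bpf_syn_or_synack(h), bpf_syn_only(h)) for n, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, (any_syn, pure_syn) in classify().items():
        print(f"{name:8} tcp[0xd]&2=2 -> {any_syn!s:5}  tcp[0xd]&18=2 -> {pure_syn}")
```

Note that libpcap documents the tcp[] byte-index syntax for IPv4 only; the bit test itself is identical for IPv6 TCP segments.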

SYNbit
Thanks for the great response! Those filters are exactly what I need, and it goes without saying that they will make life easier moving forward. Awesome answer! KMNRUser

(22 Sep '10, 15:06) kmnruser

I think the correct filter for SYNs and SYN/ACKs is "tcp[0xd]&2=2"

(15 Feb '11, 12:02) BusiPlay

You're absolutely right. I will change it, thanks!

(15 Feb '11, 12:10) SYN-bit ♦♦