This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Filter TCP SYN scan from pcap file?

0

Hello,

I want to filter only the SYN packets from TCP SYN scan (both for open ports(SYN->SYN/ACK->RST) and closed ports(SYN->RST/ACK)) from a pcap file.

I have written a following script to do the same and it seems working for me.

for stream in `tshark -nr  capture.pcap -Y "(ip.dst==192.68.167.00/24 && tcp.seq==1 && tcp.flags.reset==1 && tcp.flags.ack==0)||(tcp.flags.reset==1 && tcp.flags.ack==1 && tcp.ack==1)" -T fields -e tcp.stream | sort -n | uniq`

do
tshark -r capture.pcap -w ./portscans/stream_$stream.pcap -Y "ip.dst==192.68.167.00/24 && tcp.seq==0 && tcp.flags.syn==1 && tcp.flags.ack==0 && tcp.stream eq $stream"
done

But the above script is taking hell out of time to run it.. It is taking more than a day to filter out packets from a 150MB pcap file.

Can someone suggest me any other method to do the same(with tshark or snort)?

asked 17 Feb ‘17, 04:35

subinjp's gravatar image

subinjp
417713
accept rate: 0%

edited 17 Feb ‘17, 04:42

grahamb's gravatar image

grahamb ♦
19.8k330206

One Answer:

0

For starters you could see if you can apply the 'in' operator to tcp.stream, to get an expression like 'tcp.stream in { n m ...}', where n and m are stream numbers collected before. Although that would give you one single output file, so you may have to split that up afterwards.

answered 17 Feb '17, 08:08

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

@jaap Thanks for your reply. In fact I dont want to split packets in to different files. But I did not get what do you mean by it? Could you write the script below or describe it little more?

(17 Feb '17, 08:17) subinjp