This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TShark Command for Capturing only TCP SYN Packets?

0

Hi Everyone,

I'm attempting to baseline my network's typical SYN Requests sourced from the internet. Our organization was recently DDoS'd with a SYN Flood and my goal here is to find out what typical SYN traffic looks like so I can create a threshold on our firewall to prevent another SYN Flood attack without this configuration being detrimental to legitimate traffic.

My idea is to use TShark to do an ongoing capture starting a new file every 60 seconds the grabbing Time, Source IP, and Destination IP of ONLY SYN Requests sourced from the internet (anything NOT in RFC 1918 Subnets). Then, pump that data into a .csv so I can send it to my ELK Stack for analysis.

I am pretty unfamiliar with TShark as I typicaly use Wireshark GUI. I found something similar to what I'm looking for here

https://rudibroekhuizen.wordpress.com/2016/02/12/analyse-tshark-capture-in-kibana/

but I'm not quite sure how to write out what I need.

Can anyone offer some help?

asked 07 Apr '17, 13:37

Exiar's gravatar image

Exiar
6112
accept rate: 0%

One Answer:

1

Using tshark in this manner you'll need to specify a few things, noting that if you want to create a new file every 60 seconds you'll have to output using a capture file format, e.g. pcapng and then subsequently post-process those using tshark to output in csv format, you can't just redirect tshark "fields" out and get multiple files, the link you reference is a one-shot run of 60 seconds:

  1. The interface(s) to capture on, e.g. -i eth0
  2. The capture file options, for a new file every 60 seconds use -b duration:60
  3. The output file, for ringbuffer use -w basefilename.pcapng, each new file created will add a suffix to the basename
  4. The capture filter, something like "tcp[tcpflags] & (tcp-syn) == tcp-syn and not (src net (10 or 172.16/12 or 192.168/16) and dst net (10 or 172.16/12 or 192.168/16))". You may or may not need to quote this depending on your shell.

Then post-process those files with something like tshark -r filename.pcapng -T fields -e frame.time -e ip.src -e ip.dst > filename.csv using the scripting language of choice to loop over all the files providing the "filename" part of the command.

answered 07 Apr '17, 16:32

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

edited 08 Apr '17, 11:16