The pcap filter syntax used for tcpdump should work exactly the same way in Wireshark capture filters.
With tcpdump I would use a filter like this:
tcpdump "tcp[tcpflags] & (tcp-syn|tcp-ack) != 0"
Check out the tcpdump man page, and pay close attention to the tcpflags.
Be sure to also check out the sections in the Wireshark Wiki about capture and display filters. Unfortunately the two types of filters use a completely different syntax, and different names for the same thing.
If you wanted a display filter instead of a capture filter you would probably need to build an expression combining tcp.flags.ack and tcp.flags.syn. I am far more familiar with capture filters though, so you'll have to work that out on your own.
While @Zoredache's answer is nice and complete, note that that syntax will yield any packets that have the TCP SYN or the TCP ACK flag set, including packets which are not strictly just plain "TCP SYN" or "TCP ACK" packets, because they also have other flags set. This may or may not be what you (or future readers) intended. For example, that syntax will also capture TCP SYN-ACK packets, TCP FIN-ACK, etc. If you want only TCP SYN or TCP ACK packets (i.e. JUST one of those flags set), the proper capture filter syntax is:
'tcp[tcpflags] == tcp-syn or tcp[tcpflags] == tcp-ack'
http://danielmiessler.com/study/tcpdump/
Advanced
You can also filter based on specific portions of a packet, as well as combine multiple conditions into groups. The former is useful when looking for only SYNs or RSTs, for example, and the latter for even more advanced traffic isolation.
UAP RSF
[ Hint: An anagram for the TCP flags: Unskilled Attackers Pester Real Security Folk ]
Show me all URGENT (URG) packets...
tcpdump 'tcp[13] & 32 != 0'
Show me all ACKNOWLEDGE (ACK) packets...
tcpdump 'tcp[13] & 16 != 0'
Show me all PUSH (PSH) packets...
tcpdump 'tcp[13] & 8 != 0'
Show me all RESET (RST) packets...
tcpdump 'tcp[13] & 4 != 0'
Show me all SYNCHRONIZE (SYN) packets...
tcpdump 'tcp[13] & 2 != 0'
Show me all FINISH (FIN) packets...
tcpdump 'tcp[13] & 1 != 0'
Show me all SYNCHRONIZE/ACKNOWLEDGE (SYNACK) packets...
tcpdump 'tcp[13] = 18'
[Note: Only the PSH, RST, SYN, and FIN flags are displayed in tcpdump's flag field output. URGs and ACKs are displayed, but they are shown elsewhere in the output rather than in the flags field.]
I made a script to see the top "synners".
For that, I consider only the initial SYN packet (the first packet of the three-packet handshake). That is, syn = 1, ack = 0.
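As an added example (not code from any of the answers above), the following Python replays the three filters discussed here against constructed IPv4/TCP headers: the bitmask form `tcp[tcpflags] & (tcp-syn|tcp-ack) != 0`, the exact-match form `tcp[tcpflags] == tcp-syn or tcp[tcpflags] == tcp-ack`, and the syn = 1, ack = 0 test behind the "synners" count. It reads tcp[13] the way tcpdump does (after the IP header, honouring IHL); the packet builder, addresses and sample traffic are all made up.

```python
import struct
from collections import Counter

# TCP flag bits in header byte 13 (tcp[13]); same values as tcpdump's tcp-fin .. tcp-urg
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32

def tcp_flags(packet: bytes) -> int:
    """Return tcp[13] for a raw IPv4 packet (no link layer), honouring the IP IHL."""
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes (options included)
    if packet[9] != 6:                    # IP protocol field: 6 = TCP
        raise ValueError("not a TCP segment")
    return packet[ihl + 13]

def any_syn_or_ack(flags: int) -> bool:       # tcp[tcpflags] & (tcp-syn|tcp-ack) != 0
    return flags & (SYN | ACK) != 0

def only_syn_or_only_ack(flags: int) -> bool:  # tcp[tcpflags] == tcp-syn or tcp[tcpflags] == tcp-ack
    return flags == SYN or flags == ACK

def initial_syn(flags: int) -> bool:           # syn = 1, ack = 0: first packet of the handshake
    return flags & SYN != 0 and flags & ACK == 0

def make_packet(src: str, dst: str, flags: int, sport=40000, dport=80) -> bytes:
    """Constructed minimal IPv4 (20 bytes) + TCP (20 bytes) header; checksums left at zero."""
    src_b, dst_b = (bytes(map(int, a.split("."))) for a in (src, dst))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, src_b, dst_b)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp

def top_synners(packets, n=3):
    """Count initial SYNs per source address, the way a 'top synners' script would."""
    counts = Counter()
    for pkt in packets:
        if initial_syn(tcp_flags(pkt)):
            counts[".".join(map(str, pkt[12:16]))] += 1   # IPv4 source address
    return counts.most_common(n)

# Constructed sample traffic: one full connection plus a burst of bare SYNs from another host.
SAMPLE = [
    make_packet("10.0.0.5", "10.0.0.1", SYN),
    make_packet("10.0.0.1", "10.0.0.5", SYN | ACK),
    make_packet("10.0.0.5", "10.0.0.1", ACK),
    make_packet("10.0.0.5", "10.0.0.1", PSH | ACK),
    make_packet("10.0.0.5", "10.0.0.1", FIN | ACK),
    make_packet("10.0.0.1", "10.0.0.5", RST),
] + [make_packet("192.0.2.7", "10.0.0.1", SYN) for _ in range(4)]

def compare_filters(packets=SAMPLE) -> dict:
    """How many packets each filter form matches; the bitmask form also takes SYN-ACK, PSH-ACK, FIN-ACK."""
    flags = [tcp_flags(p) for p in packets]
    return {"bitmask": sum(map(any_syn_or_ack, flags)),
            "exact": sum(map(only_syn_or_only_ack, flags)),
            "initial_syn": sum(map(initial_syn, flags))}
```

On the sample, the bitmask filter matches 9 of the 10 packets, the exact-match filter 6, and the initial-SYN test 5, which is the difference the second answer above is pointing at.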
I wanted to get only SYN packets myself; I used the following command:
tcpdump -i eth7 'tcp[13] & 2 != 0'
This should work for you straightaway.
It should show them without any filters or arguments.