TCPDump syntax to packet capture only initial TCP 3-way handshak

Question

I'm needing to capture packets for a specific source device outputted to .pcap file. It sends sporadically into the BIGIP LTM so I'd like to leave a TCPDump running for 24 hours.&nbsp;
Source IP Address = 192.168.1.18Destination port = 8000
Device file transfers large data set so I do not want to include that in my capture and risk running out of space. I simply want to capture TCP 3-way handshake during initial connection.&nbsp;
I need help with TCPDump syntax to accomplish this.&nbsp;
https://support.f5.com/kb/en-us/solutions/public/0000/400/sol411.html&nbsp;

hamish · Answer

Google is your friend here. tcpdump is a standard Unix/Linux utility. So a quick google will reveal (Among Others)
How to capture TCP SYN, ACK and FIN packets with tcpdump
And form there...
To capture only TCP SYN packets:

tcpdump -i  "tcp[tcpflags] &amp; (tcp-syn) != 0"
To capture only TCP ACK packets:

tcpdump -i  "tcp[tcpflags] &amp; (tcp-ack) != 0"
To capture only TCP FIN packets:

tcpdump -i  "tcp[tcpflags] &amp; (tcp-fin) != 0"
To capture only TCP SYN or ACK packets:

tcpdump -i  "tcp[tcpflags] &amp; (tcp-syn|tcp-ack) != 0"

So your syntax would be something like... 
tcpdump -i 0.0 -nn -p -e "host 192.168.1.18 and port 8000 and tcp[tcpflags] &amp; (tcp-syn|tcp-ack) != 0"
H

Forum Discussion

TCPDump syntax to packet capture only initial TCP 3-way handshak

1 Reply

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5Access | MacOS Sonoma

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

Related Content

Tcpdump Capture

decrypted tcpdump capture without using an iRule using tshark

Decrypting BIG-IP Packet Captures without iRules

Decrypting BIG-IP Packet Captures Automatically

Automating Packet Captures on BIG-IP