tcpdump allows you to filter traffic based on various TCP flags that control connection behavior. These flags are critical in managing the flow of TCP connections, such as establishing, maintaining, and closing connections.
Common TCP Flags
Here's a list of the common TCP flags that you can filter with tcpdump:
| Flag | Description |
|---|---|
| tcp-syn | SYN: Initiates a connection (TCP handshake) |
| tcp-ack | ACK: Acknowledges received data |
| tcp-fin | FIN: Indicates graceful connection termination |
| tcp-rst | RST: Resets a connection (unexpected termination) |
| tcp-push | PUSH: Pushes data to the application layer immediately |
| tcp-urg | URG: Marks urgent data in the packet |
| tcp-ece | ECE: Explicit Congestion Notification Echo (part of congestion control) |
| tcp-cwr | CWR: Congestion Window Reduced (signals a reduced window size) |
| tcp-ns | NS: Nonce Sum (used in ECN to prevent replay attacks) |
How to Filter by TCP Flags
You can use the tcp[tcpflags] syntax in tcpdump to filter traffic by specific TCP flags. Below are a few common examples:
- SYN flag: Captures connection initiation attempts. `tcpdump 'tcp[tcpflags] == tcp-syn'`
- ACK flag: Captures acknowledged packets (normal communication). `tcpdump 'tcp[tcpflags] == tcp-ack'`
- FIN flag: Captures connection termination attempts. `tcpdump 'tcp[tcpflags] == tcp-fin'`
- SYN+ACK flags: Captures the packets used during the TCP handshake. `tcpdump 'tcp[tcpflags] == tcp-syn+tcp-ack'`
- URG flag: Captures packets with urgent data. `tcpdump 'tcp[tcpflags] == tcp-urg'`
Combining Multiple Flags
You can also combine flags using the + operator. For example, to capture packets with both SYN and ACK flags set (commonly during the initial handshake), you can use:
tcpdump 'tcp[tcpflags] == tcp-syn+tcp-ack'
You can also exclude certain flags using the not operator. For example, to capture packets without the RST flag:
tcpdump 'not tcp[tcpflags] == tcp-rst'
Keep in mind that == compares the whole flags byte exactly, so this expression only drops segments in which RST is the sole flag set; a reset that also carries ACK still passes. To test one bit regardless of the other flags, mask it instead, for example `tcpdump 'tcp[tcpflags] & tcp-rst == 0'` to drop every segment with RST set, or `tcpdump 'tcp[tcpflags] & tcp-syn != 0'` to keep every segment with SYN set.
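To make the difference between the exact comparison and the masked test concrete, here is an added Python model (not tcpdump's or libpcap's own code) that reads the flags byte from constructed 20-byte TCP headers and evaluates both filter forms over them; the sample segments and the match_exact / match_all helper names are assumptions for illustration.

```python
import struct

# Bit values of the tcp-* constants tcpdump accepts in tcp[tcpflags] (byte 13 of the header).
TCP_FLAGS = {
    "tcp-fin": 0x01, "tcp-syn": 0x02, "tcp-rst": 0x04, "tcp-push": 0x08,
    "tcp-ack": 0x10, "tcp-urg": 0x20, "tcp-ece": 0x40, "tcp-cwr": 0x80,
}

def tcp_header(flags, src_port=40000, dst_port=443):
    """Build a minimal 20-byte TCP header carrying the given flags byte (constructed data)."""
    data_offset = 5 << 4  # header length 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, data_offset, flags, 65535, 0, 0)

def tcpflags(header):
    """The byte that tcp[tcpflags] (tcp[13]) reads."""
    return header[13]

def flag_value(expr):
    """Add up the constants in a 'tcp-syn+tcp-ack' expression, as the filter language does."""
    return sum(TCP_FLAGS[name.strip()] for name in expr.split("+"))

def match_exact(header, expr):
    """Semantics of  tcp[tcpflags] == <expr>  : listed flags set and no other flag set."""
    return tcpflags(header) == flag_value(expr)

def match_all(header, expr):
    """Semantics of  tcp[tcpflags] & (<expr>) == <expr>  : listed flags set, others ignored."""
    value = flag_value(expr)
    return tcpflags(header) & value == value

# Constructed sample segments, including a SYN that carries the ECN bits (CWR+ECE) that an
# ECN-enabled host sets on its initial SYN, and a reset that also carries ACK.
SAMPLES = {
    "plain SYN": tcp_header(0x02),
    "SYN with ECN (CWR+ECE)": tcp_header(0x02 | 0x40 | 0x80),
    "SYN+ACK": tcp_header(0x02 | 0x10),
    "pure ACK": tcp_header(0x10),
    "RST+ACK": tcp_header(0x04 | 0x10),
}

def count_matches(matcher, expr):
    """How many sample segments a given filter semantics selects."""
    return sum(1 for h in SAMPLES.values() if matcher(h, expr))

if __name__ == "__main__":
    for name, h in SAMPLES.items():
        print(f"{name:24} flags=0x{tcpflags(h):02x}  == tcp-syn: {match_exact(h, 'tcp-syn')!s:5} "
              f"& tcp-syn: {match_all(h, 'tcp-syn')}")
```

The exact form selects only the plain SYN, while the masked form also selects the ECN-marked SYN and the SYN+ACK; likewise the RST+ACK sample is not excluded by the exact-match `not` filter above.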