I am trying to capture the 3-way handshake using the following in Linux; it does not seem to work...
sudo tcpdump -i eth0 -w filename.pcap 'tcp[tcpflags] & (tcp-syn) != 0'
Could someone suggest an edit to it?
It might be tough to capture only the three-way handshake. A traditional three-way handshake would be a SYN packet, a SYN/ACK packet to acknowledge the original SYN, and then an ACK to acknowledge that SYN/ACK. From a filtering standpoint, you probably could capture the second part of the three-way handshake with a (tcp-syn&tcp-ack), but that third ACK would be hard to filter out from all the other normal ACK packets sent during a TCP conversation.
In this case, I would probably just do a far simpler filter to capture the whole conversation (maybe avoid the whole packet to keep size in line), and then just use Wireshark (or tcpdump itself) to see the three-way handshake. So something like
sudo tcpdump -i eth0 -s 96 -w filename.pcap   # -s 96 keeps Ethernet+IP+TCP headers (flags, seq/ack) but drops most payload; -s 32 would truncate inside the IP header
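The answer's point is that the SYN and SYN/ACK are easy to pick out with a BPF flags filter, but the third ACK looks like any other pure ACK and has to be identified by its sequence numbers instead: its seq must equal the client's ISN + 1 and its ack must equal the server's ISN + 1. The following is an added example (not code from the original question or answer) that does exactly that on raw Ethernet/IPv4/TCP frames, the same bytes tcpdump writes to the pcap once the snaplen covers the headers. It uses only the standard library; the frames are constructed inline, and the addresses, ports and sequence numbers are made up for illustration.

```python
import struct

SYN, ACK = 0x02, 0x10

# BPF filters for the first two steps (valid tcpdump syntax). The third ACK
# has no distinguishing flag and is matched by seq/ack numbers below.
SYN_FILTER = "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn"
SYNACK_FILTER = "tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)"


def build_frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Construct an Ethernet/IPv4/TCP frame (checksums left zero; not needed to parse)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # zeroed MACs, EtherType 0x0800 (IPv4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp


def parse_frame(frame):
    """Return (src, dst, sport, dport, seq, ack, flags) for an IPv4/TCP frame, else None.
    A frame truncated by a small snaplen (too short for the TCP header) is rejected."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6 or len(ip) < ihl + 14:  # protocol 6 = TCP; need up to the flags byte
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    sport, dport, seq, ack, _off, flags = struct.unpack("!HHIIBB", ip[ihl:ihl + 14])
    return src, dst, sport, dport, seq, ack, flags


def find_handshakes(frames):
    """Return [(client, cport, server, sport)] for every completed SYN -> SYN/ACK -> ACK sequence.
    State is keyed by the client-side 4-tuple; the SYN/ACK is looked up in reverse."""
    pending = {}   # key -> ("syn", client_isn) or ("synack", client_isn, server_isn)
    complete = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, seq, ack, flags = parsed
        sa = flags & (SYN | ACK)
        if sa == SYN:                                   # step 1: bare SYN
            pending[(src, sport, dst, dport)] = ("syn", seq)
        elif sa == SYN | ACK:                           # step 2: SYN/ACK, reverse direction
            key = (dst, dport, src, sport)
            st = pending.get(key)
            if st and st[0] == "syn" and ack == (st[1] + 1) & 0xFFFFFFFF:
                pending[key] = ("synack", st[1], seq)
        elif sa == ACK:                                 # step 3: pure ACK, checked by numbers
            key = (src, sport, dst, dport)
            st = pending.get(key)
            if (st and st[0] == "synack"
                    and seq == (st[1] + 1) & 0xFFFFFFFF
                    and ack == (st[2] + 1) & 0xFFFFFFFF):
                complete.append(key)
                del pending[key]
    return complete


# Constructed sample capture (hypothetical hosts 10.0.0.5 client, 10.0.0.9 server).
C, S = "10.0.0.5", "10.0.0.9"
SAMPLE_FRAMES = [
    build_frame(C, S, 40000, 443, 1000, 0, SYN),              # SYN, ISN 1000
    build_frame(S, C, 443, 40000, 5000, 1001, SYN | ACK),     # SYN/ACK, ISN 5000
    build_frame(C, S, 40000, 443, 1001, 5001, ACK),           # third ACK -> handshake done
    build_frame(C, S, 40000, 443, 1001, 5001, ACK, b"GET"),   # ordinary data ACK, ignored
    build_frame(S, C, 443, 40000, 5001, 1004, ACK),           # ordinary pure ACK, ignored
    build_frame(C, S, 40001, 443, 2000, 0, SYN),              # SYN that never gets a SYN/ACK
    build_frame(C, S, 40002, 80, 3001, 9001, ACK),            # stray ACK with no prior SYN
]

if __name__ == "__main__":
    for hs in find_handshakes(SAMPLE_FRAMES):
        print("handshake: %s:%d -> %s:%d" % hs)
```

To run it against a real capture, replace SAMPLE_FRAMES with the packet bytes read from the pcap (a pcap reader is a few lines of struct unpacking, or use any pcap library); the important thing is that the snaplen used when capturing covered the TCP header, which is why the answer's snaplen needs to be at least 54 bytes on plain Ethernet.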