
I am using libpcap to capture packets with the following filter:

"tcp[tcpflags] & (tcp-syn) != 0 and not net 127.0.0.1"

But I actually want to get the packet only if the sender is the client (SYN-SENT).

Basically, what I am trying to do is to get informed only for new connections and not multiple times for every connection.

Is there a way to do that?

Yosef
  • TCP does not have clients or servers; it creates peer connections where either side can send, receive, or stop the connection. Client/Server is an application concept. – Ron Maupin Sep 04 '22 at 19:25
  • receiver is client – Yosef Sep 05 '22 at 06:33
  • With TCP, both sides can send and receive; there is no such distinction. Client/server is an application-layer concept. _[RFC 793, Transmission Control Protocol](https://www.rfc-editor.org/rfc/rfc793)_ defines TCP and its state machine, but if you search it, there is no mention of "client" anywhere in it. TCP connections peer each end equally. Either end can initiate the connection, and both ends can send and receive, and either end can initiate closing the connection or send a RST to kill it if something goes wrong. TCP knows nothing of clients and servers; it is the application that does. – Ron Maupin Sep 05 '22 at 13:16

1 Answer

If you only want the SYN from the client but not the SYN+ACK from the server use:

 tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn
Steffen Ullrich
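
What the two filters on this page select, as an added example that is not part of the original answer: plain C (no libpcap calls) applying each expression to constructed TCP headers, including an ECN-negotiating SYN, which the answer's mask still accepts because it tests only the SYN and ACK bits. The sample bytes and the function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Numeric values behind the pcap-filter names used on this page. */
#define TCPFLAGS 13   /* tcp[tcpflags]: byte 13 of the TCP header */
#define TCP_SYN  0x02 /* tcp-syn */
#define TCP_ACK  0x10 /* tcp-ack */

/* Filter from the question: tcp[tcpflags] & (tcp-syn) != 0 */
int match_question(const uint8_t *tcp, size_t len) {
    if (len <= TCPFLAGS) return 0; /* truncated header: no match */
    return (tcp[TCPFLAGS] & TCP_SYN) != 0;
}

/* Filter from the answer: tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn.
 * C needs the extra parentheses because == binds tighter than & in C. */
int match_answer(const uint8_t *tcp, size_t len) {
    if (len <= TCPFLAGS) return 0;
    return (tcp[TCPFLAGS] & (TCP_SYN | TCP_ACK)) == TCP_SYN;
}

/* Constructed 20-byte TCP header (ports 50000 -> 443); only flags vary. */
#define HDR(f) {0xc3,0x50,0x01,0xbb, 0,0,0,1, 0,0,0,0, 0x50,(f), 0xff,0xff, 0,0,0,0}

/* Constructed sample: two connection setups plus some later segments. */
static const uint8_t sample[][20] = {
    HDR(0x02), /* SYN          connection 1, initiator */
    HDR(0x12), /* SYN+ACK      connection 1, responder */
    HDR(0x10), /* ACK */
    HDR(0x18), /* PSH+ACK      data */
    HDR(0x11), /* FIN+ACK */
    HDR(0xc2), /* SYN+ECE+CWR  connection 2, initiator negotiating ECN */
    HDR(0x52), /* SYN+ACK+ECE  connection 2, responder */
};

typedef int (*matcher)(const uint8_t *, size_t);

/* Number of sample segments the given filter would deliver. */
int count_matches(matcher m) {
    int n = 0;
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        n += m(sample[i], sizeof sample[i]);
    return n;
}

int main(void) {
    printf("question's filter: %d segments\n", count_matches(match_question));
    printf("answer's filter:   %d segments\n", count_matches(match_answer));
    return 0;
}
```

On this sample the question's filter delivers both the SYN and the SYN+ACK of each setup, while the answer's filter delivers one segment per connection attempt.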