Capturing TCP Flags with tcpdump. Capture ACK or SYN packets

ABOUT TCP FLAGS

They are control bits that indicate different connection states or information about how a packet should be handled.

FLAGS

CWR – Congestion Window Reduced (CWR) flag is set by the sending host to indicate that it received a TCP segment with the ECE flag set (added to header by RFC 3168).
ECE (ECN-Echo) – indicates that the TCP peer is ECN capable during the 3-way handshake (added to header by RFC 3168).
URG – indicates that the URGent pointer field is significant
ACK – indicates that the ACKnowledgment field is significant (Sometimes abbreviated by tcpdump as “.”)
PSH – Push function
RST – Reset the connection (Seen on rejected connections)
SYN – Synchronize sequence numbers (Seen on new connections)
FIN – No more data from sender (Seen after a connection is closed)

TYPICAL COMMAND LINE SESSION (one overlong output line has been wrapped onto two lines)
[bash]
$ sudo tcpdump -XX "tcp[tcpflags] & (tcp-syn|tcp-ack) != 0"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlp2s0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:08:02.921549 IP debian.local.56418 > 192.0.78.23.https: Flags [.], ack 3664749642, win 501, length 0
0x0000: 0cd2 b591 a80b 6814 0107 361f 0800 4500 ......h...6...E.
0x0010: 0028 3a09 4000 4006 3101 c0a8 0106 c000 .(:.@.@.1.......
0x0020: 4e17 dc62 01bb 200d 551f da6f a44a 5010 N..b....U..o.JP.
0x0030: 01f5 0c15 0000 ......
22:08:02.959138 IP 192.0.78.23.https > debian.local.56418: Flags [.], ack 1, win 78, length 0
0x0000: 6814 0107 361f 0cd2 b591 a80b 0800 4500 h...6.........E.
0x0010: 0028 b2cf 4000 3906 bf3a c000 4e17 c0a8 .(..@.9..:..N...
0x0020: 0106 01bb dc62 da6f a44a 200d 5520 5010 .....b.o.J..U.P.
0x0030: 004e 0dbb 0000 .N....
^C22:08:03.227185 IP debian.local.56024 > 182.79.251.94.https: Flags [P.], seq 2644787003:2644788130, ack
4261478870, win 7206, options [nop,nop,TS val 358601242 ecr 4159929275], length 1127

3 packets captured
139 packets received by filter
132 packets dropped by kernel
$

[/bash]
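As an added example (not part of the original post), the Python script below rebuilds the first captured packet from its `-XX` hex dump, pulls out the TCP flag byte the filter `tcp[tcpflags] & (tcp-syn|tcp-ack) != 0` tests, renders it the way tcpdump's `Flags [...]` field does, and evaluates the filter; the SYN and RST frames it builds are constructed for the demonstration, with zeroed checksums.

```python
"""Decode the TCP flag byte from `tcpdump -XX` output and replay the post's BPF flag test on it."""
import re

# Flag bits (RFC 793, RFC 3168) with the character tcpdump prints for each,
# listed in tcpdump's own output order.  ACK is the "." in "[S.]" or "[P.]".
TCP_FLAGS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
             (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W")]
TCP_SYN, TCP_ACK = 0x02, 0x10

# First packet of the session above, copied from its hex column (ASCII column is ignored).
ACK_DUMP = """
0x0000: 0cd2 b591 a80b 6814 0107 361f 0800 4500 ......h...6...E.
0x0010: 0028 3a09 4000 4006 3101 c0a8 0106 c000 .(:.@.@.1.......
0x0020: 4e17 dc62 01bb 200d 551f da6f a44a 5010 N..b....U..o.JP.
0x0030: 01f5 0c15 0000 ......
"""

def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from tcpdump -X/-XX lines: offset, up to 8 hex words, ASCII."""
    out = bytearray()
    for line in dump.strip().splitlines():
        m = re.match(r"0x[0-9a-f]+:((?:\s+[0-9a-f]{2,4}){1,8})", line.strip())
        if not m:
            raise ValueError(f"not a hex dump line: {line!r}")
        out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)

def tcp_flags(frame: bytes) -> int:
    """Flag byte of an Ethernet/IPv4/TCP frame (-XX keeps the 14-byte Ethernet header; IHL gives IP header length)."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:
        raise ValueError("frame is not IPv4/TCP")
    ihl = (frame[14] & 0x0F) * 4
    return frame[14 + ihl + 13]          # flags sit at offset 13 of the TCP header

def flags_str(flags: int) -> str:
    """Render the flag byte as tcpdump's Flags [...] field does, e.g. [S.], [P.], [.]."""
    return "[" + ("".join(ch for bit, ch in TCP_FLAGS if flags & bit) or "none") + "]"

def matches_syn_or_ack(frame: bytes) -> bool:
    """The capture filter from the post: tcp[tcpflags] & (tcp-syn|tcp-ack) != 0"""
    return tcp_flags(frame) & (TCP_SYN | TCP_ACK) != 0

def build_frame(flags: int) -> bytes:
    """Constructed minimal Ethernet/IPv4/TCP frame (zero MACs and checksums) carrying the given flags."""
    ip = bytes.fromhex("45000028000140004006" + "0000" + "c0a80106" + "c0004e17")
    tcp = bytes.fromhex("dc6201bb" + "00000001" + "00000000") + bytes([0x50, flags]) + bytes(6)
    return bytes(12) + b"\x08\x00" + ip + tcp

if __name__ == "__main__":
    for name, frame in [("captured ACK", hexdump_to_bytes(ACK_DUMP)),
                        ("constructed SYN", build_frame(TCP_SYN)), ("constructed RST", build_frame(0x04))]:
        print(f"{name:16} Flags {flags_str(tcp_flags(frame))}  passes filter: {matches_syn_or_ack(frame)}")
```

The pure RST frame shows what the filter drops: the expression only keeps packets with SYN or ACK set, so RST or FIN segments without ACK never reach the capture.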
ABOUT TCP

The Transmission Control Protocol (TCP) is one of the main protocols of the Internet protocol suite. It originated in the initial network implementation in which it complemented the Internet Protocol (IP). Therefore, the entire suite is commonly referred to as TCP/IP. TCP provides reliable, ordered, and error-checked delivery of a stream of octets (bytes) between applications running on hosts communicating via an IP network. Major internet applications such as the World Wide Web, email, remote administration, and file transfer rely on TCP. Applications that do not require reliable data stream service may use the User Datagram Protocol (UDP), which provides a connectionless datagram service that emphasizes reduced latency over reliability.

LINKS
https://www.netgate.com/docs/pfsense/firewall/tcp-flag-definitions.html
https://en.wikipedia.org/wiki/Transmission_Control_Protocol
https://serverfault.com/questions/217605/how-to-capture-ack-or-syn-packets-by-tcpdump