> tcpdump -n tcp port 80 -w web_traffic.log
> 
> but that logs all port 80 traffic right?  How should I isolate JUST the SYN?

From the tcpdump man page, in the EXAMPLES section:

     To print the start and end packets (the SYN and FIN packets)
     of each TCP conversation that involves a non-local host.
          tcpdump 'tcp[13] & 3 != 0 and not src and dst net localnet'

"tcp[13] & 3 != 0" catches packets that have either SYN or FIN set, so
that check by itself will see both; the check for just SYN, and a check
for SYN and port 80, are left as exercises for the reader.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
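Added example, not part of the list post and not tcpdump's own code: a small Python model of the byte-offset filter semantics the reply describes, evaluated over hand-constructed IPv4/TCP packets. It shows why 'tcp[13] & 3 != 0' matches both SYN and FIN, and how a SYN-only, port-80 check (the "exercise for the reader") differs: SYN set, ACK clear, so SYN-ACK replies are excluded. Packet contents, addresses and ports are constructed for the demonstration.

```python
import struct

# Bit values of the TCP flags byte, which tcpdump exposes as tcp[13].
FIN, SYN, RST, PSH, ACK = 1, 2, 4, 8, 16

def build_ipv4_tcp(src_port, dst_port, flags):
    """Construct a bare IPv4+TCP packet (no payload, checksums zeroed)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # constructed addresses
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                      5 << 4, flags, 65535, 0, 0)
    return ip + tcp

def tcp_header(pkt):
    """Locate the TCP header the way 'tcp[N]' indexes it: just past the IPv4 IHL."""
    if pkt[9] != 6:          # IP protocol field: 6 = TCP, otherwise 'tcp[...]' cannot match
        return None
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[ihl:]

def syn_or_fin(pkt):
    """Equivalent of the man-page filter 'tcp[13] & 3 != 0' (SYN or FIN set)."""
    tcp = tcp_header(pkt)
    return tcp is not None and tcp[13] & (SYN | FIN) != 0

def syn_only_to_port(pkt, port):
    """Initial connection attempts only: SYN set, ACK clear, to the given port.
    Equivalent tcpdump filter: 'tcp[13] & 18 == 2 and dst port <port>'."""
    tcp = tcp_header(pkt)
    if tcp is None:
        return False
    dst_port = struct.unpack("!H", tcp[2:4])[0]
    return tcp[13] & (SYN | ACK) == SYN and dst_port == port

if __name__ == "__main__":
    samples = {
        "client SYN to 80": build_ipv4_tcp(40000, 80, SYN),
        "server SYN-ACK from 80": build_ipv4_tcp(80, 40000, SYN | ACK),
        "FIN-ACK teardown": build_ipv4_tcp(40000, 80, FIN | ACK),
        "plain data ACK": build_ipv4_tcp(40000, 80, ACK),
    }
    for name, pkt in samples.items():
        print(f"{name:24s} syn_or_fin={syn_or_fin(pkt)!s:5s} "
              f"syn_only_to_80={syn_only_to_port(pkt, 80)}")
```

The equivalent capture for the original question would be `tcpdump -n 'tcp[13] & 18 == 2 and dst port 80' -w web_syn.pcap`; note that `tcp[13] & 2 != 0` alone would also record the server's SYN-ACK replies.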