OSQA is unmaintained. Help us figure out where to go from here.


I want to filter only the SYN packets from TCP SYN scan (both for open ports(SYN->SYN/ACK->RST) and closed ports(SYN->RST/ACK)) from a pcap file.

I have written a following script to do the same and it seems working for me.

for stream in `tshark -nr  capture.pcap -Y "(ip.dst== && tcp.seq==1 && tcp.flags.reset==1 && tcp.flags.ack==0)||(tcp.flags.reset==1 && tcp.flags.ack==1 && tcp.ack==1)" -T fields -e tcp.stream | sort -n | uniq`

  tshark -r capture.pcap -w ./portscans/stream_$stream.pcap -Y "ip.dst== && tcp.seq==0 && tcp.flags.syn==1 && tcp.flags.ack==0 && tcp.stream eq $stream"

But the above script is taking hell out of time to run it.. It is taking more than a day to filter out packets from a 150MB pcap file.

Can someone suggest me any other method to do the same(with tshark or snort)?

asked 17 Feb, 04:35

subinjp's gravatar image

accept rate: 0%

edited 17 Feb, 04:42

grahamb's gravatar image

grahamb ♦

For starters you could see if you can apply the 'in' operator to tcp.stream, to get an expression like 'tcp.stream in { n m ...}', where n and m are stream numbers collected before. Although that would give you one single output file, so you may have to split that up afterwards.

permanent link

answered 17 Feb, 08:08

Jaap's gravatar image

Jaap ♦
accept rate: 14%

@jaap Thanks for your reply. In fact I dont want to split packets in to different files. But I did not get what do you mean by it? Could you write the script below or describe it little more?

(17 Feb, 08:17) subinjp
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 17 Feb, 04:35

question was seen: 273 times

last updated: 17 Feb, 08:17

p​o​w​e​r​e​d by O​S​Q​A