The TCP header carries a flags field that tells you what kind of segment it is; tcpdump can select segments by that field:

tcp[13] is the TCP flags byte (URG, ACK, PSH, RST, SYN, FIN), one bit per flag. tcpdump also accepts the symbolic form tcp[tcpflags] with the constants tcp-urg, tcp-ack, tcp-push, tcp-rst, tcp-syn, tcp-fin. Note that tcp[...] byte indexing only matches IPv4 TCP; IPv6 segments are not selected by these filters. The mnemonic below gives the bit value of each flag (the two ECN bits, ECE = 64 and CWR = 128, are not covered by it):

# Unskilled 32   URG
# Attackers 16   ACK
# Pester     8   PSH
# Real       4   RST
# Security   2   SYN
# Folks      1   FIN


Capture segments with FIN set:

# tcpdump -ni any port 9001 and 'tcp[13] & 1 != 0 ' -s0  -w fin.cap -vvv

Capture segments with SYN or FIN set. Note that 'tcp[13] & 3 != 0' matches a segment that has either bit set, so it also catches ordinary handshakes and teardowns; to match only segments that carry both SYN and FIN at once, use 'tcp[13] & 3 == 3' instead:

# tcpdump -ni any port 9001 and 'tcp[13] & 3 != 0 ' -s0  -w syn_fin.cap -vvv

Capture segments with RST set:

# tcpdump -ni any port 9001 and 'tcp[13] & 4 != 0 ' -s0  -w rst.cap -vvv
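The following is an added example, not part of the original note, showing what the tcp[13] filters above actually test: byte 13 of the TCP header, located after the variable-length IPv4 header. It builds a few constructed IPv4/TCP packets (no link-layer header, checksums left zero), extracts the flags byte exactly as BPF does, and evaluates the same masks as the three tcpdump commands, including the difference between '& 3 != 0' (either of SYN/FIN) and '& 3 == 3' (both). The packet builder, ports and addresses are illustrative assumptions.

```python
import struct

# Bit values of tcp[13], the 14th byte of the TCP header. Same values as the
# "Unskilled Attackers Pester Real Security Folks" mnemonic, plus the ECN bits.
FLAGS = {
    "CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
    "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01,
}

# The same predicates tcpdump evaluates for the filters discussed above.
FILTERS = {
    "fin":         lambda f: f & 1 != 0,   # 'tcp[13] & 1 != 0'
    "syn_or_fin":  lambda f: f & 3 != 0,   # 'tcp[13] & 3 != 0' : either bit set
    "syn_and_fin": lambda f: f & 3 == 3,   # 'tcp[13] & 3 == 3' : both bits set
    "rst":         lambda f: f & 4 != 0,   # 'tcp[13] & 4 != 0'
}


def tcp_flags_byte(packet: bytes) -> int:
    """Return tcp[13] from a raw IPv4 packet (no link-layer header).

    tcpdump's tcp[13] is byte 13 of the TCP header, which begins after the
    IPv4 header of IHL * 4 bytes. Non-IPv4 or non-TCP input raises ValueError,
    mirroring the fact that the 'tcp' qualifier only matches IPv4 TCP.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version = packet[0] >> 4
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if version != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    if len(packet) < ihl + 14:
        raise ValueError("truncated TCP header")
    return packet[ihl + 13]


def decode_flags(flags_byte: int) -> list:
    """Names of the flags set in a tcp[13] value, highest bit first."""
    return [name for name, bit in FLAGS.items() if flags_byte & bit]


def matching_filters(packet: bytes) -> list:
    """Which of the tcpdump filters above would select this packet."""
    f = tcp_flags_byte(packet)
    return [name for name, pred in FILTERS.items() if pred(f)]


def build_packet(flags: int, ip_options: bytes = b"") -> bytes:
    """Constructed IPv4+TCP packet with the given flags byte (test input only:
    checksums are zero, addresses/ports are made up). ip_options lets the
    caller grow the IPv4 header so the TCP header moves, as it does on the wire."""
    assert len(ip_options) % 4 == 0, "IPv4 options are padded to 4 bytes"
    ihl = 5 + len(ip_options) // 4
    total_len = ihl * 4 + 20
    ip = struct.pack("!BBHHHBBH4s4s",
                     (4 << 4) | ihl, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    # src port, dst port, seq, ack, data offset (5 words), flags, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, 9001, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    for flags in (0x02, 0x12, 0x11, 0x03, 0x14):
        pkt = build_packet(flags)
        print(f"tcp[13]=0x{flags:02x} {decode_flags(flags)} -> {matching_filters(pkt)}")
```

Running it shows that a plain SYN and a FIN/ACK both satisfy 'tcp[13] & 3 != 0', while only the 0x03 (SYN+FIN) packet satisfies 'tcp[13] & 3 == 3'; the IPv4-options case confirms that the flags byte is found relative to the TCP header, not at a fixed offset in the packet.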