Baseline SYN Capture

Case

  • Confirm that ptcpdump captures the initial TCP handshake (SYN) generated by curl, mirroring the test_base.sh regression test.
  • Inspect SYN packets while recording metadata for the originating process.
  • Verify that a firewall is not blocking outbound TCP connections on a specific port.
  • Troubleshoot application connectivity issues by confirming that the initial TCP handshake is successful.
  • Monitor for unauthorized or unexpected outbound connections from a specific process.

Command

sudo ptcpdump -i any 'dst host 1.1.1.1 and tcp[tcpflags] = tcp-syn'

While ptcpdump is running, trigger a quick curl -m 10 1.1.1.1. You should see an annotated SYN heading to 1.1.1.1:80, and a saved capture remains readable by both ptcpdump and tcpdump for round-trip validation.

Output Example

14:17:19.288004 ens33 curl.240410 Out IP 10.0.2.15.50610 > 1.1.1.1.80: Flags [S], seq 1584305332, win 64240, options [mss 1460,sackOK,TS val 2311066804 ecr 0,nop,wscale 7], length 0, ParentProc [bash.101064]
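The monitoring use case above (spotting outbound connections from processes that should not be making them) needs the process annotation pulled out of each ptcpdump line. The following is an added example, not ptcpdump's own code: it parses the text line layout shown in the Output Example (timestamp, interface, process.pid, direction, endpoints, Flags, ParentProc) and checks every outbound SYN against a per-port allowlist of process names. The first sample line is the page's own; the other two lines and the allowlist are constructed for illustration.

```python
"""Parse ptcpdump text output and flag outbound SYNs from unexpected processes.

Added example, not part of ptcpdump. It assumes the line layout shown in the
Output Example above: "<ts> <iface> <proc>.<pid> <In|Out> IP <src> > <dst>:
Flags [..], ..., ParentProc [<proc>.<pid>]".
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed layout; the ParentProc suffix is treated as optional so lines
# without it still parse.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+"
    r"(?P<proc>.+?)\.(?P<pid>\d+)\s+(?P<dir>In|Out)\s+IP6?\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+Flags\s+\[(?P<flags>[^\]]*)\]"
    r"(?:.*?ParentProc\s+\[(?P<pproc>.+?)\.(?P<ppid>\d+)\])?"
)


@dataclass
class SynEvent:
    ts: str
    iface: str
    proc: str
    pid: int
    direction: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str
    parent: Optional[str]
    ppid: Optional[int]


def split_endpoint(endpoint: str):
    """tcpdump-style 'host.port' -> (host, port); rsplit keeps IPv4/IPv6 intact."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def parse_line(line: str) -> Optional[SynEvent]:
    """Return a SynEvent for a ptcpdump text line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = split_endpoint(m["src"])
    dst_ip, dst_port = split_endpoint(m["dst"])
    return SynEvent(
        ts=m["ts"], iface=m["iface"], proc=m["proc"], pid=int(m["pid"]),
        direction=m["dir"], src_ip=src_ip, src_port=src_port,
        dst_ip=dst_ip, dst_port=dst_port, flags=m["flags"],
        parent=m["pproc"], ppid=int(m["ppid"]) if m["ppid"] else None,
    )


def unexpected_outbound_syns(lines: List[str], allowed: dict) -> List[SynEvent]:
    """Return outbound pure-SYN events whose process is not allowed on that port.

    allowed maps destination port -> set of process names permitted to open it.
    Only Flags [S] counts as a new connection attempt; [S.] (SYN-ACK) is skipped.
    """
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.direction != "Out" or ev.flags != "S":
            continue
        if ev.proc not in allowed.get(ev.dst_port, set()):
            hits.append(ev)
    return hits


SAMPLE_LINES = [
    # The page's own sample line.
    "14:17:19.288004 ens33 curl.240410 Out IP 10.0.2.15.50610 > 1.1.1.1.80: Flags [S], "
    "seq 1584305332, win 64240, options [mss 1460,sackOK,TS val 2311066804 ecr 0,nop,wscale 7], "
    "length 0, ParentProc [bash.101064]",
    # Constructed: the SYN-ACK coming back; not a new connection attempt.
    "14:17:19.301112 ens33 curl.240410 In IP 1.1.1.1.80 > 10.0.2.15.50610: Flags [S.], "
    "seq 7, ack 1584305333, win 65535, options [mss 1460], length 0, ParentProc [bash.101064]",
    # Constructed: a process that is not on the allowlist opening port 443.
    "14:17:22.101000 ens33 nc.240511 Out IP 10.0.2.15.50612 > 1.1.1.1.443: Flags [S], "
    "seq 1, win 64240, options [mss 1460], length 0, ParentProc [bash.101064]",
]

# Constructed allowlist: only curl is expected to open 80 and 443 from this host.
ALLOWED = {80: {"curl"}, 443: {"curl"}}

if __name__ == "__main__":
    for ev in unexpected_outbound_syns(SAMPLE_LINES, ALLOWED):
        print(f"{ev.ts} unexpected SYN: {ev.proc}[{ev.pid}] (parent {ev.parent}[{ev.ppid}]) "
              f"-> {ev.dst_ip}:{ev.dst_port} on {ev.iface}")
```

Feed it the output of the command above (for example via a pipe) and it prints one line per outbound SYN from a process that is not on the allowlist; the parent process is kept so a shell-spawned tool stands out from a service making the same connection.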