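This only works if you have SYN cookies turned on, but it lets you capture 60 seconds of pcap whenever your machine sends SYN cookies. That should only happen when you're being SYN flooded, although a listen backlog that overflows under heavy legitimate load can trigger cookies as well, so confirm the flood from the capture itself. The "pattern" string in the script is a placeholder for the kernel log message that reports SYN cookies being sent.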
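#!/bin/bash
#
# Follow the system log and, each time a line matches the trigger pattern,
# record one 60-second packet capture to a timestamped, bzip2-compressed
# file, then prune captures that are more than a day old.
#
# Run as root: tcpdump needs the capture device. -Z nobody makes tcpdump
# drop privileges before it creates the savefile, so the file is written
# as "nobody" rather than as root.
#
# NOTE(review): captures go to world-writable /tmp under a predictable
# name. A dedicated directory writable only by the capture user would be
# safer; left unchanged here so existing consumers still find the files.

readonly log_file=/var/log/messages
readonly trigger="pattern"   # placeholder: the log text that announces SYN cookies
readonly iface=bond0
readonly capture_dir=/tmp

tail -Fn0 "$log_file" |
  while IFS= read -r line; do
    # -r and an empty IFS keep backslashes and leading whitespace in the log
    # line intact. grep still prints the matching line, so the trigger that
    # started each capture stays visible on stdout.
    if grep -- "$trigger" <<<"$line"; then
      # -G 60 -W 1: rotate after 60 s and stop after the first file, so this
      # call blocks for about a minute. Lines that arrive meanwhile queue in
      # the pipe and are examined once the capture ends.
      # stdin is detached so tcpdump cannot consume queued log lines.
      /usr/sbin/tcpdump -i "$iface" \
        -w "${capture_dir}/syn_$(date --utc +%Y%m%d_%H%M%SZ).pcap" \
        -G 60 -W 1 -Z nobody -z bzip2 </dev/null

      # The pattern is quoted so the shell cannot expand it against the
      # current directory before find sees it. The search is limited to this
      # script's own files at the top level of the capture directory, since
      # -delete runs as root in a directory other users can write to.
      # -mtime +1 ignores fractional days, so files are removed once they
      # are at least two days old.
      find "${capture_dir}/" -maxdepth 1 -type f -name 'syn_*.pcap*' \
        -mtime +1 -delete
    fi
  done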