I am having trouble with occasional connect timeouts. Is there any way in Wireshark to find where the three-way handshake fails?
Thanks in advance
asked 03 May '12, 08:26
edited 04 May '12, 12:41
Use the display filter 'tcp.flags eq 0x02' (only SYN flag set)
Select the option "Limit to display filter" (at the bottom)
Sort the output by "Packets".
Those connections with 1 packet are likely the "good" connections (one SYN only)
Those connections with > 1 packets are most likely the unanswered connections (several packets with SYN as a result of a retry).
EDIT: I just realized that the same question has already been answered some time ago:
answered 03 May '12, 08:29
Kurt Knochner ♦
edited 03 May '12, 10:30
Assuming that you're truly going through a timeout on initial connection attempts, you would have retransmitted SYN packets. Every common operating system will try at least 3 times (sometimes 5) to establish a connection before giving up; they do this by retransmitting the SYN packet. So, if you captured traffic on system A when A attempts to connect to system B and fails, applying 'tcp.flags eq 0x02 && tcp.analysis.retransmission' to the capture would show you any retransmitted SYN packets.
answered 04 May '12, 12:14
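The two answers above describe the same heuristic: group packets by TCP conversation, count the SYN-only packets, and treat a conversation with more than one SYN as a retried (and probably failed) handshake. The script below is an added example that is not code from either answerer or from the Wireshark project; it implements that heuristic directly over raw frames so the logic can be run offline. The frames are constructed inline with a small builder (no checksums, placeholder MAC addresses), the addresses and ports are made up, and it goes slightly beyond the answers by separating conversations whose SYN was retried but eventually answered from those that never received a SYN/ACK.

```python
import struct
from collections import defaultdict

SYN = 0x02
ACK = 0x10


def build_frame(src_ip, sport, dst_ip, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame. Constructed sample input only:
    checksums are left as zero and MAC addresses are placeholders."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    # sport, dport, seq, ack, data offset (5 words), flags, window, checksum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp


def parse_frame(frame):
    """Return the TCP 4-tuple and flag byte of a raw Ethernet/IPv4/TCP frame,
    or None when the frame is too short, not IPv4, or not TCP."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length, honours options
    if frame[23] != 6:                    # protocol field: 6 = TCP
        return None
    src_ip = ".".join(str(b) for b in frame[26:30])
    dst_ip = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {"src": src_ip, "sport": sport, "dst": dst_ip, "dport": dport, "flags": tcp[13]}


def summarize_handshakes(frames):
    """Count SYN-only packets per client->server 4-tuple and record whether a
    SYN/ACK came back in the reverse direction. This is the same view as the
    'tcp.flags eq 0x02' filter combined with the per-conversation packet count."""
    flows = defaultdict(lambda: {"syn_count": 0, "answered": False})
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["flags"] == SYN:                       # exactly SYN, nothing else
            flows[key]["syn_count"] += 1
        elif pkt["flags"] & (SYN | ACK) == SYN | ACK:  # server's SYN/ACK reply
            reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
            if reverse in flows:
                flows[reverse]["answered"] = True
    return dict(flows)


def failed_handshakes(frames):
    """Conversations that retried their SYN and never saw a SYN/ACK."""
    return [k for k, v in summarize_handshakes(frames).items()
            if v["syn_count"] > 1 and not v["answered"]]


def slow_handshakes(frames):
    """Conversations that retried their SYN but were answered eventually;
    the retry heuristic alone would lump these in with the failures."""
    return [k for k, v in summarize_handshakes(frames).items()
            if v["syn_count"] > 1 and v["answered"]]


# Constructed capture: one clean handshake, one that times out after three
# SYNs, and one that is answered only after a retransmitted SYN.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", 50001, "10.0.0.9", 443, SYN),
    build_frame("10.0.0.9", 443, "10.0.0.5", 50001, SYN | ACK),
    build_frame("10.0.0.5", 50001, "10.0.0.9", 443, ACK),
    build_frame("10.0.0.5", 50002, "10.0.0.20", 22, SYN),
    build_frame("10.0.0.5", 50002, "10.0.0.20", 22, SYN),   # retransmitted SYN
    build_frame("10.0.0.5", 50002, "10.0.0.20", 22, SYN),   # retransmitted SYN
    build_frame("10.0.0.5", 50003, "10.0.0.30", 80, SYN),
    build_frame("10.0.0.5", 50003, "10.0.0.30", 80, SYN),   # retransmitted SYN
    build_frame("10.0.0.30", 80, "10.0.0.5", 50003, SYN | ACK),  # late answer
]

if __name__ == "__main__":
    for key, info in summarize_handshakes(SAMPLE_FRAMES).items():
        print(key, info)
    print("failed:", failed_handshakes(SAMPLE_FRAMES))
    print("slow:", slow_handshakes(SAMPLE_FRAMES))
```

On a real capture the frames would come from a pcap reader rather than `build_frame`; the parser only needs the raw Ethernet frame bytes. A single SYN with no SYN/ACK in the capture is not treated as a failure here, because it may simply mean the capture stopped before the retry or reply arrived.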
MATE can help as well
Load tcp.mate from the Wiki. After a restart of Wireshark, use this display filter:
That's all packets with only a SYN flag and where the conversation contains fewer than 4 packets.
Well, that's not perfect, but at least it will find the 'regular' threefold retry attempt.
Sample to test with: http://cloudshark.org/captures/9279c75f8161
answered 07 May '12, 16:42
Kurt Knochner ♦
edited 07 May '12, 16:46