
How to find syn not followed by a syn+ack


I am having trouble with occasional connect timeouts. Is there anyway in wireshark to find where the three way handshake fails?

Thanks in advance

Chip

asked 03 May '12, 08:26


blueridge55

edited 04 May '12, 12:41 by grahamb ♦


3 Answers:


Use the display filter 'tcp.flags eq 0x02' (only SYN flag set)
then: Statistics -> Conversations

Select the option "Limit to display filter" (at the bottom)
Select the tab TCP

Sort the output by "Packets".

Those connections with 1 packet are likely the "good" connections (one SYN only)

Those connections with > 1 packet are most likely the unanswered connections (several packets with SYN as a result of retries).

EDIT: I just realized that the same question has already been answered some time ago:
http://ask.wireshark.org/questions/6576/identify-syn-packets-without-synack

Regards
Kurt

answered 03 May '12, 08:29


Kurt Knochner ♦

edited 03 May '12, 10:30

Yap, but some question openers never vote / accept so ;)

(03 May '12, 13:39) Landi

Maybe they don't know about the voting system. The Q&A system here is totally different to other forums. I think only frequent forum users do understand the system and make use of votes.

My impression is that a lot of users are one-time users. They subscribe to get a problem "fixed" and then they stop participating. However, I might be wrong. After all, I have only been a forum member for a few days now, whereas I have been using Wireshark for years.

(03 May '12, 14:22) Kurt Knochner ♦

It's true. Sometimes the workload does not permit doing that. Your support is highly appreciated. NizamSri

(16 May '12, 22:20) NizamSri


Assuming that you're truly going through a timeout on initial connection attempts, you would have retransmitted SYN packets. Every common operating system will try at least 3 times (sometimes 5) to establish a connection before giving up; they do this by retransmitting the SYN packet. So, if you captured traffic on system A when A attempts to connect to system B and fails, applying 'tcp.flags eq 0x02 && tcp.analysis.retransmission' to the capture would show you any retransmitted SYN packets.

answered 04 May '12, 12:14


wesmorgan1

This filter does not work on my Windows Vista PC. Wireshark does not identify the repeated SYNs as retransmissions, so no packets are shown.

(04 May '12, 21:05) Jim Aragon


MATE can help as well

http://wiki.wireshark.org/Mate/GettingStarted

Load tcp.mate from the Wiki. After a restart of Wireshark, use this display filter:

tcp.flags eq 0x02 and mate.tcp_ses.NumOfPdus < 4

That's all packets with only the SYN flag set and where the conversation contains fewer than 4 packets.

Well, that's not perfect, but at least it will find the 'regular' threefold retry attempt.

Sample to test with: http://cloudshark.org/captures/9279c75f8161

Regards
Kurt

answered 07 May '12, 16:42


Kurt Knochner ♦

edited 07 May '12, 16:46
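The answers above all approximate "SYN without SYN+ACK" indirectly: Kurt counts SYN-only packets per conversation (or packets per MATE session), and wesmorgan1 relies on tcp.analysis.retransmission, which Jim Aragon notes is not always set. As an added example that is not part of any answer here, the script below reproduces Kurt's per-conversation SYN count and, going one step further, matches each SYN against a SYN+ACK (or RST) in the reverse direction so it does not depend on Wireshark's retransmission analysis. The packet records are constructed sample data, not taken from the linked capture.

```python
from collections import defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10

# Constructed sample capture: (src, sport, dst, dport, tcp_flags), in capture order.
SAMPLE = [
    ("10.0.0.5", 50001, "10.0.0.9", 443, 0x02),   # SYN
    ("10.0.0.9", 443, "10.0.0.5", 50001, 0x12),   # SYN+ACK: handshake completes
    ("10.0.0.5", 50001, "10.0.0.9", 443, 0x10),   # ACK
    ("10.0.0.5", 50002, "10.0.0.9", 8443, 0x02),  # SYN
    ("10.0.0.5", 50002, "10.0.0.9", 8443, 0x02),  # SYN retry (~1s later)
    ("10.0.0.5", 50002, "10.0.0.9", 8443, 0x02),  # SYN retry: never answered
    ("10.0.0.5", 50003, "10.0.0.9", 22, 0x02),    # SYN
    ("10.0.0.9", 22, "10.0.0.5", 50003, 0x14),    # RST+ACK: refused, not a timeout
]


def conversation(src, sport, dst, dport):
    """Direction-independent key, like one row in Statistics -> Conversations."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def syn_only_counts(packets):
    """Kurt's heuristic: apply 'tcp.flags eq 0x02', then count packets per
    conversation. A count > 1 means the client had to retry its SYN."""
    counts = defaultdict(int)
    for src, sport, dst, dport, flags in packets:
        if flags == SYN:
            counts[conversation(src, sport, dst, dport)] += 1
    return dict(counts)


def unanswered_handshakes(packets):
    """Direct check: a SYN whose conversation never saw a SYN+ACK or RST back.
    A RST reply is a refused connection, which is a different problem from
    the connect timeout the question asks about, so it counts as answered."""
    first_syn, answered = {}, set()
    for src, sport, dst, dport, flags in packets:
        key = conversation(src, sport, dst, dport)
        if flags == SYN:
            first_syn.setdefault(key, (src, sport, dst, dport))
        elif (flags & (SYN | ACK)) == (SYN | ACK) or flags & RST:
            answered.add(key)
    return [syn for key, syn in first_syn.items() if key not in answered]


if __name__ == "__main__":
    for key, n in sorted(syn_only_counts(SAMPLE).items(), key=lambda kv: -kv[1]):
        print(n, "SYN(s):", key)
    print("unanswered:", unanswered_handshakes(SAMPLE))
```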