Hello guys, I'm new to the Wireshark world and I would like help to capture only the packets with RST or SYN or FIN, and only those between two hosts A and B. I tried this: host A.A.A.A and host B.B.B.B and tcp[tcpflags] & (tcp-rst) != 0 or tcp[tcpflags] & (tcp-syn) != 0 or tcp[tcpflags] & (tcp-fin) != 0 but I only capture [SYN, ACK] packets. Thank you for your response. asked 01 Jun '12, 06:48 KD001
2 Answers:
Please try this:
Capture filter
Display filter
Regards
answered 01 Jun '12, 10:48 Kurt Knochner ♦ edited 01 Jun '12, 11:27
The capture filter I use for that is:
Where 13 is the offset for tcpflags and 7 is a logical or of the specific bits for SYN, FIN and RST. It is the same filter as Kurt's filter, but with less typing ;-) answered 02 Jun '12, 02:43 SYN-bit ♦♦
Yes, it requires fewer characters to type (for the pro), but a lot more synapses to understand (for the newbie) ;-)) (02 Jun '12, 12:53) Kurt Knochner ♦
I totally agree! However... ... I found that I was never able to remember the exact names of the offsets and values, so I kind of got used to remembering the numeric values instead :-) (02 Jun '12, 13:49) SYN-bit ♦♦
I totally agree. That's one reason why I hate IPv6 :-) Hard to remember (O.k. not really necessary) and hard to "visually filter" those damn addresses ;-) I still hope I can skip IPv6 and wait for IPv8, kind of like Vista -> Windows 7 ;-))) (02 Jun '12, 14:30) Kurt Knochner ♦
If the goal is to see only traffic between the two named IP addresses, shouldn't there be an AND rather than an OR there? Or is there some reason that would not work?
yes, you're right. I changed it.
I think you only need to specify the flag names for the display filter, the "== 1" is superfluous.
That's what I thought, however tests with 1.7.1 returned different results. I'll have to repeat the tests.
In 1.29 (don't ask...) the display filter bar turns green when you just enter the flag name. When you add the "==1" the filter bar turns green again. Either way, when applied the results seem to be the same.
I tested with Wireshark 1.6.7.
The "==1" when filtering for certain TCP flags is indeed necessary. There is a difference in meaning between "tcp.flags.syn" and "tcp.flags.syn==1":
tcp.flags.syn There is a field present with the name tcp.flags.syn. Since every TCP packet has that flag present in its header, it will match all TCP packets.
tcp.flags.syn==1 There is a field present with the name tcp.flags.syn and its value is 1. This is only true for SYN and SYN/ACK packets.
Oops, I knew that but somehow forgot last night. I did test using the ack flag with a capture that happened to have ack set in every packet so didn't see my error.
Hello Syn-Bit and Kurt,
I want to thank you for the help you've given me. I tried and it gives me the desired results.
I hope to count on your support for upcoming issues I will ask about on the forum, because I am interested in this tool Wireshark even though I am a beginner in this field.
The way to thank folk for their answers is to accept an answer by clicking the check mark.
In addition, it confuses other users when you post a comment as an "answer" so I've converted your "answer" to a comment.
I guess that's what I saw in my brief tests.
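As an added illustration (not part of the original thread, and not Wireshark's or tcpdump's own code), the Python below models the two points discussed above over constructed TCP headers: SYN-bit's byte-13 capture filter, tcp[13] & 7 != 0, compared with the questioner's ungrouped expression, which pcap-filter evaluates left to right so that the host restriction only binds to the RST term; and the display-filter difference between "field present" (tcp.flags.syn) and "field equals 1" (tcp.flags.syn==1). The addresses, ports and packet list are made up for the demonstration.

```python
import struct

# TCP flag bits as they sit in byte 13 of the TCP header; tcpdump's symbolic
# names (tcp-fin, tcp-syn, tcp-rst, tcp-ack) are noted beside each value.
TH_FIN = 0x01  # tcp-fin
TH_SYN = 0x02  # tcp-syn
TH_RST = 0x04  # tcp-rst
TH_ACK = 0x10  # tcp-ack


def build_tcp_header(sport, dport, flags):
    """Return a minimal 20-byte TCP header (data offset 5, no options)."""
    # ports, seq, ack, data-offset byte, flags byte, window, checksum, urgent
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def tcp_byte13(tcp_header):
    """The byte the capture filter names tcp[13] (alias tcp[tcpflags])."""
    return tcp_header[13]


def syn_fin_rst_filter(pkt):
    """SYN-bit's filter 'tcp[13] & 7 != 0'; 7 == tcp-syn | tcp-fin | tcp-rst."""
    return tcp_byte13(pkt["tcp"]) & (TH_SYN | TH_FIN | TH_RST) != 0


def between_hosts(pkt, a, b):
    """'host A and host B': both addresses present, in either direction."""
    return {pkt["src"], pkt["dst"]} == {a, b}


def ungrouped_filter(pkt, a, b):
    """The question's filter as written, without parentheses. pcap-filter gives
    'and' and 'or' equal precedence, left to right, so it groups as
    ((host A and host B and rst) or syn) or fin: SYN/FIN from any host leaks in."""
    f = tcp_byte13(pkt["tcp"])
    return (between_hosts(pkt, a, b) and f & TH_RST != 0) or f & TH_SYN != 0 or f & TH_FIN != 0


def grouped_filter(pkt, a, b):
    """The intended capture filter: host A and host B and (rst or syn or fin)."""
    return between_hosts(pkt, a, b) and syn_fin_rst_filter(pkt)


def field_present(pkt, flag):
    """Display filter 'tcp.flags.syn' with no comparison: the field exists in
    every TCP header, so every TCP packet matches regardless of the bit value."""
    return pkt["tcp"] is not None


def field_equals(pkt, flag, value):
    """Display filter 'tcp.flags.syn == 1': the field exists AND its value is 1."""
    return ((tcp_byte13(pkt["tcp"]) & flag) != 0) == bool(value)


# Constructed sample traffic (addresses and ports are invented for the example).
A, B, C = "10.0.0.1", "10.0.0.2", "10.0.0.99"
PACKETS = [
    {"name": "A->B SYN", "src": A, "dst": B, "tcp": build_tcp_header(40000, 80, TH_SYN)},
    {"name": "B->A SYN/ACK", "src": B, "dst": A, "tcp": build_tcp_header(80, 40000, TH_SYN | TH_ACK)},
    {"name": "A->B ACK", "src": A, "dst": B, "tcp": build_tcp_header(40000, 80, TH_ACK)},
    {"name": "B->A FIN/ACK", "src": B, "dst": A, "tcp": build_tcp_header(80, 40000, TH_FIN | TH_ACK)},
    {"name": "A->B RST", "src": A, "dst": B, "tcp": build_tcp_header(40000, 80, TH_RST)},
    {"name": "C->A SYN", "src": C, "dst": A, "tcp": build_tcp_header(50000, 22, TH_SYN)},
]


def apply_filter(filter_fn):
    """Names of the sample packets that a filter function accepts."""
    return [p["name"] for p in PACKETS if filter_fn(p)]


if __name__ == "__main__":
    print("grouped   :", apply_filter(lambda p: grouped_filter(p, A, B)))
    print("ungrouped :", apply_filter(lambda p: ungrouped_filter(p, A, B)))
    print("syn field :", apply_filter(lambda p: field_present(p, TH_SYN)))
    print("syn == 1  :", apply_filter(lambda p: field_equals(p, TH_SYN, 1)))
```

The grouped filter keeps only the A/B handshake, teardown and reset packets, while the ungrouped one also admits the SYN from the unrelated host C, which is the kind of stray match the questioner saw. The last two calls reproduce SYN-bit's point: the bare field name matches all six TCP packets, the "== 1" form only the three with SYN set.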