Is it possible to filter Window Update packets with tcpdump? I know that in Wireshark the filter is "tcp.analysis.window_update", but I'm capturing traffic from a server and I can't use Wireshark.
For example the Zero Window packet (tcp.analysis.zero_window) can be filtered with "tcp = 0 && tcp = 0" in tcpdump. Is there something similar for Window Update?
asked 10 Oct '12, 02:12
Unfortunately that's not possible within tcpdump. There is no special flag or byte you can filter on with a capture filter. A window update is just an ACK with a new window size. tcpdump would need to build internal state about the connection (e.g. the previous window size) to detect the window update, and that is not implemented.
Why do you need to filter/detect that during the capture process? Can't you just capture everything and then analyse the capture file later? With the text output of tcpdump and scripting, you should be able to detect the window update.
answered 10 Oct '12, 03:30
Kurt Knochner ♦
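The post-capture scripting approach the answer suggests, as an added example that is not part of the original thread: a small Python script that reads the text output of `tcpdump -nn -tt` (format assumed from tcpdump 4.x) and flags segments that Wireshark would mark as window updates, i.e. zero-length pure ACKs whose window changed while the ack number stayed the same. The sample lines are constructed for illustration.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# One line of `tcpdump -nn -tt` TCP output (assumed format, tcpdump 4.x).
# tcpdump only prints "seq" when the segment carries data or SYN/FIN.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP6? (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\],"
    r"(?: seq (?P<seq>\d+)(?::\d+)?,)?(?: ack (?P<ack>\d+),)? win (?P<win>\d+),"
    r".*? length (?P<len>\d+)"
)

# Constructed sample: the client advertises a zero window, then reopens it.
SAMPLE_LINES = [
    "1349861400.000100 IP 10.0.0.2.51234 > 10.0.0.1.443: Flags [S], seq 1000, win 29200, options [mss 1460], length 0",
    "1349861400.000200 IP 10.0.0.1.443 > 10.0.0.2.51234: Flags [S.], seq 5000, ack 1001, win 28960, options [mss 1460], length 0",
    "1349861400.000300 IP 10.0.0.2.51234 > 10.0.0.1.443: Flags [.], ack 5001, win 29200, length 0",
    "1349861400.001000 IP 10.0.0.1.443 > 10.0.0.2.51234: Flags [P.], seq 5001:6449, ack 1001, win 28960, length 1448",
    "1349861400.001100 IP 10.0.0.2.51234 > 10.0.0.1.443: Flags [.], ack 6449, win 0, length 0",
    "1349861400.050000 IP 10.0.0.2.51234 > 10.0.0.1.443: Flags [.], ack 6449, win 29200, length 0",
    "1349861400.051000 IP 10.0.0.1.443 > 10.0.0.2.51234: Flags [P.], seq 6449:7897, ack 1001, win 28960, length 1448",
    "1349861400.051100 IP 10.0.0.2.51234 > 10.0.0.1.443: Flags [.], ack 7897, win 27752, length 0",
]


def find_window_updates(lines: Iterable[str]) -> List[Tuple[str, str, int, int]]:
    """Return (timestamp, direction, old_win, new_win) for each window update.

    Wireshark's tcp.analysis.window_update: a zero-length segment whose window
    differs from the previous segment in the same direction while seq and ack
    are unchanged.  The seq check is skipped here because tcpdump omits the
    seq field on zero-length ACKs; ack equality excludes ordinary ACKs that
    merely happen to carry a different window.
    """
    last: Dict[Tuple[str, str], Tuple[Optional[int], int]] = {}  # direction -> (ack, win)
    updates: List[Tuple[str, str, int, int]] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a TCP line in the expected format
        direction = (m["src"], m["dst"])
        ack = int(m["ack"]) if m["ack"] else None
        win = int(m["win"])
        pure_ack = m["flags"] == "." and int(m["len"]) == 0
        prev = last.get(direction)
        if prev is not None and pure_ack and ack == prev[0] and win != prev[1]:
            updates.append((m["ts"], f"{m['src']} > {m['dst']}", prev[1], win))
        last[direction] = (ack, win)  # state tcpdump itself never keeps
    return updates


if __name__ == "__main__":
    # Pipe real output in with `find_window_updates(sys.stdin)` instead of the sample.
    for ts, direction, old, new in find_window_updates(SAMPLE_LINES):
        print(f"{ts} {direction}: window update {old} -> {new}")
```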