This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to filter out streams that contain multiple SYN packets

0
1

I am troubleshooting communication problems that my micro web server is encountering.

I may have found a clue to the problem that I mention in this post.

To cut to the chase, I'm looking for a way to search/filter my Wireshark capture where I can quickly find ALL streams that contain more than one SYN request/packet.

For example:

Take a look at this stream and notice how it contains two SYN requests. The way I was able to filter this out was by filtering out each stream one by one (tcp.stream eq 53, then tcp.stream eq 54, etc.) until I found a stream that contained multiple SYNs. It would be nice if Wireshark had an easier way for me to track down the streams that meet the criteria (multiple SYNs).

asked 21 Jan '13, 15:47

KTM
accept rate: 100%


2 Answers:

4

When you enable "Calculate Conversation Timestamps" in the TCP protocol preferences, you can use:

tcp.flags==2 and tcp.time_relative>0

This would show all SYN packets which were not the first packet in the TCP session.

answered 21 Jan '13, 16:07

SYN-bit ♦♦
accept rate: 20%

Good one, didn't think of that - or maybe I just gave up too soon :-)

(21 Jan '13, 16:16) Jasper ♦♦

Well, I have to admit it was inspired by your answer (we should work together more often :-))

(21 Jan '13, 16:20) SYN-bit ♦♦

For noobs like myself - You enable "Calculate Conversation Timestamps" by going to "Edit -> Preferences -> Protocols -> TCP -> Calculate conversation timestamps"

(21 Jan '13, 16:32) KTM
1

That...

... or right-click on the TCP line in the packet detail pane and select "Protocol Preferences" and then select "Calculate Conversation Timestamps"

:-)

(21 Jan '13, 16:38) SYN-bit ♦♦

@Syn-bit - Can you explain what tcp.time_relative does?

I've searched around for an answer to no avail.

(21 Jan '13, 16:39) KTM
1
  • tcp.time_relative is the time of the packet relative to the first packet in the TCP session (tcp.stream)
  • tcp.time_delta is the time of the packet relative to the previous packet in the TCP session (tcp.stream)
(21 Jan '13, 17:11) SYN-bit ♦♦
1

If you enable conversation timestamps, Wireshark will keep track of the time of each TCP packet relative to the other packets in the same flow, and you can filter on that.

(21 Jan '13, 17:12) Jasper ♦♦
1

Damn... here I thought I was being cute by filtering on tcp.flags==02 and using the Statistics conversation, TCP and using the "Limit to display filter" and sorting by relative time.

Figures... Sake would figure out a command line equivalent that's much quicker and relevant. I'll add it to my arsenal for sure! :)

(21 Jan '13, 22:18) hansangb

1

That kind of filtering is pretty hard to do, because you would need to filter on packet relations, which normally can't be done, except in some special cases. What you'd need to do is filter on SYN packets and find those that have a delta time from the previous frame of more than, let's say, 1 second. For this, a filter like tcp.flags==0x02 and frame.time_delta > 1.0 could help (a flag byte of 0x02 means "only the SYN flag is set").

Now for the "but": But this filter will only work if the SYN packets are right next to each other, without anything in between, or otherwise the time part of the filter will not work. Unfortunately I don't think there is a way (yet) to do time based filtering on "same flow" packets - I tried tcp.time_delta, but it didn't help.

answered 21 Jan '13, 15:55

Jasper ♦♦
accept rate: 18%
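The two filters proposed in the answers above behave differently when the repeated SYNs of one connection are interleaved with packets from another connection. The following Python script is an added example (not code from the original thread or from the Wireshark project) that re-creates both filters over a constructed six-packet capture: it emulates what "Calculate Conversation Timestamps" computes per tcp.stream (tcp.time_relative and tcp.time_delta) and applies SYN-bit's filter tcp.flags==2 and tcp.time_relative>0, then applies Jasper's frame-based filter tcp.flags==0x02 and frame.time_delta > 1.0 for comparison. The Packet records, field names and sample timestamps are assumptions made for this illustration; in a real capture the same fields come from the dissector.

```python
from collections import defaultdict
from dataclasses import dataclass

SYN = 0x02  # TCP flags byte with only SYN set; tcp.flags==2 matches exactly this value


@dataclass
class Packet:
    """Minimal stand-in for the Wireshark fields the two filters use (constructed for this example)."""
    frame: int      # frame.number
    time: float     # absolute capture time in seconds (frame.time_epoch)
    stream: int     # tcp.stream, the conversation index assigned by the TCP dissector
    flags: int      # tcp.flags


# Constructed sample capture: stream 0 sends a SYN that goes unanswered and retransmits it
# 3 s later. Stream 1 completes a whole handshake in between, so the two SYNs of stream 0
# are not adjacent frames in the file.
SAMPLE = [
    Packet(1, 0.000, 0, 0x02),  # stream 0: first SYN
    Packet(2, 2.500, 1, 0x02),  # stream 1: SYN
    Packet(3, 2.501, 1, 0x12),  # stream 1: SYN/ACK
    Packet(4, 2.502, 1, 0x10),  # stream 1: ACK
    Packet(5, 3.000, 0, 0x02),  # stream 0: retransmitted SYN
    Packet(6, 3.001, 0, 0x12),  # stream 0: SYN/ACK
]


def conversation_timestamps(packets):
    """Emulate 'Calculate Conversation Timestamps'.

    Yields (packet, tcp.time_relative, tcp.time_delta): time since the first packet of the
    same stream, and time since the previous packet of the same stream.
    """
    first_seen = {}
    prev_seen = {}
    for p in sorted(packets, key=lambda pkt: pkt.frame):
        rel = p.time - first_seen.setdefault(p.stream, p.time)
        delta = p.time - prev_seen.get(p.stream, p.time)
        prev_seen[p.stream] = p.time
        yield p, rel, delta


def syn_bit_filter(packets):
    """tcp.flags==2 and tcp.time_relative>0: SYN-only packets that are not the first packet
    of their stream. Returns the matching frame numbers."""
    return [p.frame for p, rel, _ in conversation_timestamps(packets)
            if p.flags == SYN and rel > 0]


def frame_delta_filter(packets, threshold=1.0):
    """tcp.flags==0x02 and frame.time_delta > threshold: frame.time_delta is measured against
    the previous frame in the file, whatever stream it belongs to."""
    hits = []
    prev_time = None
    for p in sorted(packets, key=lambda pkt: pkt.frame):
        delta = 0.0 if prev_time is None else p.time - prev_time
        if p.flags == SYN and delta > threshold:
            hits.append(p.frame)
        prev_time = p.time
    return hits


def streams_with_multiple_syns(packets):
    """The question's actual goal: the tcp.stream indices that carry more than one SYN."""
    syn_count = defaultdict(int)
    for p in packets:
        if p.flags == SYN:
            syn_count[p.stream] += 1
    return sorted(s for s, n in syn_count.items() if n > 1)


if __name__ == "__main__":
    print("conversation filter hits:", syn_bit_filter(SAMPLE))
    print("frame.time_delta filter hits:", frame_delta_filter(SAMPLE))
    print("streams with multiple SYNs:", streams_with_multiple_syns(SAMPLE))
```

On this sample the conversation-timestamp filter reports frame 5 (the retransmitted SYN of stream 0), which is exactly the stream the question is after, while the frame.time_delta filter reports frame 2 (the perfectly normal first SYN of stream 1, which simply arrived 2.5 s after the previous frame) and misses frame 5 because only half a second separates it from stream 1's ACK. That is the caveat from the second answer made concrete: frame.time_delta relates a packet to its file neighbour, not to its own conversation. On a real capture the equivalent of syn_bit_filter is the display filter itself, for example tshark -r capture.pcap -Y "tcp.flags==2 and tcp.time_relative>0" (with conversation timestamps enabled in the TCP preferences; the capture file name is a placeholder).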