This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Filter for [SYN] packets without [SYN,ACK] response

0

Our company is frequently involved in troubleshooting connection issues after a firewall implementation. Most of the time the firewall is blocking connections on ports which we were not aware of during investigation. Is it possible to have a filter which displays all TCP connection attempts, being [SYN] packets, which are NOT followed by a [SYN,ACK] acknowledgment from the destination host? This way we can quickly filter on connection attempts being blocked by the firewall.

Regards,

Fred van der Hoorn

asked 24 May '13, 11:24


Fred van der...


2 Answers:

2

I have not found a way (yet) to find a single SYN that does not get answered by a SYN/ACK. However, usually these are followed by a retransmission which can be found by using the filter:

tcp.flags==2 && tcp.time_relative>0

(You need to enable "Conversation Timestamps" in the TCP protocol preferences for this to work)

answered 24 May '13, 11:55


SYN-bit ♦♦

Superb! This is a classic example of a rookie's answer vs. a seasoned person's...

(24 May '13, 12:02) krishnayeddula

This might be something where an expert message could be added in the future, since they help a lot when searching for things that depend on packet relations. Something like "[lonely SYN]" :-)

(24 May '13, 12:10) Jasper ♦♦

Hi,

Your help is highly appreciated.

I will give it a try... where can I find the option to enable "Conversation Timestamps" in the TCP protocol preferences?

FYI, my question looks a lot like the question asked in "How to filter out streams that contain multiple SYN packets".

regards,

fred

(24 May '13, 12:25) Fred van der...

Edit > Preferences > Protocols > TCP, and you can check the Conversation Timestamps box.

(24 May '13, 12:28) krishnayeddula

Solved...

The trick of enabling TCP timestamps AND the filter "tcp.flags==2 && tcp.time_relative>0" did the trick. Many thanks... this makes troubleshooting so much easier.

regards

fred

(24 May '13, 12:41) Fred van der...
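The "lonely SYN" check the thread is after, worked offline as an added example (this is not code from the thread or from Wireshark). It parses a classic pcap with only the standard library and reports, per client 4-tuple, whether the SYN was answered with a SYN/ACK, rejected with a RST, or got nothing back at all, together with how many SYNs were sent; the latter is the signal the accepted answer's retransmission filter relies on. The sample capture, the addresses and ports in it, and the filename written at the end are all constructed for the example.

```python
"""Classify TCP SYNs in a pcap: answered (SYN/ACK), rejected (RST) or lonely.

Added example, not code from the original thread or from Wireshark. It does
offline what the thread says a single display filter cannot: report a SYN
that never gets a SYN/ACK from its destination, even when it is sent only
once. It also reports the SYN count per connection attempt, which is the
signal the accepted answer's filter (retransmitted SYNs) relies on.
Standard library only; the sample capture is constructed in memory.
"""
import struct
from collections import defaultdict

# TCP flag bits (byte 13 of the TCP header)
SYN, RST, ACK, ECE, CWR = 0x02, 0x04, 0x10, 0x40, 0x80


def build_packet(src, sport, dst, dport, flags, seq=0):
    """Minimal Ethernet/IPv4/TCP frame for test data (checksums left at 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp      # zero MACs, EtherType IPv4


def build_pcap(packets):
    """Wrap (timestamp, frame) pairs in a classic little-endian pcap, linktype 1."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def iter_tcp(pcap):
    """Yield (time, src, sport, dst, dport, flags) for every IPv4/TCP frame."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap is handled here")
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                    # not IPv4, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack_from("!HH", tcp)
        yield sec + usec / 1e6, src, sport, dst, dport, tcp[13]


def classify_syns(pcap):
    """Return {(src, sport, dst, dport): (status, syn_count, first_syn_time)}.

    status is "answered" (a SYN/ACK came back), "rejected" (a RST came back,
    typical of a firewall reject or a closed port) or "lonely" (nothing came
    back, typical of a firewall drop). A SYN is any segment with SYN set and
    ACK clear, so ECN-setup SYNs (CWR+ECE also set) are counted too; the
    filter tcp.flags==2 would miss those.
    """
    first_syn, syn_count, replies = {}, defaultdict(int), {}
    for ts, src, sport, dst, dport, flags in iter_tcp(pcap):
        if (flags & (SYN | ACK)) == SYN:
            key = (src, sport, dst, dport)
            syn_count[key] += 1
            first_syn.setdefault(key, ts)
            continue
        key = (dst, dport, src, sport)                  # reply: reverse the 4-tuple
        if (flags & (SYN | ACK)) == (SYN | ACK):
            replies[key] = "answered"
        elif (flags & RST) and replies.get(key) != "answered":
            replies[key] = "rejected"
    return {k: (replies.get(k, "lonely"), syn_count[k], t) for k, t in first_syn.items()}


# Constructed sample capture: one handshake, one silently dropped attempt with
# two retransmissions, one RST-rejected attempt, and one single ECN-setup SYN.
SAMPLE_PCAP = build_pcap([
    (0.000, build_packet("10.0.0.5", 40000, "10.0.0.9", 443, SYN)),
    (0.010, build_packet("10.0.0.9", 443, "10.0.0.5", 40000, SYN | ACK)),
    (1.000, build_packet("10.0.0.5", 40001, "10.0.0.9", 8443, SYN)),
    (2.000, build_packet("10.0.0.5", 40001, "10.0.0.9", 8443, SYN)),
    (4.000, build_packet("10.0.0.5", 40001, "10.0.0.9", 8443, SYN)),
    (5.000, build_packet("10.0.0.5", 40002, "10.0.0.7", 22, SYN)),
    (5.005, build_packet("10.0.0.7", 22, "10.0.0.5", 40002, RST | ACK)),
    (6.000, build_packet("10.0.0.5", 40003, "10.0.0.9", 3389, SYN | CWR | ECE)),
])

if __name__ == "__main__":
    for (src, sport, dst, dport), (status, n, t) in sorted(classify_syns(SAMPLE_PCAP).items()):
        print(f"{t:8.3f}  {src}:{sport} -> {dst}:{dport}  {status:8}  SYNs sent: {n}")
    # Write the sample so it can be opened in Wireshark to try the thread's filters.
    with open("lonely_syn_sample.pcap", "wb") as f:
        f.write(SAMPLE_PCAP)
```

Running the script writes lonely_syn_sample.pcap; opening it in Wireshark with "Calculate conversation timestamps" enabled and applying the accepted answer's filter shows only the two retransmitted SYNs to port 8443. The single unanswered SYN to 3389 and the RST-rejected SYN to port 22 both have tcp.time_relative of 0, so the filter cannot show them, which is exactly the gap the answer acknowledges. Two caveats for anyone using the filter in anger: tcp.flags==2 matches only a bare SYN, so an ECN-setup SYN (CWR and ECE also set) is skipped; tcp.flags.syn==1 && tcp.flags.ack==0 is the safer spelling. And a SYN answered by a RST is not "blocked silently" but rejected, which usually points at a firewall reject rule or a closed port rather than a drop, so it is worth keeping the two cases apart as the script does.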

0

tcp.flags==0x0002 in your display filter will display only "SYNs" (or) tcp[13:1]==02

answered 24 May '13, 11:30


krishnayeddula

edited 24 May '13, 11:38

True, but it does not tell me whether the host the SYN packet has as destination responds with a SYN,ACK. I want to see all packets which are NOT followed by a SYN,ACK from the destination host. In that way I can quickly see to which hosts packets are sent but for which NO response is received.

(24 May '13, 11:37) Fred van der...

The Follow TCP Stream option on a SYN packet will tell the whole story of that particular conversation. On the SYN packet, right click and do a Follow TCP Stream to figure out in which conversations the SYN-ACKs are missing.

(OR) Apply this display filter tcp.flags==0x0002 || tcp.flags==0x0012

(24 May '13, 11:42) krishnayeddula