This is our old Q&A Site. Please post any new questions and answers at


We have a capture we are using to troubleshoot an application issue. our application establishes TCP sockets between medical devices and a custom gateway applicaiton on a specific server-side TCP port and IP address.

What i'm looking for help on is this:

How can I use wireshark or additional tool to build a query for the number of established socketed connections contained in the capture?

In other words, after the three way handshake completes, and a socket is established between device and gateway, i'd like to be able to tally them. Ideally, i'd like to be able to pull out the time stamp for each socketed connection that is successfully established.

So for example, if 1000 3-way handshakes complete and a socket is established between devices and Gateway, i'd like to be able to end up with a list of each successful connection and it's timestamp.

From there, I can use excel or Access to graph it out over time.

our custom server side application has no means of reporting on successfully established sockets over time. We are trying to evaluate how the application serves under different medical device loads in order to measure socket performance under different loads.

Being able to use a wireshark capture to break down the data would be very helpful to graph performance over time.

I'm also hoping what ever technique that is suggested here to obtain the data i'm looking for out of the wireshark capture for the number of successfully established socketed connections may also lead me to use a similar mechanism to track the # of forced resets, and maybe the number of normal socket closes.

but for now, i'd love to be able to pull the time stamp, ip address of the source medical device, per row, that represents a successful establishment of a socket from a wireshark capture.

thank you.

asked 16 Mar '11, 12:10

bubbawny69's gravatar image

accept rate: 0%

You can use tshark to achieve these kind of statistics:

$tshark -r tmp.cap -R "tcp.flags==16 && tcp.seq==1 && tcp.ack==1 && tcp.len==0" -T fields -e ip.src | sort -n | uniq -c

The display filter I used filters packets that have only the ACK flag set and SEQ and ACK both 1 and a segment length of 0 (which will be true for the ACK in the 3-way-handshake). This only works when you are using relative sequence numbers.

permanent link

answered 16 Mar '11, 14:59

SYN-bit's gravatar image

SYN-bit ♦♦
accept rate: 20%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 16 Mar '11, 12:10

question was seen: 6,995 times

last updated: 16 Mar '11, 14:59

p​o​w​e​r​e​d by O​S​Q​A