Hi guys, I have an issue where randomly I see the following flow: - SYN - SYN+ ACK - RST+ACK - ACK I want to know how is possible to find in a capture just those four packets, in other words, I want a filter that scan the first with a SYN flag, then search the second packet for a SYN+ACK, then the third packet for a RST+ACK and finally the fourth packet should be an ACK asked 11 Feb '15, 08:39  ventiz |
2 Answers:
It's not really possible to filter on packet dependencies with Wireshark. But what I get from your problem description you're basically looking for a connection reset after the three way handshake is almost complete. For that it should be possible to look for reset flags where the relative sequence number is 1 (0 would be the SYN, so the next packet following it must have sequence number of 1) Maybe that's good enough? answered 11 Feb '15, 08:54  Jasper ♦♦ Thank you Jasper and Kurt, it's sad that cannot filter via dependencies but would be great to have that feature (12 Feb '15, 13:10) ventiz |
This sounds similar to the following question:
I'll update my answer to this:
Those connections with 3-4 packet are likely the connections you are looking for.
Regards answered 11 Feb '15, 14:12  Kurt Knochner ♦ |
Jasper and Kurt thank you for your tips they really help me to find very fast the stream of the packets I was looking for, it's sad that wireshark can find yet packet dependencies but definitely would be a great feature. Thx again