I'm analyzing a packet dump where a client is talking to a server via TCP/IP. Sometimes the connection gets closed by one of the two machines with the usual handshake (FIN/ACK, FIN/ACK, ACK). After that, the client immediately opens a new connection and the process repeats after a few packets were sent. How do I create a statistic of which side (client or server) initiated the most connection shutdowns? asked 16 May '11, 06:50 grimmig
One Answer:
I would pass all SYN/FIN/RST packets to a little perl (or awk) script that will keep a list of sessions that are created (SYN, no ACK), then when the first FIN or RST for that session comes, you can set a flag "closed-by-client" or "closed-by-server" for that session and once the whole file is processed, you can create the statistics. answered 20 May '11, 23:20 SYN-bit ♦♦
Does the menu "Statistics > Conversations List > TCP" help you?
No. It only shows that conversations happened and who started them, but not who closed them.
I think what I need is a filter that shows only the first FIN packet in a conversation. Then I can simply run awk over the output and count the lines for each IP.
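The session-tracking approach from the answer above (register a session on its bare SYN, attribute it to whichever side sends the first FIN or RST), written out as an added Python example rather than the perl/awk script mentioned; it is not code from the thread. It assumes the packets have already been exported to one whitespace-separated line each (source IP, source port, destination IP, destination port, flag letters), and the sample lines are constructed.

```python
from collections import Counter

# Constructed sample, one packet per line: src sport dst dport flags
# (S=SYN, A=ACK, F=FIN, R=RST). Three sessions plus one FIN whose SYN
# was not captured.
SAMPLE = """\
10.0.0.5 40001 10.0.0.9 80 S
10.0.0.9 80 10.0.0.5 40001 SA
10.0.0.5 40001 10.0.0.9 80 A
10.0.0.9 80 10.0.0.5 40001 FA
10.0.0.5 40001 10.0.0.9 80 FA
10.0.0.9 80 10.0.0.5 40001 A
10.0.0.5 40002 10.0.0.9 80 S
10.0.0.9 80 10.0.0.5 40002 SA
10.0.0.5 40002 10.0.0.9 80 FA
10.0.0.9 80 10.0.0.5 40002 FA
10.0.0.5 40003 10.0.0.9 80 S
10.0.0.9 80 10.0.0.5 40003 R
10.0.0.1 5555 10.0.0.9 80 FA
"""

def session_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a flow share a record."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def count_closers(lines):
    """Count who sent the first FIN/RST of each session: 'client' (the
    SYN sender), 'server', or 'unknown' when no SYN was seen for it."""
    sessions = {}   # key -> {"client": (ip, port) or None, "closed": bool}
    stats = Counter()
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue
        src, sport, dst, dport, flags = fields
        key = session_key(src, sport, dst, dport)
        if "S" in flags and "A" not in flags:
            # Bare SYN starts a new session; this also resets the record
            # when the client reuses the same port after a close.
            sessions[key] = {"client": (src, sport), "closed": False}
            continue
        if "F" in flags or "R" in flags:
            sess = sessions.get(key)
            if sess is None:
                # Mid-capture session: count it once, then ignore it.
                sessions[key] = {"client": None, "closed": True}
                stats["unknown"] += 1
            elif not sess["closed"]:
                sess["closed"] = True
                side = "client" if (src, sport) == sess["client"] else "server"
                stats[side] += 1
    return stats
```

Only the first FIN or RST per session is counted, so the second FIN of a normal teardown is ignored, as is a RST that follows a FIN.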