This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I'm analyzing a packet dump where a client is talking to a server via TCP/IP. Sometimes the connection gets closed by one of the two machines with the usual handshake (FIN/ACK, FIN/ACK, ACK). After that, the client immediately opens a new connection and the process repeats after a few packets were sent.

How do I create a statistic which side (client or server) initiated the most connection shutdowns?

asked 16 May '11, 06:50

grimmig's gravatar image

grimmig
21113
accept rate: 0%

Does the menu "Statistics > Conversations List > TCP" help you?

(16 May '11, 22:14) helloworld

No. It only shows that conversations happened and who started them, but not who closed them.

I think what I need is a filter that shows only first FIN packet in a conversation. Then I can simply run awk over the output and count the lines for each IP.

(19 May '11, 23:43) grimmig

I would pass all SYN/FIN/RST packets to a little perl (or awk) script that will keep a list of sessions that are created (SYN, no ACK), then when the first FIN or RST for that session comes, you can set a flag "closed-by-client" or "closed-by-server" for that session and once the while file is processed, you can create the statistics.

permanent link

answered 20 May '11, 23:20

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×752
×178
×86
×20
×9

question asked: 16 May '11, 06:50

question was seen: 2,693 times

last updated: 20 May '11, 23:20

p​o​w​e​r​e​d by O​S​Q​A