This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

So I have two pcaps and I need to get the length of each connection in them and graph them against the connection start times (so y axis is duration and x axis is time). I also need to find connections that did not end with an ACK after a FIN-ACK. I am new to working with pcaps so I am unsure how to do this. I assume wireshark would be easiest but if tcpdump or some other utility would be better that is fine as well. Can anyone help me with a filter?

Thanks

asked 28 Mar '15, 07:25

thaweatherman's gravatar image

thaweatherman
1112
accept rate: 0%


You could use the conversations statistics to create a list of all conversations. It has columns for the relative start and duration, so you could export those statistics to graph something in Excel or any other graphical program.

The other problem is finding FINs without a following ACK - this is next to impossible, because you can't filter on packet dependencies. There are some tricks to do this for the session start, but not for the session termination. May I ask why you need to find conversations like this?

permanent link

answered 28 Mar '15, 09:35

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

Thanks for your answer. How do I pull up the conversations statistics? It looks like there should be a Conversations option under the Statistics menu but I don't see one (version 1.12.4). As for the FIN without ACK (to keep it simple), I want to record those conversations' lengths as well by assigning a specific time length.

(28 Mar '15, 11:20) thaweatherman

yes, the conversation statistics are found in the statistics menu, and it is definitely available in 1.12.4. its the third options from the top, called "conversations".

(28 Mar '15, 15:33) Jasper ♦♦

You can filter on all completing TCP connections (SYN->FIN/RST) and use Statistics -> IOGraph to draq the tcp.time_relative on the y axis using y Axis -> Unit advanced. The filter would be
tcp[13]&5 and !tcp.window_size_scalefactor==-1

For the second part of your question wireshark would have to keep track of the tcp session's state in a variable which you could then filter on tcp.state=="FINWAIT2". It currently doesn't do this but certainly sounds like it could be done - but I'm not a coder so maybe easier said than done ;-)

Regards Matthias alt text

permanent link

answered 28 Mar '15, 23:20

mrEEde's gravatar image

mrEEde
3.9k152270
accept rate: 20%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×349
×238
×97

question asked: 28 Mar '15, 07:25

question was seen: 2,666 times

last updated: 28 Mar '15, 23:20

p​o​w​e​r​e​d by O​S​Q​A