This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to calculate connection between tcp syn and ack after fin-ack?

0

Hi all, I have a pcap file that contains many TCP connections. I would like to calculate the duration between the TCP SYN and the ACK after the FIN-ACK for every connection. Thank you for helping us.

This question is marked "community wiki".

asked 06 Nov '15, 03:33


Abo3abbas

wikified 06 Nov '15, 05:43


One Answer:

1

Have you tried Statistics -> Conversations -> TCP, looking at the "Duration" column?

answered 06 Nov '15, 03:48


Jasper ♦♦

So which duration are you looking for?

  • SYN - SYN/ACK - ACK
  • SYN - SYN/ACK - ACK ... FIN - ACK - FIN - ACK?

The first one is iRTT, which you can see in the TCP decode in the SEQ/ACK Analysis; the second one is usually the duration.

(06 Nov '15, 03:55) Jasper ♦♦

Well, Wireshark separates conversations from SYN to FIN or Reset, so even if you have port reuse, you'll see two conversations then, with a duration each. That should be good enough for most cases.

When you have to deal with missing FIN packets (incomplete conversations) the duration will be wrong, but the only way to verify those is to do it manually.

(06 Nov '15, 04:06) Jasper ♦♦
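
The per-connection measurement discussed in this thread (SYN to the last ACK after both FINs, a reset also ending a conversation, port reuse counted as a separate conversation, and a missing FIN leaving the duration unknown), as an added example that is not part of the original posts and is not Wireshark's own code. It assumes time-ordered `(time, src, sport, dst, dport, flags)` tuples already extracted from the capture and does no sequence-number checks; all names and the sample packets are constructed.

```python
from collections import namedtuple

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10  # TCP header flag bits

Conv = namedtuple("Conv", "client server start duration ended_by")

def tcp_durations(packets):
    """packets: time-ordered (epoch, src, sport, dst, dport, flags) tuples.
    Returns one Conv per connection that starts with a bare SYN in the capture."""
    live, out = {}, []

    def close(st):
        dur = None if st["end"] is None else round(st["end"] - st["start"], 6)
        out.append(Conv(st["client"], st["server"], st["start"], dur, st["by"]))

    for ts, src, sport, dst, dport, flags in packets:
        sender, receiver = (src, sport), (dst, dport)
        key = frozenset((sender, receiver))
        st = live.get(key)
        if flags & SYN and not flags & ACK:
            if st and st["syn_only"]:
                continue  # retransmitted SYN, nothing has answered yet
            if st:
                close(st)  # port reuse: same 4-tuple, new conversation
            live[key] = {"client": sender, "server": receiver, "start": ts,
                         "end": None, "fins": set(), "by": "incomplete",
                         "syn_only": True}
            continue
        if st is None or st["by"] == "rst":
            continue  # SYN not captured, or stray packets after a reset
        st["syn_only"] = False
        if flags & RST:
            st["end"], st["by"] = ts, "rst"
        elif flags & FIN:
            st["fins"].add(sender)
        elif flags & ACK and len(st["fins"]) == 2:
            st["end"], st["by"] = ts, "fin"  # pure ACK after both FINs, keep latest
    for st in live.values():
        close(st)  # whatever is left when the capture ends
    return sorted(out, key=lambda c: c.start)

# Constructed sample: a clean close, a one-sided FIN, then port reuse ending in RST.
A, B, C = ("10.0.0.1", 50000), ("10.0.0.2", 80), ("10.0.0.3", 40000)
SAMPLE = [(t, *s, *d, f) for t, s, d, f in [
    (0.00, A, B, SYN), (0.01, B, A, SYN | ACK), (0.02, A, B, ACK),
    (0.50, A, B, FIN | ACK), (0.51, B, A, FIN | ACK), (0.52, A, B, ACK),
    (1.00, C, B, SYN), (1.01, B, C, SYN | ACK), (1.02, C, B, ACK),
    (1.50, C, B, FIN | ACK),
    (5.00, A, B, SYN), (5.01, B, A, SYN | ACK), (5.02, A, B, ACK), (5.30, A, B, RST)]]
```

Connections reported with `ended_by == "incomplete"` have no duration and are the ones to check by hand.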