I am able to use the filter tcp.analysis.duplicate_ack_num to filter for duplicate packets. I need to translate it to allow me to use this filter on a Blue Coat proxy. I am able to use the filter tcp[0xd]&2=2 to locate only SYN packets, but I would like to know how to translate the duplicate-packet filter into this type of format. Direction on how to do it, or what the filter is, would be greatly appreciated! Note: updated the title, as it should have mentioned the ACK rather than a duplicate packet.
asked 21 Jan '16, 09:15 polar315, edited 21 Jan '16, 09:36
One Answer:
You cannot filter for duplicate ACKs with a capture filter. The reason is that Wireshark determines a packet to be a duplicate ACK while examining it with its TCP expert module. It is basically a calculation that checks dependencies between two or more packets, none of which is possible for a capture filter, as it would be much too slow. Capture filters cannot keep track of the state of a TCP conversation, as they would have to back-buffer packets. And a capture filter does not even know how long it has to keep them, because the duplicate ACK may be hundreds of packets away.
answered 21 Jan '16, 12:29 Jasper
I am running a capture filter on tcp.analysis.duplicate_ack && !tcp.analysis.duplicate_ack_num == 1 during a capture, and it successfully shows the duplicate ACKs. This is allowing me to grab the duplicate packets without filling my buffers.
There is a substantial difference between a display filter and a capture filter.
@Jasper has answered you the way he did because (just guessing ;-) ) he saw the keyword "capture" in the subject of your question; I have seen that you used the display filter syntax in the body of the question, but I was unable to answer until now.
Please look at the difference between the two at the Wireshark wiki. Next, please re-read this part of your question as if you were reading it for the first time, and try to explain better what you want to achieve with the display filter.
I understand the confusion. It is a display filter, as all the other packets are still in the capture, but it is only displaying the duplicate ACKs. So it is not a capture filter I have in place.
As the Blue Coat pcap has a 100 meg limit and the data will fill that in less than a second, I wanted to get a capture filter that would only get the duplicates.
rock <-me-> hard place.
Thanks for the clarification.
Well, as you've mentioned that you can set up a capture filter for packets with the SYN bit set, I was wondering whether it might be enough for you to identify retransmissions of the initial SYN packets from the client by detecting retransmissions of the corresponding (SYN, ACK) from the server.
Because in such a case, you could use your capture filter
tcp[0xd]&2=2
(only guessing that you can use capture filters on the Blue Coat, because from the way you wrote it I didn't get whether you can get to its shell to run a regular tcpdump there, or whether it is an appliance where you can only use some pre-defined capture options), and then use your tcp.analysis.duplicate_ack_num display filter on the resulting file. That way, you would capture only the SYN packets from the client and the (SYN, ACK) ones from the server, where the former would define the absolute sequence numbers so the retransmissions of the latter could be identified as retransmissions. So if a SYN, ACK got lost on its way to the client, the client would send a new SYN and the repeated SYN, ACK would be identified as a retransmission.
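The following is an added worked example, not code from the thread or from Wireshark or Blue Coat. It illustrates two points made above: Jasper's answer that a capture filter is a stateless test on one packet's bytes (here tcp[0xd]&2=2, the SYN bit in byte 13 of the TCP header) while tcp.analysis.duplicate_ack needs per-conversation state, and the last comment's workaround of capturing only SYN/SYN-ACK packets and spotting repeats afterwards. The "packets" are constructed inline as bare 20-byte TCP headers with no Ethernet or IP layer and no options, so byte 13 of each record is exactly what tcp[0xd] would address; the duplicate-ACK rule is a simplified rendering of Wireshark's heuristic (zero payload, ACK set, SYN/FIN/RST clear, same seq, ack and window as the previous segment in that direction), not Wireshark's own code.

```python
"""Stateless capture filter vs. stateful duplicate-ACK analysis (constructed example)."""
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
HDR = "!HHIIHHHH"  # sport, dport, seq, ack, data-offset+flags, window, checksum, urgent


def tcp_segment(sport, dport, seq, ack, flags, window=65535, payload=b""):
    """Build a minimal TCP segment: data offset 5 (20-byte header), no options, zero checksum."""
    return struct.pack(HDR, sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0) + payload


def parse(segment):
    sport, dport, seq, ack, off_flags, window, _, _ = struct.unpack(HDR, segment[:20])
    payload_len = len(segment) - (off_flags >> 12) * 4
    return sport, dport, seq, ack, off_flags & 0x1FF, window, payload_len


def syn_filter(segment):
    """What a capture filter can do: tcp[0xd]&2=2 looks at one byte of one packet, no memory."""
    return segment[13] & TCP_SYN == TCP_SYN


def find_duplicate_acks(segments):
    """What a capture filter cannot do: compare each segment with earlier ones in the same direction.

    Simplified version of the heuristic behind tcp.analysis.duplicate_ack. Returns
    [(packet_index, duplicate_ack_num), ...] with duplicate_ack_num counted from 1, as in Wireshark.
    """
    last = {}  # (sport, dport) -> (seq, ack, window, dup_count) for the previous segment that way
    hits = []
    for i, seg in enumerate(segments):
        sport, dport, seq, ack, flags, window, plen = parse(seg)
        key = (sport, dport)
        prev = last.get(key)
        is_dup = (
            prev is not None
            and plen == 0
            and bool(flags & TCP_ACK)
            and not flags & (TCP_SYN | TCP_FIN | TCP_RST)
            and prev[:3] == (seq, ack, window)
        )
        count = prev[3] + 1 if is_dup else 0
        if is_dup:
            hits.append((i, count))
        last[key] = (seq, ack, window, count)
    return hits


def find_repeated_syns(segments):
    """The workaround from the last comment: keep only packets passing tcp[0xd]&2=2 (what the
    appliance would have saved), then flag any SYN or SYN/ACK whose (direction, seq, ack) was
    already seen as a retransmission. Returns indices into the original list."""
    seen = set()
    hits = []
    for i, seg in enumerate(segments):
        if not syn_filter(seg):
            continue
        sport, dport, seq, ack, *_ = parse(seg)
        sig = (sport, dport, seq, ack)
        if sig in seen:
            hits.append(i)
        seen.add(sig)
    return hits


# Constructed trace 1: the server's second data segment (seq 5101..5200) is lost, so the client
# keeps re-acknowledging 5101 while later segments arrive out of order.
DATA_LOSS = [
    tcp_segment(40000, 80, 1000, 0, TCP_SYN),                                   # 0 SYN
    tcp_segment(80, 40000, 5000, 1001, TCP_SYN | TCP_ACK),                      # 1 SYN/ACK
    tcp_segment(40000, 80, 1001, 5001, TCP_ACK),                                # 2 ACK
    tcp_segment(80, 40000, 5001, 1001, TCP_ACK | TCP_PSH, payload=b"A" * 100),  # 3 data
    tcp_segment(40000, 80, 1001, 5101, TCP_ACK),                                # 4 ACK 5101
    tcp_segment(80, 40000, 5201, 1001, TCP_ACK | TCP_PSH, payload=b"B" * 100),  # 5 out of order
    tcp_segment(40000, 80, 1001, 5101, TCP_ACK),                                # 6 dup ACK #1
    tcp_segment(80, 40000, 5301, 1001, TCP_ACK | TCP_PSH, payload=b"C" * 100),  # 7 out of order
    tcp_segment(40000, 80, 1001, 5101, TCP_ACK),                                # 8 dup ACK #2
]

# Constructed trace 2: the first SYN/ACK never reaches the client, which retransmits its SYN;
# the server, still in SYN-RECEIVED, answers with the same SYN/ACK again.
LOST_SYNACK = [
    tcp_segment(40000, 443, 1000, 0, TCP_SYN),               # 0 SYN
    tcp_segment(443, 40000, 7000, 1001, TCP_SYN | TCP_ACK),  # 1 SYN/ACK, lost on the way back
    tcp_segment(40000, 443, 1000, 0, TCP_SYN),               # 2 client retransmits SYN
    tcp_segment(443, 40000, 7000, 1001, TCP_SYN | TCP_ACK),  # 3 server retransmits SYN/ACK
]

if __name__ == "__main__":
    print("tcp[0xd]&2=2 matches:", [i for i, s in enumerate(DATA_LOSS) if syn_filter(s)])
    print("duplicate ACKs (index, duplicate_ack_num):", find_duplicate_acks(DATA_LOSS))
    print("repeated SYN/SYN-ACK in SYN-only capture:", find_repeated_syns(LOST_SYNACK))
```

Running it shows the asymmetry the answer describes: syn_filter decides per packet from byte 13 alone, while find_duplicate_acks has to remember the previous segment of every direction of every conversation for an unbounded time, which is exactly the state a BPF-style capture filter does not have. On a real appliance the same SYN-only capture would be produced by tcp[0xd]&2=2 and the repeated handshakes would then be found with Wireshark's display filters on the saved file.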