
How to get (using filters) TCP packets used for establishment and closing


Hi,

I am aware of the three-way handshake protocol in TCP and how SYN, SYN_ACK and FIN help identify the stages of establishment and teardown. Is there any filter (in Wireshark) I can use to get these (ones for establishment) and (ones for teardown) separately from data packets?

asked 13 Oct '16, 09:58


learner_tcp
accept rate: 0%


One Answer:


Not easily, as filters only determine if a particular packet should be displayed or not depending on fields (real or synthesized) in that packet. This makes it difficult to display the final ACK for the connection establishment and teardown, as they don't look different from any other ACK. If you have relative sequence numbers on, the final ACK for establishment can be located as it will have a sequence number and ack value of 1. This gives a filter of:

(tcp.flags.syn == 1) || (tcp.flags.ack == 1 && (tcp.seq == 1) && (tcp.ack == 1)) || (tcp.flags.fin == 1)

answered 13 Oct '16, 10:34


grahamb ♦
accept rate: 22%

edited 13 Oct '16, 10:34
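The answer's display filter is stateless: it judges each packet on its own fields. The added example below (my own code, not part of the answer and not Wireshark's filter engine) evaluates that same expression over a constructed, relatively-numbered TCP conversation, and then runs a small per-stream state machine that tracks the SYN/SYN-ACK exchange and each side's FIN to label establishment and teardown packets separately, which is what the question asked for. The packet list, the "client"/"server" labels and the helper names are all assumptions made up for this illustration. It also shows why the stateless filter matches one packet too many: with relative numbering, the first data segment a client sends right after the handshake also carries seq 1 / ack 1.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    """One TCP segment with the fields the filter looks at.
    seq/ack are relative, as Wireshark shows them by default."""
    no: int
    src: str        # "client" or "server" (constructed labels, not real hosts)
    flags: set
    seq: int
    ack: int
    length: int     # TCP payload bytes

def matches_answer_filter(p: Pkt) -> bool:
    """Python rendering of the display filter from the answer:
    (tcp.flags.syn == 1) || (tcp.flags.ack == 1 && tcp.seq == 1 && tcp.ack == 1) || (tcp.flags.fin == 1)"""
    return ("SYN" in p.flags
            or ("ACK" in p.flags and p.seq == 1 and p.ack == 1)
            or "FIN" in p.flags)

def classify_stream(packets):
    """Stateful pass over one TCP stream (packets in capture order).
    Returns (establishment_packet_numbers, teardown_packet_numbers)."""
    establishment, teardown = [], []
    synack_seen = False
    handshake_done = False
    fin_seq = {}  # side -> relative seq of the FIN it sent

    for p in packets:
        if "SYN" in p.flags:
            establishment.append(p.no)
            if "ACK" in p.flags:
                synack_seen = True
            continue
        # Third packet of the handshake: a pure ACK (no payload) from the
        # client acknowledging the SYN/ACK. Payload length is what separates
        # it from the first data segment, which the stateless filter cannot do.
        if (synack_seen and not handshake_done and p.src == "client"
                and "ACK" in p.flags and p.length == 0 and p.seq == 1 and p.ack == 1):
            establishment.append(p.no)
            handshake_done = True
            continue
        if "FIN" in p.flags:
            teardown.append(p.no)
            fin_seq[p.src] = p.seq
            continue
        # An ACK whose ack number is exactly the peer's FIN seq + 1 is
        # acknowledging that FIN, so it belongs to the teardown.
        peer = "server" if p.src == "client" else "client"
        if "ACK" in p.flags and peer in fin_seq and p.ack == fin_seq[peer] + 1:
            teardown.append(p.no)
    return establishment, teardown

# Constructed conversation: handshake, 100 bytes up, 50 bytes down, FIN from each side.
SAMPLE_STREAM = [
    Pkt(1,  "client", {"SYN"},        0,   0,   0),
    Pkt(2,  "server", {"SYN", "ACK"}, 0,   1,   0),
    Pkt(3,  "client", {"ACK"},        1,   1,   0),    # handshake ACK
    Pkt(4,  "client", {"PSH", "ACK"}, 1,   1,   100),  # first data, also seq 1 / ack 1
    Pkt(5,  "server", {"ACK"},        1,   101, 0),
    Pkt(6,  "server", {"PSH", "ACK"}, 1,   101, 50),
    Pkt(7,  "client", {"ACK"},        101, 51,  0),
    Pkt(8,  "client", {"FIN", "ACK"}, 101, 51,  0),
    Pkt(9,  "server", {"ACK"},        51,  102, 0),    # acks client's FIN
    Pkt(10, "server", {"FIN", "ACK"}, 51,  102, 0),
    Pkt(11, "client", {"ACK"},        102, 52,  0),    # acks server's FIN
]

def filter_hits(packets=SAMPLE_STREAM):
    return [p.no for p in packets if matches_answer_filter(p)]

if __name__ == "__main__":
    print("display filter shows:", filter_hits())
    est, tear = classify_stream(SAMPLE_STREAM)
    print("establishment:", est)
    print("teardown:     ", tear)
```

On this stream the stateless filter shows packets 1, 2, 3, 4, 8 and 10: it catches the handshake and both FINs but also the first data segment (4) and neither of the ACKs that close the teardown (9 and 11). The stateful pass yields establishment 1, 2, 3 and teardown 8, 9, 10, 11. In Wireshark the equivalent of the stateful pass is Follow TCP Stream or a per-stream script over tshark output, rather than a display filter.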