Im trying to track down an issue where sometimes a FIN arrives 3-6 seconds after an HTTP connection with a Connection:close header very intermittently. Is there any way to filter a caputure based on total TCP session time, or perhaps long Delta time of any two packets in a tcp stream?
asked 25 Feb '17, 08:57
You can change the displayed time to delta between two displayed packets. Hint: Mark the two packets you want to compare and use the display filter frame.marked=true
answered 25 Feb '17, 12:23
You can enable "Calculate Conversation Timestamps" in the TCP protocol preferences. This will give you the two fields:
You can then find (or filter) with "tcp.flags.fin==1 and tcp.time_delta>=3 and tcp.time_delta<=6". Of course it will not take into account whether or not there was a "Connection: close" header in the request, but since webserver timeouts are usually larger than 6 seconds (15 secs is seen often), you will get pretty close to what you try to accomplish.
If you want to make sure there was a "Connection: close" header first, you could either create a MATE script. Or use tshark with something like this:
(I split up this one-liner into multiple lines to make it more readable, but please just copy it all to one line)
Which will first make a list of tcp stream numbers of all tcp streams that contain a "Connection: close" header and then combines that with the filter for the long tcp delay before the FIN packet.
answered 27 Feb '17, 01:42