This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do i filter TCP connection with [SYN] and [SYN, ACK ] without [ACK ] response?

0

I want to identify SYN FLOOD attacks in my Packet trace (TCP) file by applying a Wireshark filter command that is capable of filtering out TCP connections that completed only 2WAY handshake without [ACK ] response. But I don't the command to use.

Thank in anticipation

asked 24 Apr '17, 00:34

moronto's gravatar image

moronto
11448
accept rate: 0%


One Answer:

3

That's not an easy task because Wireshark can't filter on packet dependencies between multiple packets without some tricks. What I would do is try this filter:

(tcp.flags==0x12) and not tcp.analysis.initial_rtt

"tcp.flags==0x12" looks for SYN/ACK packets (you could also use "tcp.flags.syn==1 and tcp.flags.ack==1", or, if you want SYN and SYN/ACK, use "tcp.flags.syn==1 or (tcp.flags.syn==1 and tcp.flags.ack==1)".

The trick is using "not tcp.analysis.initial_rtt", because that checks if Wireshark calculcated the initial round trip time for the conversation - and that's something it only does if the handshake is complete. So if the field is missing, and the SYN/ACK was seen, you have a half open connection (assuming the SYN is there). Note that the filter is not checking for an actual iRTT value, which it would do with a double equal operator (e.g. "tcp.analysis.initial_rtt==0.12345"), but if the field exists at all.

answered 24 Apr '17, 00:46

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

edited 24 Apr '17, 00:49

Thanks Jasper, your comment really solved the problem.

(24 Apr '17, 08:54) moronto

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(24 Apr '17, 10:05) grahamb ♦