I want to identify SYN FLOOD attacks in my Packet trace (TCP) file by applying a Wireshark filter command that is capable of filtering out TCP connections that completed only 2WAY handshake without [ACK ] response. But I don't the command to use. Thank in anticipation asked 24 Apr '17, 00:34  moronto |
One Answer:
That's not an easy task because Wireshark can't filter on packet dependencies between multiple packets without some tricks. What I would do is try this filter: "tcp.flags==0x12" looks for SYN/ACK packets (you could also use "tcp.flags.syn==1 and tcp.flags.ack==1", or, if you want SYN and SYN/ACK, use "tcp.flags.syn==1 or (tcp.flags.syn==1 and tcp.flags.ack==1)". The trick is using "not tcp.analysis.initial_rtt", because that checks if Wireshark calculcated the initial round trip time for the conversation - and that's something it only does if the handshake is complete. So if the field is missing, and the SYN/ACK was seen, you have a half open connection (assuming the SYN is there). Note that the filter is not checking for an actual iRTT value, which it would do with a double equal operator (e.g. "tcp.analysis.initial_rtt==0.12345"), but if the field exists at all. answered 24 Apr '17, 00:46  Jasper ♦♦ edited 24 Apr '17, 00:49 |
Thanks Jasper, your comment really solved the problem.
If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.