I want to identify SYN FLOOD attacks in my packet trace (TCP) file by applying a Wireshark filter command that is capable of filtering out TCP connections that completed only a 2-way handshake without an [ACK] response. But I don't know the command to use.
Thanks in anticipation
asked 24 Apr '17, 00:34
That's not an easy task because Wireshark can't filter on packet dependencies between multiple packets without some tricks. What I would do is try this filter:
"tcp.flags==0x12" looks for SYN/ACK packets (you could also use "tcp.flags.syn==1 and tcp.flags.ack==1", or, if you want SYN and SYN/ACK, use "tcp.flags.syn==1 or (tcp.flags.syn==1 and tcp.flags.ack==1)").
The trick is using "not tcp.analysis.initial_rtt", because that checks if Wireshark calculated the initial round trip time for the conversation - and that's something it only does if the handshake is complete. So if the field is missing, and the SYN/ACK was seen, you have a half open connection (assuming the SYN is there). Note that the filter is not checking for an actual iRTT value, which it would do with a double equal operator (e.g. "tcp.analysis.initial_rtt==0.12345"), but if the field exists at all.
answered 24 Apr '17, 00:46
edited 24 Apr '17, 00:49
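The following is an added example, not part of the question or the answer above, that reproduces the answer's logic outside Wireshark: it walks a trace in order, tracks each TCP conversation's handshake state, and reports the SYN/ACK frames that never received the initiator's completing ACK, which is the set the described display filter would show. The combined filter string in HALF_OPEN_FILTER is my reading of the two parts the answer describes, and the packet records (10.0.0.0/8 and 198.51.100.0/24 addresses, frame numbers, flag bytes) are constructed in-memory rather than read from a capture file.

```python
"""Handshake-state tracker that flags half-open TCP connections (SYN/ACK seen,
no completing ACK), the same condition the Wireshark filter in the answer
selects. Packet records are constructed in-memory, not read from a pcap."""
from collections import namedtuple
from typing import Dict, Iterable, List, Tuple

# Minimal packet record: frame number, endpoints and the raw TCP flags byte.
Packet = namedtuple("Packet", "no src sport dst dport flags")

# TCP flag bits as Wireshark shows them in tcp.flags (RST/FIN ignored here).
FLAG_SYN = 0x02
FLAG_ACK = 0x10
FLAG_SYN_ACK = FLAG_SYN | FLAG_ACK  # 0x12, the value used in tcp.flags==0x12

# Display filter equivalent to the tracker below (my reading of the answer):
# SYN/ACK packets whose conversation never had an iRTT computed.
HALF_OPEN_FILTER = "tcp.flags == 0x12 and not tcp.analysis.initial_rtt"

Endpoint = Tuple[str, int]
ConvKey = Tuple[Endpoint, Endpoint]

# Constructed sample trace: one legitimate connection from 10.0.0.5 to
# 10.0.0.1:80, then SYNs from addresses that get a SYN/ACK but never send the
# final ACK (half-open), plus one SYN that got no reply at all.
SAMPLE_TRACE = [
    Packet(1, "10.0.0.5", 40000, "10.0.0.1", 80, FLAG_SYN),
    Packet(2, "10.0.0.1", 80, "10.0.0.5", 40000, FLAG_SYN_ACK),
    Packet(3, "10.0.0.5", 40000, "10.0.0.1", 80, FLAG_ACK),
    Packet(4, "198.51.100.7", 1025, "10.0.0.1", 80, FLAG_SYN),
    Packet(5, "10.0.0.1", 80, "198.51.100.7", 1025, FLAG_SYN_ACK),
    Packet(6, "198.51.100.8", 1026, "10.0.0.1", 80, FLAG_SYN),
    Packet(7, "10.0.0.1", 80, "198.51.100.8", 1026, FLAG_SYN_ACK),
    Packet(8, "198.51.100.9", 1027, "10.0.0.1", 80, FLAG_SYN),
]


def conversation_key(pkt: Packet) -> ConvKey:
    """Direction-independent key so both sides of a flow map to one entry."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (a, b) if a <= b else (b, a)


def track_handshakes(packets: Iterable[Packet]) -> Dict[ConvKey, dict]:
    """Walk the trace in order and record each conversation's handshake state.

    States: 'syn' (initiator's SYN only), 'syn_ack' (server replied, no final
    ACK yet), 'established' (initiator's ACK seen). A retransmitted SYN never
    regresses an existing conversation's state.
    """
    convs: Dict[ConvKey, dict] = {}
    for pkt in packets:
        key = conversation_key(pkt)
        syn = bool(pkt.flags & FLAG_SYN)
        ack = bool(pkt.flags & FLAG_ACK)
        if syn and not ack:
            # New connection attempt (or a retransmit); remember who initiated.
            convs.setdefault(key, {"initiator": (pkt.src, pkt.sport),
                                   "state": "syn", "syn_ack_frame": None})
        elif syn and ack:
            conv = convs.get(key)
            if conv and conv["state"] == "syn":
                conv["state"] = "syn_ack"
                conv["syn_ack_frame"] = pkt.no
        elif ack:
            conv = convs.get(key)
            # Only the initiator's ACK completes the three-way handshake; this
            # is the point at which Wireshark computes tcp.analysis.initial_rtt.
            if (conv and conv["state"] == "syn_ack"
                    and (pkt.src, pkt.sport) == conv["initiator"]):
                conv["state"] = "established"
    return convs


def half_open_frames(packets: Iterable[Packet]) -> List[int]:
    """Frame numbers of SYN/ACKs with no completing ACK: what HALF_OPEN_FILTER shows."""
    convs = track_handshakes(packets)
    return sorted(c["syn_ack_frame"] for c in convs.values()
                  if c["state"] == "syn_ack")


def handshake_summary(packets: Iterable[Packet]) -> Dict[str, int]:
    """Conversations per state; many 'syn_ack'/'syn' next to few 'established'
    is the SYN-flood signature the question is looking for."""
    counts = {"syn": 0, "syn_ack": 0, "established": 0}
    for conv in track_handshakes(packets).values():
        counts[conv["state"]] += 1
    return counts


if __name__ == "__main__":
    print("equivalent display filter:", HALF_OPEN_FILTER)
    print("half-open SYN/ACK frames:", half_open_frames(SAMPLE_TRACE))
    print("handshake summary:", handshake_summary(SAMPLE_TRACE))
```

Two caveats when comparing this with the real filter: the tracker deliberately ignores RST and FIN, so a connection the client tore down immediately after the handshake is still counted as established, just as it is by Wireshark (the iRTT field exists either way); and if you run the display filter non-interactively with tshark rather than in the GUI, use two-pass analysis (`-2`) so that the iRTT computed at the handshake ACK is already known when the earlier SYN/ACK frame is evaluated.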