Hello, I have a trace of ~103K packets. I am trying to create a display filter to find TCP streams containing 4 particular packets (FIN-ACK, ACK, FIN-ACK, ACK). Is this possible? I need to do the opposite and find the streams, out of the 900+ in this trace, that don't have those 4 packets at the end of the conversation.
Any direction, YouTube, or other resource to answer this question is appreciated.
Thanks and God bless, Genesius
asked 05 Oct '17, 05:25
Not directly, as display filters are used as a match against each frame as to whether it's displayed or not, and so do not have the capability to match or aggregate across frames.
I would use command line scripting to generate a list of streams with a FIN-ACK and subtract that from the list of all streams resulting in a list of those streams without a FIN-ACK.
This seems to work for me using PowerShell:
The above script first sets some options, including the capture file to use, then runs tshark, firstly with no filter to get all the tcp stream indexes, then with a filter for the FIN flag to get the streams with a FIN, then generates the differences between those two results.
Note that the above quick test regards any FIN as a stream to include so it will only give streams with no FIN at all. Extending it to give the exact result you need is left as an exercise for the reader.
answered 05 Oct '17, 05:55
edited 05 Oct '17, 14:09
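An added example, not the answer's PowerShell script (which is not reproduced here) and not part of the original post: it applies the same "all streams minus streams with a FIN" subtraction to tshark field output in Python, and goes one step further to implement the exact four-packet check the question asks for, so the two criteria can be compared. The tshark command, field list and sample rows are assumptions constructed for this example; `ip.src`/`ip.dst` assume IPv4 traffic.

```python
from collections import defaultdict

# Assumed tshark export (hypothetical command, not from the post):
#   tshark -r trace.pcapng -T fields -E separator=, \
#     -e tcp.stream -e ip.src -e ip.dst -e tcp.flags.fin -e tcp.flags.ack
# Newer tshark prints the flag fields as True/False, older ones as 1/0.
TRUE_VALUES = {"1", "True", "true"}

# Constructed sample: stream 0 ends with the full FIN-ACK/ACK/FIN-ACK/ACK close,
# stream 1 never sends a FIN, stream 2 is only half-closed (a single FIN).
SAMPLE = """\
0,10.0.0.1,10.0.0.2,0,1
0,10.0.0.1,10.0.0.2,1,1
0,10.0.0.2,10.0.0.1,0,1
0,10.0.0.2,10.0.0.1,1,1
0,10.0.0.1,10.0.0.2,0,1
1,10.0.0.1,10.0.0.3,0,0
1,10.0.0.3,10.0.0.1,0,1
2,10.0.0.1,10.0.0.4,0,1
2,10.0.0.1,10.0.0.4,1,1
2,10.0.0.4,10.0.0.1,0,1
"""

def parse_tshark_csv(text):
    """Group packets by tcp.stream as (src, dst, fin, ack), in capture order."""
    streams = defaultdict(list)
    for line in filter(None, text.splitlines()):
        stream, src, dst, fin, ack = line.split(",")
        streams[int(stream)].append((src, dst, fin in TRUE_VALUES, ack in TRUE_VALUES))
    return streams

def has_four_way_close(packets):
    """True if the last four packets are FIN-ACK A->B, ACK B->A, FIN-ACK B->A, ACK A->B."""
    if len(packets) < 4:
        return False
    p1, p2, p3, p4 = packets[-4:]
    a, b = p1[0], p1[1]
    return (p1[2] and p1[3] and p2 == (b, a, False, True)
            and p3 == (b, a, True, True) and p4 == (a, b, False, True))

def streams_without_any_fin(streams):
    """The answer's coarse criterion: a stream counts as closed if it has any FIN."""
    return sorted(s for s, pkts in streams.items() if not any(p[2] for p in pkts))

def streams_without_close(streams):
    """The exact criterion the question asks for: no four-packet close at the end."""
    return sorted(s for s, pkts in streams.items() if not has_four_way_close(pkts))

if __name__ == "__main__":
    print("no FIN at all:", streams_without_any_fin(parse_tshark_csv(SAMPLE)))
    print("no full close:", streams_without_close(parse_tshark_csv(SAMPLE)))
```

On the sample, the coarse check reports only stream 1, while the exact check also catches the half-closed stream 2.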