This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Multiple Packet Display Filter

0

Hello, I have a trace of ~103K packets. I am trying to create a display filter to find TCP streams containing 4 particular packets (FIN-ACK, ACK, FIN-ACK, ACK). Is this possible? I need to do the opposite and find the streams, out of the 900+ in this trace, that don't have those 4 packets at the end of the conversation.

Any direction, YouTube, or other resource to answer this question is appreciated.

Thanks and God bless, Genesius

asked 05 Oct '17, 05:25


genesiusj
6112
accept rate: 0%


One Answer:

0

Not directly, as display filters are used as a match against each frame as to whether it's displayed or not, and so do not have the capability to match or aggregate across frames.

I would use command line scripting to generate a list of streams with a FIN-ACK and subtract that from the list of all streams resulting in a list of those streams without a FIN-ACK.

This seems to work for me using PowerShell:

# Common tshark options: the capture file to read, and output one tcp.stream value per frame
$opts = @("-r", "path\to\capture", "-T", "fields", "-e", "tcp.stream")
# All stream indexes in the capture (no display filter)
$allstreams = path\to\tshark.exe $opts | Select-Object -Unique
# Stream indexes of the frames that have the FIN flag set (trailing argument is the display filter)
$finstreams = path\to\tshark.exe $opts "tcp.flags.fin == 1" | Select-Object -Unique
# Streams in the first list but not the second, i.e. streams with no FIN at all
Compare-Object $allstreams $finstreams -PassThru

The above script first sets some options, including the capture file to use, then runs tshark, firstly with no filter to get all the tcp stream indexes, then with a filter for the FIN flag to get the streams with a FIN, then generates the differences between those two results.

Note that the above quick test regards any FIN as a stream to include so it will only give streams with no FIN at all. Extending it to give the exact result you need is left as an exercise for the reader.

answered 05 Oct '17, 05:55


grahamb ♦
19.8k330206
accept rate: 22%

edited 05 Oct '17, 14:09
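As an added example that is not part of the answer above, the following Python script does the per-stream aggregation that a display filter cannot: it reads tshark field output, groups the frames by stream index in capture order, and reports the streams whose last four frames are not FIN-ACK, ACK, FIN-ACK, ACK. It also reproduces the simpler "no FIN at all" result from the PowerShell script so the two can be compared. It assumes tshark was run as `tshark -r capture -T fields -e tcp.stream -e tcp.flags.fin -e tcp.flags.ack` (tab-separated by default); the sample output embedded in the script is constructed, not taken from the questioner's trace.

```python
"""Classify TCP streams by how they close, from tshark field output.

Assumed tshark invocation (not from the original post); fields are tab-separated:
    tshark -r path\\to\\capture -T fields -e tcp.stream -e tcp.flags.fin -e tcp.flags.ack
"""
import sys
from collections import defaultdict
from typing import Dict, List, Tuple

Flags = Tuple[bool, bool]  # (FIN set, ACK set) for one frame

# Tail of a graceful close, oldest frame first: FIN-ACK, ACK, FIN-ACK, ACK.
GRACEFUL_CLOSE: List[Flags] = [(True, True), (False, True), (True, True), (False, True)]

# Constructed sample in tshark's output format (tcp.stream, tcp.flags.fin, tcp.flags.ack),
# not a real trace. Stream 0 closes gracefully; stream 1 has only one FIN; stream 2 has
# no FIN at all; stream 3 contains the four-packet close but is followed by one more
# frame without ACK (as a RST would be), so the close is not at the end.
SAMPLE_TSHARK_OUTPUT = "\n".join([
    "0\t0\t0", "0\t0\t1", "0\t0\t1", "0\t1\t1", "0\t0\t1", "0\t1\t1", "0\t0\t1",
    "1\t0\t0", "1\t0\t1", "1\t0\t1", "1\t1\t1", "1\t0\t1",
    "2\t0\t0", "2\t0\t1", "2\t0\t1", "2\t0\t1",
    "3\t0\t0", "3\t0\t1", "3\t1\t1", "3\t0\t1", "3\t1\t1", "3\t0\t1", "3\t0\t0",
])


def parse_bool(field: str) -> bool:
    # tshark prints boolean fields as 1/0 in older versions and True/False in newer ones.
    return field.strip().lower() in ("1", "true")


def parse_tshark_fields(text: str) -> Dict[int, List[Flags]]:
    """Group (fin, ack) flag pairs per tcp.stream, preserving capture order."""
    streams: Dict[int, List[Flags]] = defaultdict(list)
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 3 or not fields[0].strip():
            continue  # blank line, or a non-TCP frame whose tcp.stream column is empty
        streams[int(fields[0])].append((parse_bool(fields[1]), parse_bool(fields[2])))
    return dict(streams)


def ends_with_graceful_close(frames: List[Flags]) -> bool:
    """True only if the stream's last four frames are exactly the expected close."""
    return frames[-len(GRACEFUL_CLOSE):] == GRACEFUL_CLOSE


def streams_without_graceful_close(streams: Dict[int, List[Flags]]) -> List[int]:
    """Streams that do not end with FIN-ACK, ACK, FIN-ACK, ACK (the question as asked)."""
    return sorted(s for s, frames in streams.items() if not ends_with_graceful_close(frames))


def streams_without_any_fin(streams: Dict[int, List[Flags]]) -> List[int]:
    """Streams with no FIN in any frame; equivalent to the Compare-Object result above."""
    return sorted(s for s, frames in streams.items() if not any(fin for fin, _ in frames))


if __name__ == "__main__":
    # Pipe real tshark output in on stdin; falls back to the constructed sample otherwise.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TSHARK_OUTPUT
    parsed = parse_tshark_fields(data)
    print("streams with no FIN at all:", streams_without_any_fin(parsed))
    print("streams not ending FIN-ACK, ACK, FIN-ACK, ACK:", streams_without_graceful_close(parsed))
```

On the sample, the "no FIN" check reports only stream 2, while the exact check reports streams 1, 2 and 3: streams 1 and 3 do contain a FIN, which is why the quick set-difference approach misses them. The script matches frames in capture order, so retransmitted FINs or frames missing from the trace will keep a stream out of the "graceful" set, which is usually the intended behaviour when hunting for conversations that did not close cleanly.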

so why not just use "not tcp.flags.fin==1"? ;-)

(05 Oct '17, 11:59) Jasper ♦♦

Using a filter of not tcp.flags.fin==1 will give a list of all streams that have at least one packet that doesn't have a FIN, which will be pretty much all streams unless you've managed to capture only one packet from a stream that has FIN set.

(05 Oct '17, 14:12) grahamb ♦

@grahamb Maybe it would be a nice topic for a Sharkfest session: powershell & tshark :)

(05 Oct '17, 23:11) Christian_R

Indeed, see presentation 33 at SharkFest Europe.

@Christian_R, you may redeem your beer token at Estoril :-)

(06 Oct '17, 01:05) grahamb ♦

@grahamb yes, you're right, typing comments like that on my cellphone while completely tired seems like a bad idea :-D

(06 Oct '17, 06:31) Jasper ♦♦