This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Identify SYN packets without SYN/ACK

0

From a PCAP Trace how to identify tcp SYN frames that have not received tcp SYN/ACK ?

asked 26 Sep '11, 21:12

Norbert's gravatar image

Norbert
1111
accept rate: 0%

2 Answers:

0

Here's the gist of an idea:

  1. Use tshark reading a file (and redirecting output to a file) with something like the following:

    a. a read filter to find all the SYN frames: -R tcp.flags.syn == 1

    b. ouput fields: -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.flags.ack

  2. With some scripting (or maybe just some clever sorting) I think you should be able to identify SYNs without SYN/ACKS.

    You'll probably also want to output the frame number field (frame.number)

    I could imagine doing two passes with tshark (the first for SYNs, the second for SYN/ACKS) so as to be able to output the address/ports in the right order in each pass so that a sort of the combined output files would work.

answered 28 Sep '11, 07:26

Bill%20Meier's gravatar image

Bill Meier ♦♦
3.2k1850
accept rate: 17%

edited 28 Sep '11, 07:30

0

Another nice move might be to filter for tcp.flags.syn==1 and then go to conversation statistics. There you can sort by number of packets and those sessions with only 1 to a few packets outgoing and zero incoming are the ones not getting SYN/ACK back. Then go .csv Copy etc.

Sorry, this is not professional but I had no time to try scripting stuff ;)

answered 28 Sep '11, 07:30

Landi's gravatar image

Landi
2.3k51442
accept rate: 28%

edited 28 Sep '11, 07:31