How can I detect/print all conversations that have (or will have) a FIN packet within an existing capture file?
asked 06 Dec '11, 07:18 Trevor
One Answer:
One way would be to actually filter for tcp.flags.fin==1 and then look for unique identifiers for that particular session. This could be tcp.port (if unique), tcp.stream (which I think is the easiest) or maybe even the initial sequence number... You'll need a proper identifier to later filter those sessions if you want to see them complete and not only the FIN packets.

tshark -r testtrace.pcap -R "tcp.flags.fin==1" -n -Tfields -e tcp.stream

can give you a list of those tcp.stream numbers. You can append | sort -u or whatever to go ahead with script building, e.g.
answered 06 Dec '11, 07:33 Landi
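The same idea as the tshark pipeline in the answer above, as an added example that is not part of the original thread: filter TCP packets for the FIN flag, map each hit to its conversation (numbered in order of first appearance, the way tcp.stream is), de-duplicate, and build the follow-up filter that shows those conversations in full. It uses a minimal hand-written parser so it runs offline on a constructed capture; it assumes a classic (non-pcapng) pcap, Ethernet link type and IPv4 without options, and all names (tcp_packets, conversations, streams_with_fin, display_filter, SAMPLE_PCAP) are made up for this example. One caveat on the original command: in current tshark the single-pass display filter flag is -Y, and -R is only accepted together with -2 (two-pass mode).

```python
"""Find TCP conversations that contain a FIN in a classic pcap (added example)."""
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


def tcp_packets(pcap: bytes):
    """Yield (frame_no, (src, sport), (dst, dport), flags) for each TCP packet.

    Assumes pcap (not pcapng), Ethernet link type, IPv4; anything else is skipped.
    """
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    link_type, = struct.unpack_from(end + "I", pcap, 20)
    if link_type != 1:  # DLT_EN10MB
        raise ValueError("only Ethernet link type is handled")
    off, frame_no = 24, 0
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(end + "IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        frame_no += 1
        if len(frame) < 14 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 20:
            continue  # not TCP, or truncated
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        sport, dport = struct.unpack_from("!HH", ip, ihl)
        flags = ip[ihl + 13]
        yield frame_no, (src, sport), (dst, dport), flags


def conversations(pcap: bytes):
    """Group packets by direction-independent 4-tuple, numbered like tcp.stream."""
    index, streams = {}, {}
    for frame_no, a, b, flags in tcp_packets(pcap):
        key = tuple(sorted([a, b]))
        stream = index.setdefault(key, len(index))
        entry = streams.setdefault(stream, {"endpoints": key, "frames": [], "fin": False})
        entry["frames"].append(frame_no)
        if flags & TCP_FIN:
            entry["fin"] = True
    return streams


def streams_with_fin(pcap: bytes):
    """Equivalent of: tshark -Y 'tcp.flags.fin==1' -T fields -e tcp.stream | sort -u"""
    return sorted(s for s, e in conversations(pcap).items() if e["fin"])


def display_filter(streams):
    """Filter that shows the whole conversations, not only their FIN packets."""
    return "tcp.stream in {" + " ".join(str(s) for s in streams) + "}"


# --- constructed sample capture (checksums left zero; fine for parsing) ---
def _packet(src, sport, dst, dport, flags):
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 65535, 0, 0)
    return eth + ip + tcp


def _pcap(packets):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, p in enumerate(packets):
        out += struct.pack("<IIII", n, 0, len(p), len(p)) + p
    return out


# Stream 0 closes cleanly (FIN both ways), stream 1 is still open (handshake only),
# stream 2 is aborted with RST and never sees a FIN. Frames are interleaved on purpose.
SAMPLE_PCAP = _pcap([
    _packet("10.0.0.1", 40000, "10.0.0.2", 80, TCP_SYN),
    _packet("10.0.0.1", 40001, "10.0.0.2", 443, TCP_SYN),
    _packet("10.0.0.2", 80, "10.0.0.1", 40000, TCP_SYN | TCP_ACK),
    _packet("10.0.0.3", 50000, "10.0.0.4", 22, TCP_SYN),
    _packet("10.0.0.1", 40000, "10.0.0.2", 80, TCP_ACK),
    _packet("10.0.0.2", 443, "10.0.0.1", 40001, TCP_SYN | TCP_ACK),
    _packet("10.0.0.4", 22, "10.0.0.3", 50000, TCP_RST | TCP_ACK),
    _packet("10.0.0.1", 40000, "10.0.0.2", 80, TCP_FIN | TCP_ACK),
    _packet("10.0.0.1", 40001, "10.0.0.2", 443, TCP_ACK),
    _packet("10.0.0.2", 80, "10.0.0.1", 40000, TCP_FIN | TCP_ACK),
    _packet("10.0.0.1", 40000, "10.0.0.2", 80, TCP_ACK),
])

if __name__ == "__main__":
    fins = streams_with_fin(SAMPLE_PCAP)
    print("streams with FIN:", fins)                 # [0]
    print("follow-up filter:", display_filter(fins))  # tcp.stream in {0}
    for s in fins:
        print("stream", s, "frames", conversations(SAMPLE_PCAP)[s]["frames"])
```

Note that a conversation torn down with RST only (stream 2 here) never matches tcp.flags.fin==1, so if the goal is "every conversation that ended" rather than "every conversation that closed gracefully", the filter needs tcp.flags.reset==1 as well.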
Thanks. That seems like a good way to start.