This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to create a filter to remove TCP sessions with no payload

0

Hi all,

I haven't found a good way to do this yet. Is there a way to filter out TCP sessions that have no payload? (Basically, sessions that have the 3-way handshake and then immediately close via FIN or RST that didn't actually transmit any meaningful data).

Thanks

-VK

asked 04 Jan '12, 13:04

VaporKnight's gravatar image

VaporKnight
1111
accept rate: 0%

2 Answers:

0

Unfortunately, display filters work on individual packets, and have no state, so there's no simple display filter to do that. I don't know enough about MATE to say whether it would support that.

answered 04 Jan '12, 16:26

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

0

You could use tshark to create that filter for you :-)

To find all TCP packets with data, use:

tshark -r <file> -R "tcp.len>0"

... we're only interested in the ID's of the TCP sessions that contain data:

tshark -r <file> -R "tcp.len>0" -T fields -e tcp.stream

Then use some shell magic to create a list of all these session ID's:

tshark -r <file> -R "tcp.len>0" -T fields -e tcp.stream |\
    sort -n | uniq

... and transform it into a display filter:

tshark -r <file> -R "tcp.len>0" -T fields -e tcp.stream |\
    sort -n | uniq |\
    awk '{printf("%stcp.stream==%d",sep,$1);sep="||"}'

You can then use that filter in Wireshark. Or you can create a new tracefile with only the sessions containing data in one run with:

tshark -r <file> - w <newfile> -R $(\
    tshark -r <file> -R "tcp.len>0" -T fields -e tcp.stream |\
        sort -n | uniq |\
        awk '{printf("%stcp.stream==%d",sep,$1);sep="||"}'\
)

Hope this helps!

answered 05 Jan '12, 03:33

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

That will work for me!

Thanks!

-VK

(05 Jan '12, 08:22) VaporKnight

Hmm.. Actually this didn't work. When I do the -e tcp.stream I don't get Stream ID's returned. I just get a lot of empty lines.

When I do things like tcp.seq or tcp.ack I do see some values. So this seems specific to tcp.stream. In wireshark I can see the steam IDs.

-VK

(05 Jan '12, 11:38) VaporKnight

This works for me with TShark 1.7.0 (SVN 39768) in Windows 7 (64-bit). I ran:

tshark -r nfs_bad_stalls.cap -R "tcp.len>0" -T fields -e tcp.stream |\
        sort -n | uniq |\
        awk '{printf("%stcp.stream==%d",sep,$1);sep="||"}'

which yields:

tcp.stream==0||tcp.stream==1||tcp.stream==2||tcp.stream==3
(05 Jan '12, 12:06) bstn

Hmm.. maybe need to update then.

Running tshark 1.0.2 on Linux. I'll try that.

-VK

(05 Jan '12, 12:09) VaporKnight

Works on 1.6.0 Thanks!

-VK

(05 Jan '12, 12:16) VaporKnight

Yes, the tcp.stream field may not have existed in Wireshark 1.0.x.

(05 Jan '12, 12:24) Guy Harris ♦♦
showing 5 of 6 show 1 more comments