Hi all,

I haven't found a good way to do this yet. Is there a way to filter out TCP sessions that have no payload? (Basically, sessions that have the 3-way handshake and then immediately close via FIN or RST that didn't actually transmit any meaningful data).



asked 04 Jan '12, 13:04

VaporKnight

Unfortunately, display filters work on individual packets, and have no state, so there's no simple display filter to do that. I don't know enough about MATE to say whether it would support that.


answered 04 Jan '12, 16:26

Guy Harris ♦♦

You could use tshark to create that filter for you :-)

To find all TCP packets with data, use:

tshark -r <file> -R "tcp.len>0"

... we're only interested in the ID's of the TCP sessions that contain data:

tshark -r <file> -R "tcp.len>0" -T fields -e

Then use some shell magic to create a list of all these session ID's:

tshark -r <file> -R "tcp.len>0" -T fields -e |\
    sort -n | uniq

... and transform it into a display filter:

tshark -r <file> -R "tcp.len>0" -T fields -e |\
    sort -n | uniq |\
    awk '{printf("",sep,$1);sep="||"}'

You can then use that filter in Wireshark. Or you can create a new tracefile with only the sessions containing data in one run with:

tshark -r <file> -w <newfile> -R $(\
    tshark -r <file> -R "tcp.len>0" -T fields -e |\
        sort -n | uniq |\
        awk '{printf("",sep,$1);sep="||"}')

Hope this helps!


answered 05 Jan '12, 03:33

SYN-bit ♦♦
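The "list of stream IDs to display filter" step of the answer above, written out as an added example (this is not SYN-bit's code or anything shipped with Wireshark). It assumes that the field name stripped from the answer's -e arguments is tcp.stream, the Wireshark field that numbers each TCP conversation, and that the format string lost from the awk command produced tcp.stream==N terms. The sample IDs are constructed to stand in for what tshark -T fields -e tcp.stream prints for the packets matching tcp.len>0 (one line per packet, so with duplicates, and blank lines for packets that lack the field, which is what VaporKnight saw on 1.0.2):

```shell
#!/bin/sh
# Added example, not from the original answer. Turns the stream IDs that
# "tshark -R 'tcp.len>0' -T fields -e tcp.stream" prints into one Wireshark
# display filter that keeps only TCP sessions carrying payload.
# Assumption: the field elided from the answer's commands is tcp.stream.

# Reads one stream ID per line on stdin (duplicates and blank lines allowed)
# and prints:  tcp.stream==0 || tcp.stream==2
build_stream_filter() {
    grep -E '^[0-9]+$' |            # drop blank lines / non-numeric junk
        sort -n -u |                # numeric sort, one line per stream
        awk '{ printf("%stcp.stream==%s", sep, $1); sep = " || " }
             END { printf("\n") }'
}

# Constructed sample: six data-carrying packets spread over streams 0 and 2
# (a capture whose streams 1 and 3 are handshake-only would print nothing
# for them, so they never appear in this list).
sample_ids() {
    printf '%s\n' 0 0 2 0 2 2
}

# Print the filter for the constructed sample.
sample_ids | build_stream_filter

# Against a real capture (needs tshark on PATH; not run here). In tshark 1.10
# and later the display filter option is -Y; -R became a two-pass read filter.
# tshark -r file.pcap -w with_data.pcap -Y \
#     "$(tshark -r file.pcap -Y 'tcp.len>0' -T fields -e tcp.stream | build_stream_filter)"
```

The filter is built from only the streams that actually had a packet with tcp.len>0, so handshake-only and RST-only sessions fall out of the result without any per-session state in the display filter itself; negating the whole expression (!( ... )) gives the opposite view, the payload-less sessions the question asked about.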

That will work for me!



(05 Jan '12, 08:22) VaporKnight

Hmm.. Actually this didn't work. When I do the -e I don't get Stream IDs returned. I just get a lot of empty lines.

When I do things like tcp.seq or tcp.ack I do see some values. So this seems specific to In Wireshark I can see the stream IDs.


(05 Jan '12, 11:38) VaporKnight

This works for me with TShark 1.7.0 (SVN 39768) in Windows 7 (64-bit). I ran:

tshark -r nfs_bad_stalls.cap -R "tcp.len>0" -T fields -e |\
        sort -n | uniq |\
        awk '{printf("",sep,$1);sep="||"}'

which yields:||||||
(05 Jan '12, 12:06) bstn

Hmm.. maybe need to update then.

Running tshark 1.0.2 on Linux. I'll try that.


(05 Jan '12, 12:09) VaporKnight

Works on 1.6.0. Thanks!


(05 Jan '12, 12:16) VaporKnight

Yes, the field may not have existed in Wireshark 1.0.x.

(05 Jan '12, 12:24) Guy Harris ♦♦
question asked: 04 Jan '12, 13:04

question was seen: 8,986 times

last updated: 05 Jan '12, 12:24
