This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

filter re tcp connection establishment

0

The source sends multiple requests to establish a TCP connection with the server. I want only the first request sent by the source.

To capture the TCP connection establishment sent by the source, I am using the filter "tcp.flags.syn == 1 and tcp.flags.ack == 0".

But my problem is that the server resends the TCP connection establishment request, and I want to remove this resent request.

Please help.

asked 10 Apr '14, 19:20

Deepak1991
accept rate: 0%


One Answer:

0

When you see a retransmitted TCP SYN packet, expand the Packet Details pane for the TCP packet details. Does one of the fields say something about it being a retransmission? For example, an expert Note-level field saying "This frame is a (suspected) retransmission" or something like that?

If so, you can select that field to see the name of it; the name of the field will be shown on the lower left status bar. It will be something like "tcp.analysis.retransmission" or something similar. Whatever it is, add the negation of it to your filter. So like this:

tcp.flags.syn == 1 and tcp.flags.ack == 0 and not tcp.analysis.retransmission

Or something like that. I can't try it myself to know exactly because I don't have a capture with such duplicates. So this is just a guess.

If you don't see something like that, you might have sequence analysis turned off - turn it on in your preferences (Edit->Preferences->Protocols->TCP->"Analyze TCP sequence numbers"). It's on by default I believe.

There are also other fields (non-expert fields) that might only be in SYN retransmissions, which you should be able to use the negation of instead, or be able to use a filter with "field.name == 0" (depending on the type of field it is).

It would help if you could post a screenshot of the packet details pane, or better yet post the capture file on cloudshark.org or some other site.

answered 10 Apr '14, 19:53

Hadriel
accept rate: 18%

edited 10 Apr '14, 20:04

Yup, that works for me. It occurred to me after posting the above that I could easily capture such a thing myself, by just trying to web browse or telnet to some random IP in the Internet... I guess I'm tired.

:)

(10 Apr '14, 20:05) Hadriel
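
The filtering logic discussed in this thread, as an added example that is not part of the original posts and is not Wireshark's own analysis code: it keeps only the first SYN of each connection attempt from raw Ethernet/IPv4 frames. It assumes a retransmitted SYN repeats the addresses, ports and sequence number of an earlier SYN; the frames, addresses and function names are constructed for illustration.

```python
import struct

SYN, ACK = 0x02, 0x10

def build_frame(src, dst, sport, dport, seq, flags):
    """Constructed sample frame: Ethernet + IPv4 + TCP headers, no payload."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def parse_syn(frame):
    """Return (src, sport, dst, dport, seq) for a SYN without ACK, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                          # not IPv4/TCP over Ethernet
    ihl = (frame[14] & 0x0F) * 4             # IPv4 header length in bytes
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None                          # truncated TCP header
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    flags = tcp[13]
    # Same test as: tcp.flags.syn == 1 and tcp.flags.ack == 0
    if not flags & SYN or flags & ACK:
        return None
    return (frame[26:30], sport, frame[30:34], dport, seq)

def first_syns(frames):
    """Return 1-based frame numbers of SYNs that are not repeats of an earlier SYN."""
    seen, keep = set(), []
    for number, frame in enumerate(frames, 1):
        key = parse_syn(frame)
        if key is not None and key not in seen:
            seen.add(key)                    # later identical SYNs are retransmissions
            keep.append(number)
    return keep

CLIENT, SERVER = (192, 0, 2, 10), (198, 51, 100, 20)   # documentation addresses
SAMPLE = [                                             # constructed capture
    build_frame(CLIENT, SERVER, 40000, 80, 1000, SYN),        # 1: first SYN
    build_frame(CLIENT, SERVER, 40000, 80, 1000, SYN),        # 2: retransmitted SYN
    build_frame(SERVER, CLIENT, 80, 40000, 7000, SYN | ACK),  # 3: SYN-ACK, excluded
    build_frame(CLIENT, SERVER, 40001, 80, 5000, SYN),        # 4: new connection
    build_frame(CLIENT, SERVER, 40000, 80, 1000, SYN),        # 5: retransmitted SYN
    build_frame(CLIENT, SERVER, 40000, 80, 1001, ACK),        # 6: plain ACK, excluded
]

if __name__ == "__main__":
    print(first_syns(SAMPLE))
```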