How to get all tcp-stream by passed filter?

DisplayFilters

asked 2019-06-24 15:03:13 +0000

9maf4you
1 ●1

Hello!

I've been asked by our client why our server doesn't work properly. I have a 200MB pcap dump. Quickly watching I've seen many reasons why it could happen: client sends RST after SYN-ACK, ACK to FIN sometime takes about a whole second, big amount of data as response ( not a problem actually ) and so on.

So, I would like to find out which a problem is dominated to dig into a problem further. Result I would like to see is all tcp-stream getting by specified filters.

Well, my question is how to get all tcp-streams by specified filters and how to write a filter where time between FIN and ACK more then says 500ms ?

Can wireshark do it ? Thank you!

edit retag flag offensive close merge delete

add a comment

1 Answer

Sort by » oldest newest most voted

answered 2019-06-24 18:56:48 +0000

Guy Harris
19890 ●3 ●633 ●207

Unfortunately, there's currently no filter to check for that (unlike, for example, checking for the time between the initial SYN and the SYN+ACK response).

You could try

tcp.analysis.ack_rtt > .5

to find all packets with an ACK that's more than .5 seconds (500 ms) after the packet being ACKed.

edit flag offensive delete link

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-06-24 15:03:13 +0000

Seen: 636 times

Last updated: Jun 24 '19

How to get all tcp-stream by passed filter? edit

1 Answer