For example, I have two host 1.1.1.1 and 2.2.2.2.
After capturing all traffic between them in certain time range, I would like to find all TCP connection finish initiated by 1.1.1.1 (i.e. 1.1.1.1 sent TCP FIN first in TCP connection termination)
There is a field for this in the current development branch (3.5).
#13210: Feature request: improve the tcp.analysis filter so it can find active or passive TCP close
(ip.src == 1.1.1.1) && (tcp.connection.fin_active)
The fields added in the change do appear in a 3.5.0rc0 build available in the automated build section of the download site.
There may even be a 3.5.0 (not rc) release in the next few days.
Wireshark expected release dates: Roadmap
Gerald wrote: I'm proud to announce the release of Wireshark 3.5.0.
So if you are brave use it instead of 3.4.8
Using the display filter:
(ip.src == 1.1.1.1) && (tcp.flags.fin == 1)
I didn't read the question properly and the comment from @Jaap highlighted the issue, in that the user wants the occurrences where the specified IP sent the first FIN in the stream. This is not possible in a display filter because it requires a relationship between packets.
By changing the filter to ip.addr == ... all FINs for that address will be displayed and by adding a column for the tcp stream index, by inspection those streams where the target IP sent the first FIN can be found.
Asked: 2021-08-27 05:35:26 +0000
Seen: 3,804 times
Last updated: Aug 27 '21
To be clear: do you want to distinguish between TCP connection termination initiation by 1.1.1.1 and 2.2.2.2?
Do you want to specify the time range in the filter too?