How to filter tcp connection finish (FIN) initiated by certain IP

asked 2021-08-27 05:35:26 +0000

For example, I have two hosts and

After capturing all traffic between them in a certain time range, I would like to find all TCP connection finishes initiated by (i.e. that sent the TCP FIN first in the TCP connection termination)

To be clear: do you want to distinguish between TCP connection termination initiation by and

Jaap ( 2021-08-27 11:24:07 +0000 )

Do you want to specify the time range in the filter too?

BigFatCat ( 2021-08-27 17:54:57 +0000 )

2 Answers

answered 2021-08-27 15:37:58 +0000

Chuckc

updated 2021-08-27 15:40:30 +0000

There is a field for this in the current development branch (3.5).

#13210: Feature request: improve the tcp.analysis filter so it can find active or passive TCP close

(ip.src == && (tcp.connection.fin_active)

The fields added in the change do appear in a 3.5.0rc0 build available in the automated build section of the download site.
There may even be a 3.5.0 (not rc) release in the next few days.
Wireshark expected release dates: Roadmap

GREAT. I have to play with it when it is released

BigFatCat ( 2021-08-27 17:52:57 +0000 )

Gerald wrote: I'm proud to announce the release of Wireshark 3.5.0.

So if you are brave, use it instead of 3.4.8

hugo.vanderkooij ( 2021-08-28 01:30:56 +0000 )

answered 2021-08-27 07:59:21 +0000

grahamb

Using the display filter:

(ip.src == && (tcp.flags.fin == 1)

I didn't read the question properly and the comment from @Jaap highlighted the issue, in that the user wants the occurrences where the specified IP sent the first FIN in the stream. This is not possible in a display filter because it requires a relationship between packets.

By changing the filter to ip.addr == ... all FINs for that address will be displayed and by adding a column for the tcp stream index, by inspection those streams where the target IP sent the first FIN can be found.

grahamb ( 2021-08-27 11:40:46 +0000 )
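The "by inspection" step in the answer above can be automated on any Wireshark version, including 3.4.8 without tcp.connection.fin_active: export the FIN packets with tshark and post-process them per stream. This is an added example, not code from the thread; it assumes tshark was run as `tshark -r capture.pcap -Y "tcp.flags.fin == 1" -T fields -E separator=, -e frame.number -e tcp.stream -e ip.src -e tcp.flags.fin`, and the sample lines below are constructed, not from a real capture.

```python
"""Find the TCP streams in which a given host sent the first FIN (active close).

Assumed input: one line per FIN packet in capture order, in the shape produced by
  tshark -r capture.pcap -Y "tcp.flags.fin == 1" -T fields -E separator=, \
         -e frame.number -e tcp.stream -e ip.src -e tcp.flags.fin
Wireshark 3.5 adds tcp.connection.fin_active; this script covers older builds.
"""

# Constructed sample (not a real capture): frame,stream,src,fin
SAMPLE_TSHARK = """\
5,0,10.0.0.2,1
6,0,10.0.0.1,1
7,1,10.0.0.1,1
8,1,10.0.0.2,1
9,2,10.0.0.2,1
"""


def first_fin_by_stream(lines):
    """Return {stream_index: (frame_number, src_ip)} for the first FIN per stream.

    tshark emits frames in capture order, so the first FIN line seen for a
    stream is the active close. tcp.flags.fin is printed as 1/0 by 3.x
    builds and True/False by newer ones; both are accepted.
    """
    first = {}
    for line in lines.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4 or not parts[1]:
            continue  # blank line or a frame without TCP stream fields
        frame, stream, src, fin = parts
        if fin.lower() not in ("1", "true"):
            continue
        # Keep only the earliest FIN; later FINs are the passive side's reply.
        first.setdefault(stream, (int(frame), src))
    return first


def streams_closed_by(lines, ip):
    """Stream indices (as strings) where `ip` sent the first FIN."""
    return sorted(s for s, (_, src) in first_fin_by_stream(lines).items()
                  if src == ip)


if __name__ == "__main__":
    print(streams_closed_by(SAMPLE_TSHARK, "10.0.0.1"))  # ['1']
```

Feed real tshark output with `streams_closed_by(open("fins.csv").read(), "<ip>")`, then use the returned stream indices in a `tcp.stream in {...}` display filter to review those conversations.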
