Ask Your Question
0

tshark does not recognize tcp.analysis.initial_rtt

asked 2023-10-10 20:21:16 +0000

RB gravatar image

The Wireshark Display Filter "(tcp.flags==0x12) and not tcp.analysis.initial_rtt" works in Wireshark, but not tshark.

Problem:

My router is dropping SYN-ACK packets and NO-FLAG packets. I have about 12 hours worth of pcap files to sort through, so I created a script to loop through all pcap files in the directory, and delete any pcap file that does not contain SYN-ACK or NO-FLAG packets. I am now left with 284 files that contain to locate a total of 4 packets that were dropped.

Since the router should only drop SYN-ACK packets on half-open connections, the Wireshark display filter needs to include a check for the value of tcp.analysis.initial_rtt and the above display filter works. But it seems that Wireshark calculates tcp.analysis.initial_rtt, but tshark does not and I get the following error.

[bob@Linux dev]$ tshark -t ad -r "$fname" -Y "(tcp.flags==0x12) and not tcp.analysis.initial_rtt" tshark: "tcp.analysis.initial_rtt" is neither a field nor a protocol name.

Is there another way around this in tshark to find a half-open connect with tcp.flags==0x12?

edit retag flag offensive close merge delete

Comments

What version of tshark are you using? I don't get an error with version 4.0.10.

An alternative filter is tcp.completeness & 6 == 2 (has syn/ack but not ack). See TCPAnalysis

André gravatar imageAndré ( 2023-10-10 22:17:01 +0000 )edit

tshark -G fields | grep tcp.analysis.initial_rtt to see if field is valid for your version of tshark.

Chuckc gravatar imageChuckc ( 2023-10-11 01:55:39 +0000 )edit

Thank you for your responses. In reverse order,

(2) I have confirmed with the command line Chuckc provided that my version of tshark on CentOS 7 does not include the tcp.analysis.initial_rtt field.

(1) I have also confirmed that tshark on CentOS7 does not include the field tcp.completeness that André recommended.

tshark/wireshark on CentOS 7 is only version 1.10.14.

[root@Linux ~]# tshark -v TShark 1.10.14 (Git Rev Unknown from unknown)

Copyright 1998-2015 Gerald Combs [email protected] and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.56.1, with libpcap, with libz 1.2.7, with POSIX capabilities (Linux), without libnl, with SMI 0.4.8, with c-ares 1.10.0, with Lua 5.1, without Python, with GnuTLS 3.3 ...(more)

RB gravatar imageRB ( 2023-10-11 10:49:35 +0000 )edit
add a comment

2 Answers

Sort by » oldest newest most voted
0

answered 2023-10-26 19:04:36 +0000

RB gravatar image

I retired from 30+ years in IT a number of years ago, so I am in the process of relearning and catching up.

The issue is that wireshark and wireshark-cli are outdated versions in the CentOS repositories. I started with CentOS 7 and yum insisted there was no update for wireshark above 1.10.14. I wiped the laptop and installed CentOS 9 stream, and that took me up to 3.4.10-6. That gave me access to tcp.analysis.initial_rtt in tshark, but not tcp.completeness. I ended up downloading the source code and built wireshark. This gives me the current version of wireshark and tshark, and it fixed some errors I was running into with 3.4.10-6.

edit flag offensive delete link more
add a comment
0

answered 2023-10-11 10:02:25 +0000

SYN-bit gravatar image

On https://www.wireshark.org/docs/dfref/... it shows that the field tcp.analysis.initial_rtt has been included in wireshark and tshark since version 1.12.0 which came out in 2014. Is your tshark running on the same host as wireshark? If not, what is it's version and can you upgrade to version 1.12 or newer?

As the field tcp.analysis.initial_rtt is calculated by looking at the delta between the SYN and the final ACK of the 3-way-handshake, it is not known yet on the SYN/ACK in the first pass over the packets. Wireshark always does 2-pass processing, while tshark by default does 1-pass processing, so your filter will indeed not work as expected and will show all SYN/ACK packets (whether or not there was a final ACK).

You can make tshark do 2-pass processing by specifying the -2 argument when running tshark. Your filter should work as expected then. You also need 2-pass processing for the tcp.completeness & 6 == 2 filter to work as expected.

edit flag offensive delete link more

Comments

Thank you for your response. In early October, I started with an old laptop and installed CentOS 7 as a workstation with GUI, and I probably used yum to install wireshark with wireshark-cli. That was version 1.10.14 and I had assumed because yum had no further updates that I was at the latest version. I ended up wiping the old laptop and installed with CentOS 9 stream as a basic server without CLI and used I was up to wireshark-cli 3.4.10-6. That version worked with tcp.analysis.initial_rtt but tcp.completeness was not available.

This morning I downloaded the source code for Wireshark and I am now at 4.0.10. This also resolved some errors I was having with tshark.

[bob@linux pcap]$ tshark -v TShark (Wireshark) 4.0.10 (Git commit f5c7c25a81eb).

RB gravatar imageRB ( 2023-10-26 18:56:41 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2023-10-10 20:21:16 +0000

Seen: 261 times

Last updated: Oct 26 '23

Related questions

Deduplication in tshark -T ek [closed]

filtering out protocol, sequence number, and ack using tshark

Using tshark filters to extract only interesting traffic from 12GB trace

Any way to use cmd tshark for a gns3 wire?

authority RRs tshark

can I install only tshark?

How do I change the interface on Tshark?

Tshark TCP stream assembly

Tshark output file problem, saving to csv or txt

How to convert Pcapng file to pcap file by Tshark