Ask Your Question
0

Find asymmetric streams (tcp.stream with client but no server packets)

asked 2018-07-25 06:28:34 +0000

sopsrdsvc gravatar image

hi, i have a pcap with overall 2402 streams in it, and i can see that lots of them seem to be 'asymmetric' ('analyze / follow tcp stream' shows a number of client packets, but 0 server packets for them).

Can someone give me a hint how a filter expression for this kind of somewhat crippled connections could look like (e.g. something like 'tcp.stream==asymmetric' or similar)?

Thx in advance...

edit retag flag offensive close merge delete
add a comment

2 Answers

Sort by ยป oldest newest most voted
1

answered 2018-07-25 07:41:49 +0000

Jaap gravatar image

This is where Statistics | Conversations comes into use. See the TCP panel, which shows you all streams and their characteristics, among which Packets A->B and Packets B->A. Sort on these columns and the ones with zero packets float to the top immediately.

edit flag offensive delete link more

Comments

hi jaap, this is perfect, solves my problem very well! thanks a lot :)

sopsrdsvc gravatar imagesopsrdsvc ( 2018-07-25 09:44:28 +0000 )edit
add a comment
0

answered 2018-07-25 08:17:11 +0000

Guy Harris gravatar image

Can someone give me a hint how a filter expression for this kind of somewhat crippled connections could look like

No, because, for better or worse, the dissector doesn't keep track of that characteristic, so it can't put into the protocol tree a field that would indicate that the packet belongs to an "asymmetric" stream.

You'd have to use something such as what Jaap suggested.

edit flag offensive delete link more

Comments

hi guy, thanks as well for this info. Jaap's suggestion works perfect for me... best regards

sopsrdsvc gravatar imagesopsrdsvc ( 2018-07-25 09:46:00 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2018-07-25 06:28:34 +0000

Seen: 1,107 times

Last updated: Jul 25 '18

Related questions

No HTTPS requests in a TCP stream? (also decoding-help)

tshark tcp stream Raw data is not output to the end

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2