This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Editing Filters on Wireshark.


Hello guys, I'm new to the Wireshark world and I would like help to capture only the packets with RST or SYN or FIN and only those between two hosts A and B. I tried this:

host A.A.A.A and host B.B.B.B and tcp[tcpflags] & (tcp-rst) !=0 or tcp[tcpflags] & (tcp-syn) !=0 or tcp[tcpflags] & (tcp-fin) != 0

but I only capture [SYN, ACK] packets.

thank you for your response.

asked 01 Jun '12, 06:48


KD001


2 Answers:


Please try this:

Capture filter

(host a.a.a.a and host b.b.b.b) and (tcp[tcpflags] & (tcp-syn | tcp-fin | tcp-rst) != 0)

Display filter

(ip.addr eq a.a.a.a and ip.addr eq b.b.b.b) and (tcp.flags.syn == 1 or tcp.flags.fin == 1 or tcp.flags.reset == 1)

Regards
Kurt

answered 01 Jun '12, 10:48


Kurt Knochner ♦

edited 01 Jun '12, 11:27

If the goal is to see only traffic between the two named IP addresses, shouldn't there be an AND rather than an OR there? Or is there some reason that would not work?

(01 Jun '12, 11:14) inetdog

yes, you're right. I changed it.

(01 Jun '12, 11:26) Kurt Knochner ♦

I think you only need to specify the flag names for the display filter, the "== 1" is superfluous.

(01 Jun '12, 13:38) grahamb ♦

That's what I thought, however tests with 1.7.1 returned different results. I'll have to repeat the tests.

(01 Jun '12, 16:15) Kurt Knochner ♦

In 1.29 (don't ask...) the display filter bar turns green when you just enter the flag name. When you add the "==1" the filter bar turns green again. Either way, when applied the results seem to be the same.

(01 Jun '12, 17:07) inetdog

I tested with Wireshark 1.6.7.

(01 Jun '12, 22:56) grahamb ♦

The "==1" when filtering for certain TCP flags is indeed necessary. There is a difference in meaning between "tcp.flags.syn" and "tcp.flags.syn==1":

tcp.flags.syn There is a field present with the name tcp.flags.syn. Since every TCP packet has that flag present in its header, it will match all TCP packets.

tcp.flags.syn==1 There is a field present with the name tcp.flags.syn and its value is 1. This is only true for SYN and SYN/ACK packets.

(02 Jun '12, 02:39) SYN-bit ♦♦

Oops, I knew that but somehow forgot last night. I did test using the ack flag with a capture that happened to have ack set in every packet so didn't see my error.

(02 Jun '12, 05:12) grahamb ♦

Hello Syn-Bit and Kurt,

I want to thank you for the help you've given me. I tried and it gives me the desired results.

I hope to count on your support for upcoming issues I will ask on the forum because I am interested in this tool Wireshark even if I am beginner in this field.

(06 Jun '12, 02:56) KD001

The way to thank folk for their answers is to accept an answer by clicking the check mark.

In addition, it confuses other users when you post a comment as an "answer" so I've converted your "answer" to a comment.

(06 Jun '12, 07:19) grahamb ♦

There is a difference in meaning between "tcp.flags.syn" and "tcp.flags.syn==1"

I guess that's what I saw in my brief tests.

(06 Jun '12, 12:36) Kurt Knochner ♦


The capture filter I use for that is:

host a.a.a.a and host b.b.b.b and (tcp[13] & 7 != 0)

Where 13 is the offset for tcpflags and 7 is a logical or for the specific bits for SYN, FIN and RST. It is the same filter as Kurt's filter, but with less typing ;-)

answered 02 Jun '12, 02:43


SYN-bit ♦♦

Yes, it requires fewer characters to type (for the pro), but a lot more synapses to understand (for the newbie) ;-))

(02 Jun '12, 12:53) Kurt Knochner ♦

I totally agree! However...

... I found that I was never able to remember the exact names of the offsets and values, so I kind of got used to remembering the numeric values instead :-)

(02 Jun '12, 13:49) SYN-bit ♦♦

I totally agree.

That's one reason why I hate IPv6 :-) Hard to remember (O.k. not really necessary) and hard to "visually filter" those damn addresses ;-)

I still hope I can skip IPv6 and wait for IPv8, kind of like Vista -> Windows 7 ;-)))

(02 Jun '12, 14:30) Kurt Knochner ♦
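As an added example, not code posted by anyone in this thread, the script below models in Python what the filters from both answers evaluate to: Kurt's `tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0`, SYN-bit's numeric `tcp[13] & 7 != 0`, the questioner's original unparenthesised filter (BPF gives `and` higher precedence than `or`, so the host clauses only guard the RST term), and the `tcp.flags.syn` versus `tcp.flags.syn == 1` distinction SYN-bit explains in the comments. The packets, the addresses 10.0.0.1, 10.0.0.2 and 192.0.2.99, and the `build_packet` helper are constructed for illustration; one packet carries IP options so that `tcp[13]` is shown to be relative to the start of the TCP header, not byte 33 of the IP packet.

```python
import struct
from ipaddress import IPv4Address

# TCP flag bits as they sit in the flags byte (tcp[13] in BPF; tcp-fin, tcp-syn, ...).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Constructed addresses for the example: A and B are the pair of interest, C an outsider.
A, B, C = "10.0.0.1", "10.0.0.2", "192.0.2.99"


def build_packet(src, dst, flags, ihl_words=5):
    """Constructed IPv4+TCP packet (no link-layer header) with the given TCP flags.
    ihl_words > 5 pads the IP header as if it carried options, so the TCP header
    does not start at byte 20. Checksums are left zero; nothing here validates them."""
    ip_hdr_len = ihl_words * 4
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, ip_hdr_len + 20,
                         0, 0, 64, 6, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    ip_hdr += b"\x00" * (ip_hdr_len - 20)  # stand-in for IP options
    tcp_hdr = struct.pack("!HHIIBBHHH", 12345, 80, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr


def ip_addrs(pkt):
    return str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))


def tcp_flags(pkt):
    """The byte BPF calls tcp[13]: offset 13 from the start of the TCP header, which
    begins after the variable-length IP header (IHL * 4 bytes)."""
    ihl = pkt[0] & 0x0F
    return pkt[ihl * 4 + 13]


def host_pair(pkt, a, b):
    """'host a and host b': both addresses present, in either direction."""
    return set(ip_addrs(pkt)) == {a, b}


def kurt_capture_filter(pkt, a, b):
    """(host a and host b) and (tcp[tcpflags] & (tcp-syn | tcp-fin | tcp-rst) != 0)"""
    return host_pair(pkt, a, b) and tcp_flags(pkt) & (TCP_SYN | TCP_FIN | TCP_RST) != 0


def synbit_capture_filter(pkt, a, b):
    """host a and host b and (tcp[13] & 7 != 0); 7 == 0x01|0x02|0x04 == FIN|SYN|RST"""
    return host_pair(pkt, a, b) and tcp_flags(pkt) & 7 != 0


def unparenthesised_filter(pkt, a, b):
    """The question's original filter with BPF precedence applied: 'and' binds
    tighter than 'or', so only the RST clause is restricted to hosts a and b."""
    f = tcp_flags(pkt)
    return (host_pair(pkt, a, b) and f & TCP_RST != 0) or f & TCP_SYN != 0 or f & TCP_FIN != 0


def display_filter_present(pkt):
    """Display filter 'tcp.flags.syn' with no comparison: true whenever the field
    exists, which is every TCP segment (IP protocol 6)."""
    return pkt[9] == 6


def display_filter_syn_set(pkt):
    """Display filter 'tcp.flags.syn == 1': the field exists and the bit is set."""
    return pkt[9] == 6 and tcp_flags(pkt) & TCP_SYN != 0


# Constructed sample traffic: a handshake, data ACK, teardown and an outsider's SYN.
SAMPLE = {
    "A->B SYN": build_packet(A, B, TCP_SYN),
    "B->A SYN/ACK": build_packet(B, A, TCP_SYN | TCP_ACK),
    "A->B ACK": build_packet(A, B, TCP_ACK),
    "A->B FIN/ACK (IP options)": build_packet(A, B, TCP_FIN | TCP_ACK, ihl_words=6),
    "B->A RST": build_packet(B, A, TCP_RST),
    "C->B SYN": build_packet(C, B, TCP_SYN),
}


def matches(capture_filter):
    """Names of the sample packets a capture filter would let through for hosts A and B."""
    return [name for name, pkt in SAMPLE.items() if capture_filter(pkt, A, B)]


if __name__ == "__main__":
    for fn in (kurt_capture_filter, synbit_capture_filter, unparenthesised_filter):
        print(f"{fn.__name__:24s}: {matches(fn)}")
    print("tcp.flags.syn           :", [n for n, p in SAMPLE.items() if display_filter_present(p)])
    print("tcp.flags.syn == 1      :", [n for n, p in SAMPLE.items() if display_filter_syn_set(p)])
```

Run stand-alone, the two parenthesised filters agree (SYN, SYN/ACK, FIN/ACK and RST between A and B; the plain ACK and the outsider's SYN are dropped), the unparenthesised one also passes the SYN from 192.0.2.99, and `tcp.flags.syn` without `== 1` matches every segment, including the ACK and RST. The same precedence rule is what a real BPF compiler applies, so when in doubt parenthesise, or check with `tcpdump -d '<filter>'` to see the compiled program.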