
I am trying to capture TCP SYN on IPv6 packets but I only get IPv4.

c:\progra~1\wireshark\tshark -i 5 -f "ip6" -f "tcp[tcpflags] & (tcp-syn|tcp-fin) != 0"
Capturing on 'Wi-Fi'
 ** (tshark:728) 11:00:25.279637 [Main MESSAGE] -- Capture started.

1   0.000000 151.101.42.49 → 10.0.0.18    TCP 54 443 → 51978 [FIN, ACK] Seq=1 Ack=1 Win=286 Len=0
2   0.000197    10.0.0.18 → 151.101.42.49 TCP 54 51978 → 443 [FIN, ACK] Seq=1 Ack=2 Win=507 Len=0
3   0.356084 151.101.42.49 → 10.0.0.18    TLSv1.2 85 Encrypted Alert
4   0.356342    10.0.0.18 → 151.101.42.49 TCP 54 51980 → 443 [FIN, ACK] Seq=1 Ack=33 Win=507 Len=0
5   0.514348 151.101.190.49 → 10.0.0.18    TCP 54 443 → 52006 [FIN, ACK] Seq=1 Ack=1 Win=277 Len=0
6   0.514538    10.0.0.18 → 151.101.190.49 TCP 54 52006 → 443 [FIN, ACK] Seq=1 Ack=2 Win=509 Len=0
7   0.554725 151.101.190.49 → 10.0.0.18    TCP 54 443 → 52007 [FIN, ACK] Seq=1 Ack=1 Win=277 Len=0
8   0.554909    10.0.0.18 → 151.101.190.49 TCP 54 52007 → 443 [FIN, ACK] Seq=1 Ack=2 Win=509 Len=0

8 packets captured

If I do only IP6, then I get IPv6 packets. But, I only want the ones with SYN!

c:\progra~1\wireshark\tshark -i 5 -f "ip6"
Capturing on 'Wi-Fi'
 ** (tshark:17652) 10:59:50.549674 [Main MESSAGE] -- Capture started.

1   0.000000 2601:642:c202:9550:19ad:99f6:e7b4:26b1 → 2607:f8b0:4023:1c01::bc TCP 75 50002 → 5228 [ACK] Seq=1 Ack=1 Win=514 Len=1
2   0.027870 2607:f8b0:4023:1c01::bc → 2601:642:c202:9550:19ad:99f6:e7b4:26b1 TCP 86 5228 → 50002 [ACK] Seq=1 Ack=2 Win=265 Len=0 SLE=1 SRE=2
3   0.112625 fe80::1256:11ff:fe99:e3d7 → ff02::1 ICMPv6 174 Router Advertisement from 10:56:11:99:e3:d7
4   2.882030 2601:642:c202:9550:19ad:99f6:e7b4:26b1 → 2607:f8b0:4005:809::2013 TCP 75 [TCP segment of a reassembled PDU]
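The filters above rely on `tcp[tcpflags]`, so the following added example (not part of the original post) shows where the TCP flags byte sits in a raw IPv6 packet: at byte 53 when TCP directly follows the 40-byte IPv6 header, and further in when extension headers are present. The byte-offset expression in the docstring, the function names and the packet bytes are assumptions constructed for illustration.

```python
import struct

TCP, FRAGMENT = 6, 44
EXT_GENERIC = {0, 43, 60}        # hop-by-hop, routing, destination options
TCP_FIN, TCP_SYN = 0x01, 0x02

def fixed_offset_match(pkt, mask=TCP_SYN | TCP_FIN):
    """Mirror of the byte-offset test `ip6[6] == 6 and ip6[53] & 0x03 != 0`."""
    return (len(pkt) > 53 and pkt[0] >> 4 == 6
            and pkt[6] == TCP and (pkt[53] & mask) != 0)

def tcp_flags_ipv6(pkt):
    """Return the TCP flags byte of a raw IPv6 packet, or None if it has no TCP header."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    nxt, off = pkt[6], 40
    while nxt != TCP:
        if len(pkt) < off + 8:
            return None
        if nxt in EXT_GENERIC:
            # byte 0: next header, byte 1: length in 8-byte units beyond the first 8
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nxt == FRAGMENT:
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return None      # non-first fragment: no TCP header in it
            nxt, off = pkt[off], off + 8
        else:
            return None          # some other upper-layer protocol (e.g. ICMPv6)
    return pkt[off + 13] if len(pkt) >= off + 14 else None

# --- constructed sample packets (not taken from the capture above) ---
def ipv6(next_header, payload):
    src = bytes.fromhex("20010db8" + "00" * 11 + "01")   # 2001:db8::1
    dst = bytes.fromhex("20010db8" + "00" * 11 + "02")   # 2001:db8::2
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload

def tcp(flags):
    # ports, seq, ack, data offset 5, flags, window, checksum 0 (not computed), urgent 0
    return struct.pack("!HHIIBBHHH", 50002, 443, 1, 0, 5 << 4, flags, 512, 0, 0)

HOP_BY_HOP = bytes([TCP, 0, 1, 4, 0, 0, 0, 0])   # next header TCP, length 0, PadN option
SYN_PLAIN = ipv6(TCP, tcp(TCP_SYN))
ACK_PLAIN = ipv6(TCP, tcp(0x10))
SYN_WITH_EXT = ipv6(0, HOP_BY_HOP + tcp(TCP_SYN))

if __name__ == "__main__":
    for name, pkt in [("SYN", SYN_PLAIN), ("ACK", ACK_PLAIN), ("SYN+hop-by-hop", SYN_WITH_EXT)]:
        print(name, "fixed offset:", fixed_offset_match(pkt), "flags:", tcp_flags_ipv6(pkt))
```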
