Please help me in the following query. I have a client opening and closing socket with server. Generally client send FIN packet to sever to close the session. But sometimes server initiates the FIN but its difficult to trace it in wireshark as I have to analyze long list of logs. So is there any filter I can use to narrow down my search. I am looking for a FILTER when server initiates FIN, ACK. asked 27 Sep '16, 04:45  singhmanpree... |
One Answer:
answered 27 Sep '16, 04:59  grahamb ♦ |
Thanks for the answer. But it will still not filter out if server initiates FIN, ACK in the first place. It will show all the FIN, ACK packet irrespective of who initiated it.
So this filter wont be able to help me much.
So you only want packets with FIN, ACK and the client hasn't sent a FIN yet.
Unfortunately, filters only work on each individual packet to include or exclude it based on the values in that packet, they can't look backwards or forwards in the packet list for values in other related packets.
Wireshark does have a tool, MATE, that can be used to build associations between packets that might be able to help you.
So this is true but you could try the following:
Use the filter from above to colorize the packets
Use the following display filter TCP.flags.syn==1 and TCP.flags.fin==1
Apply the stream Id as a column
Sort the trace by stream id column
Now it should be easier to find the relevant fin packets