This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Filtering out TCP connection termination packets

0

Hello I want to filter out the tcp connection closing i.e. the FIN and the respective ACK packets. In the case of FIN packets it is an easy task based on flags, but the ACK is tricky, as I want to keep the other ACK packets. One way that I can think of is by comparing the sequence number of this ACK packet to the acknowledgement number of the previous FIN packet, but I cannot get myself to come up with an expression for this case. How can this be achieved? Any other ways are also welcome.

asked 30 Sep '16, 04:21

pooja's gravatar image

pooja
6112
accept rate: 0%

One Answer:

1

Maybe MATE can be of help here.

answered 30 Sep '16, 04:39

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

Also see the discussion on this very similar question about why display filters can't be used to check values across more than one packet.

(30 Sep '16, 05:10) grahamb ♦

I'm afraid that MATE won't help here, at least alone:

  • MATE does not handle arithmetic, so exact matching of the tcp.seq of the packet bearing the FIN flag and the ˙tcp.ack` of the packet bearing the ACK to it is impossible as these two values differ by one.

  • as no data packet follows the one with FIN, the TCP dissector does not generate the tcp.nxtseq field which normally matches the tcp.ack of the acknowledging packet (if such exists)

So to make the task "MATEable", you would have to first use a Lua post-dissector to add a metafield carrying the tcp.seq + 1 value. It is then questionable whether it is not easier to use the Lua post-dissector to implement the complete task, the following way:

  • build a table of tcp.seq values of all FIN packets in the capture, indexed by tcp.stream and direction (tcp.srcport of the packet carrying the FIN flag)

  • compare the ack numbers of all TCP packets in the capture to this table, and add a metafield like tcp.analysis.ack_to_fin to packets whose tcp.ack value would be higher than the stored tcp.seq of FIN packets for the same tcp.stream and tcp.dstport (opposite direction).

The display filter showing all the FIN packets and their matching ACK ones would then be tcp.flags.fin == 1 or tcp.analysis.ack_to_fin.

(30 Sep '16, 07:14) sindy
1

OK, so using MATE you can generate metafields allowing you to display only the first FIN packet of each TCP session and all the packets following it (which may be more packets than just the one carrying the ACK to the FIN, but usually not too many). Is that enough for you?

(01 Oct '16, 07:37) sindy

Hey, that helps a lot. Yes that would be enough for my application. I am getting to know MATE now, no clue about it, so will post if I succeed in it. Thank you.

(04 Oct '16, 05:03) pooja
1

what you'd do would be to

Extract fin From tcp.flags.fin;
Extract stream From tcp.stream;

into a tcp Pdu, and then Start on (fin = 1) a GoP of tcp which would use stream as its key.

Unfortunately, GoP's Expiration seems not to work, so you'll get everything after the first FIN as GoP members.

Hm, it seems writing a howto took almost more keypresses than writing the complete MATE configuration would :-)

(04 Oct '16, 05:29) sindy