
How to get all tcp-streams by a passed filter?

Hello!

I've been asked by our client why our server doesn't work properly. I have a 200MB pcap dump. Looking through it quickly, I've seen many reasons why it could happen: the client sends RST after SYN-ACK, the ACK to a FIN sometimes takes about a whole second, a big amount of data as response (not a problem actually) and so on.

So, I would like to find out which problem is dominant, to dig into the problem further. The result I would like to see is all tcp-streams matched by specified filters.

Well, my question is how to get all tcp-streams by specified filters and how to write a filter where the time between FIN and ACK is more than, say, 500 ms?

Can Wireshark do it? Thank you!

9maf4you
asked 2019-06-24 15:03:13 +0000

1 Answer


Unfortunately, there's currently no filter to check for that (unlike, for example, checking for the time between the initial SYN and the SYN+ACK response).

You could try

tcp.analysis.ack_rtt > .5

to find all packets with an ACK that's more than .5 seconds (500 ms) after the packet being ACKed.

Guy Harris
answered 2019-06-24 18:56:48 +0000
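Since Wireshark has no FIN-to-ACK delay field, the delay can be computed outside it. The script below is an added example, not part of the answer above: it walks a classic microsecond-timestamp pcap (assumed Ethernet link type carrying IPv4/TCP with no VLAN tags) and reports every flow whose FIN was acknowledged later than a threshold; the capture it runs on is constructed inline rather than taken from the questioner's dump.

```python
import struct
from ipaddress import IPv4Address

def fin_ack_delays(pcap, threshold=0.0):
    """Scan a classic pcap (Ethernet/IPv4/TCP) and return [(flow, seconds)] for every FIN
    whose acknowledging segment arrived more than `threshold` seconds later;
    flow = (src, sport, dst, dport) of the host that sent the FIN."""
    end = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"   # byte order from the magic number
    off, pending, slow = 24, {}, []                           # skip the 24-byte global header
    while off + 16 <= len(pcap):
        sec, usec, incl, _ = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        ip = frame[14:]
        if frame[12:14] != b"\x08\x00" or ip[9] != 6:         # only IPv4 carrying TCP
            continue
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        src, dst = str(IPv4Address(ip[12:16])), str(IPv4Address(ip[16:20]))
        tcp = ip[ihl:total]
        sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
        payload, flags, ts = len(tcp) - (tcp[12] >> 4) * 4, tcp[13], sec + usec / 1e6
        if flags & 0x01:                                      # FIN: the peer must ACK seq+payload+1
            pending[(src, sport, dst, dport)] = (seq + payload + 1, ts)
        key = (dst, dport, src, sport)                        # reverse direction of this segment
        if flags & 0x10 and key in pending and ack >= pending[key][0]:
            delay = ts - pending.pop(key)[1]
            if delay > threshold:
                slow.append((key, round(delay, 6)))
    return slow

def _segment(ts, src, dst, sport, dport, seq, ack, flags):
    """Constructed sample record: Ethernet/IPv4/TCP header, no payload, microsecond timestamp."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed) + tcp
    frame = b"\x00" * 12 + b"\x08\x00" + ip
    return struct.pack("<IIII", int(ts), round((ts % 1) * 1e6), len(frame), len(frame)) + frame

# Constructed sample capture (not the questioner's dump): stream A's FIN is ACKed after 0.8 s,
# stream B's after 50 ms.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    _segment(10.0, "10.0.0.2", "10.0.0.1", 40000, 80, 1000, 5000, 0x11),   # A: client FIN+ACK
    _segment(10.8, "10.0.0.1", "10.0.0.2", 80, 40000, 5000, 1001, 0x10),   # A: server ACKs the FIN
    _segment(12.0, "10.0.0.3", "10.0.0.1", 40001, 80, 2000, 7000, 0x11),   # B: client FIN+ACK
    _segment(12.05, "10.0.0.1", "10.0.0.3", 80, 40001, 7000, 2001, 0x10),  # B: server ACKs the FIN
])
```

Against a real dump, pass the file's bytes to `fin_ack_delays(open(path, "rb").read(), 0.5)`; unlike `tcp.analysis.ack_rtt`, which flags any slow ACK, this reports only the ACK of the FIN.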
