
tshark does not recognize tcp.analysis.initial_rtt

The Wireshark Display Filter "(tcp.flags==0x12) and not tcp.analysis.initial_rtt" works in Wireshark, but not tshark.

Problem:

My router is dropping SYN-ACK packets and NO-FLAG packets. I have about 12 hours worth of pcap files to sort through, so I created a script to loop through all pcap files in the directory, and delete any pcap file that does not contain SYN-ACK or NO-FLAG packets. I am now left with 284 files that contain to locate a total of 4 packets that were dropped.

Since the router should only drop SYN-ACK packets on half-open connections, the Wireshark display filter needs to include a check for the value of tcp.analysis.initial_rtt and the above display filter works. But it seems that Wireshark calculates tcp.analysis.initial_rtt, but tshark does not and I get the following error.

[bob@Linux dev]$ tshark -t ad -r "$fname" -Y "(tcp.flags==0x12) and not tcp.analysis.initial_rtt"
tshark: "tcp.analysis.initial_rtt" is neither a field nor a protocol name.

Is there another way around this in tshark to find a half-open connect with tcp.flags==0x12?

RB (1) asked 2023-10-10 20:21:16 +0000

Comments

What version of tshark are you using? I don't get an error with version 4.0.10.

An alternative filter is tcp.completeness & 6 == 2 (has syn/ack but not ack). See TCPAnalysis

André (2023-10-10 22:17:01 +0000)

tshark -G fields | grep tcp.analysis.initial_rtt to see if field is valid for your version of tshark.

Chuckc (2023-10-11 01:55:39 +0000)

Thank you for your responses. In reverse order,

(2) I have confirmed with the command line Chuckc provided that my version of tshark on CentOS 7 does not include the tcp.analysis.initial_rtt field.

(1) I have also confirmed that tshark on CentOS7 does not include the field tcp.completeness that André recommended.

tshark/wireshark on CentOS 7 is only version 1.10.14.

[root@Linux ~]# tshark -v
TShark 1.10.14 (Git Rev Unknown from unknown)

Copyright 1998-2015 Gerald Combs [email protected] and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.56.1, with libpcap, with libz 1.2.7, with POSIX capabilities (Linux), without libnl, with SMI 0.4.8, with c-ares 1.10.0, with Lua 5.1, without Python, with GnuTLS 3.3 ...

RB (2023-10-11 10:49:35 +0000)

2 Answers


On https://www.wireshark.org/docs/dfref/... it shows that the field tcp.analysis.initial_rtt has been included in wireshark and tshark since version 1.12.0 which came out in 2014. Is your tshark running on the same host as wireshark? If not, what is its version and can you upgrade to version 1.12 or newer?

As the field tcp.analysis.initial_rtt is calculated by looking at the delta between the SYN and the final ACK of the 3-way-handshake, it is not known yet on the SYN/ACK in the first pass over the packets. Wireshark always does 2-pass processing, while tshark by default does 1-pass processing, so your filter will indeed not work as expected and will show all SYN/ACK packets (whether or not there was a final ACK).

You can make tshark do 2-pass processing by specifying the -2 argument when running tshark. Your filter should work as expected then. You also need 2-pass processing for the tcp.completeness & 6 == 2 filter to work as expected.

SYN-bit (18.5k) answered 2023-10-11 10:02:25 +0000
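The following is an added illustration, not code from this thread or from Wireshark, of the two points made above: why a filter on tcp.analysis.initial_rtt (or on tcp.completeness, from André's comment) misbehaves in tshark's default single pass, and what the "tcp.completeness & 6 == 2" mask actually tests. It models a capture as a constructed list of packets; the handshake bit values (SYN=1, SYN-ACK=2, ACK=4) are the ones documented for tcp.completeness, and the helper names, sample addresses and timestamps are assumptions of this example.

```python
"""Toy model of one-pass vs two-pass TCP handshake analysis (added example, not tshark code)."""
from dataclasses import dataclass

# tcp.completeness bit values for the handshake (Wireshark TCPAnalysis documentation).
SYN, SYN_ACK, ACK = 1, 2, 4
# tcp.flags bits; a SYN/ACK is 0x12 = SYN | ACK.
FLAG_SYN, FLAG_ACK = 0x02, 0x10


@dataclass(frozen=True)
class Packet:
    no: int        # frame number
    src: str
    sport: int
    dst: str
    dport: int
    flags: int     # tcp.flags
    t: float       # capture time in seconds


def stream_key(p):
    """Both directions of one connection map to the same key, like tcp.stream does."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


def completeness_bits(flags):
    """Map a packet's flags to the tcp.completeness bit it contributes."""
    if flags & FLAG_SYN and flags & FLAG_ACK:
        return SYN_ACK
    if flags & FLAG_SYN:
        return SYN
    if flags & FLAG_ACK:
        return ACK
    return 0


def stream_state(packets):
    """Per-stream completeness mask plus SYN and final-ACK times, from one pass over 'packets'."""
    state = {}
    for p in packets:
        s = state.setdefault(stream_key(p), {"mask": 0, "syn_t": None, "ack_t": None})
        bits = completeness_bits(p.flags)
        s["mask"] |= bits
        if bits == SYN and s["syn_t"] is None:
            s["syn_t"] = p.t
        # The final ACK only counts once SYN and SYN/ACK have both been seen.
        # Note the parentheses: in Python '&' binds looser than '==', unlike the display filter syntax.
        elif bits == ACK and (s["mask"] & 3) == 3 and s["ack_t"] is None:
            s["ack_t"] = p.t
    return state


def initial_rtt(s):
    """tcp.analysis.initial_rtt (SYN to final ACK) is undefined until the final ACK is seen."""
    if s["syn_t"] is None or s["ack_t"] is None:
        return None
    return s["ack_t"] - s["syn_t"]


def half_open_syn_acks(packets, two_pass):
    """Frame numbers that '(tcp.flags==0x12) and not tcp.analysis.initial_rtt' selects.

    two_pass=False mimics default tshark: when the SYN/ACK is examined, only earlier frames
    are known, so initial_rtt is never set and every SYN/ACK matches. two_pass=True mimics
    Wireshark and 'tshark -2': the whole capture is analysed before the filter runs.
    """
    final = stream_state(packets) if two_pass else None
    selected = []
    for i, p in enumerate(packets):
        if p.flags != 0x12:
            continue
        s = final[stream_key(p)] if two_pass else stream_state(packets[: i + 1])[stream_key(p)]
        if initial_rtt(s) is None:
            selected.append(p.no)
    return selected


def completeness_half_open(packets):
    """SYN/ACK frames whose stream satisfies 'tcp.completeness & 6 == 2' after a full pass."""
    final = stream_state(packets)
    return [p.no for p in packets
            if p.flags == 0x12 and (final[stream_key(p)]["mask"] & 6) == SYN_ACK]


# Constructed sample capture: streams 1 and 3 complete the handshake, stream 2 never gets its ACK.
SAMPLE = [
    Packet(1, "10.0.0.2", 40000, "10.0.0.9", 443, 0x02, 0.000),
    Packet(2, "10.0.0.9", 443, "10.0.0.2", 40000, 0x12, 0.010),
    Packet(3, "10.0.0.2", 40000, "10.0.0.9", 443, 0x10, 0.011),
    Packet(4, "10.0.0.2", 40001, "10.0.0.9", 443, 0x02, 1.000),
    Packet(5, "10.0.0.9", 443, "10.0.0.2", 40001, 0x12, 1.012),
    Packet(6, "10.0.0.2", 40002, "10.0.0.9", 443, 0x02, 2.000),
    Packet(7, "10.0.0.9", 443, "10.0.0.2", 40002, 0x12, 2.020),
    Packet(8, "10.0.0.2", 40002, "10.0.0.9", 443, 0x10, 2.021),
]

if __name__ == "__main__":
    print("one pass :", half_open_syn_acks(SAMPLE, two_pass=False))   # every SYN/ACK
    print("two pass :", half_open_syn_acks(SAMPLE, two_pass=True))    # only the half-open one
    print("completeness & 6 == 2:", completeness_half_open(SAMPLE))
```

Running it shows the single pass returning all three SYN/ACKs while the two-pass variant and the completeness mask both return only frame 5, which is the behaviour difference between plain tshark and "tshark -2" described in the answer.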

Comments

Thank you for your response. In early October, I started with an old laptop and installed CentOS 7 as a workstation with GUI, and I probably used yum to install wireshark with wireshark-cli. That was version 1.10.14 and I had assumed because yum had no further updates that I was at the latest version. I ended up wiping the old laptop and installed with CentOS 9 stream as a basic server without CLI, and I was up to wireshark-cli 3.4.10-6. That version worked with tcp.analysis.initial_rtt but tcp.completeness was not available.

This morning I downloaded the source code for Wireshark and I am now at 4.0.10. This also resolved some errors I was having with tshark.

[bob@linux pcap]$ tshark -v
TShark (Wireshark) 4.0.10 (Git commit f5c7c25a81eb).

RB (2023-10-26 18:56:41 +0000)

I retired from 30+ years in IT a number of years ago, so I am in the process of relearning and catching up.

The issue is that wireshark and wireshark-cli are outdated versions in the CentOS repositories. I started with CentOS 7 and yum insisted there was no update for wireshark above 1.10.14. I wiped the laptop and installed CentOS 9 stream, and that took me up to 3.4.10-6. That gave me access to tcp.analysis.initial_rtt in tshark, but not tcp.completeness. I ended up downloading the source code and built wireshark. This gives me the current version of wireshark and tshark, and it fixed some errors I was running into with 3.4.10-6.

RB (1) answered 2023-10-26 19:04:36 +0000
