> I'm trying to make an Ethereal filter to show all TCP SYN packets without a
> SYN/ACK response from the server, but I don't find a way to make this filter
> (I'm not sure if it's possible to make such a filter). What is the best way to
> find TCP SYN packets without a SYN/ACK response?
MATE can help with this.
Using the following configuration, MATE will create a tree on every
frame that has TCP, in which it will add a mate.tcp_ses.syn_ack field
by which to filter those sessions that have had a SYN/ACK.
# syn_ack: replace tcp_syn and tcp_ack with syn_ack on PDUs that carry both
# flags set. The match values are compared with the PDU attribute values,
# which for tcp.flags.* are "1"/"0" (as in GopStart below), not field names.
Action=Transform; Name=syn_ack; Mode=Replace; Match=Strict;
tcp_syn=1; tcp_ack=1; .syn_ack;
# One PDU per TCP segment; attributes are taken from the listed fields.
Action=PduDef; Name=tcp_pdu; Proto=tcp; Transport=ip; addr=ip.addr;
port=tcp.port; tcp_syn=tcp.flags.syn; tcp_ack=tcp.flags.ack;
tcp_stop=tcp.flags.reset; tcp_stop=tcp.flags.fin;
Action=PduTransform; For=tcp_pdu; Name=syn_ack;
# A GOP (session) is keyed by both addresses and both ports, in any order.
Action=GopDef; Name=tcp_ses; On=tcp_pdu; addr; addr; port; port;
# Start on a SYN, stop on RST or FIN.
Action=GopStart; For=tcp_ses; tcp_syn=1;
Action=GopStop; For=tcp_ses; tcp_stop=1;
# Copy syn_ack from any PDU that has it onto the session -> mate.tcp_ses.syn_ack
Action=GopExtra; For=tcp_ses; syn_ack;
You can learn more about MATE from http://wiki.ethereal.com/Mate
Luis
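The same half-open detection carried out outside Ethereal, as an added example that is not part of Luis's post or of MATE: a Python script over a constructed list of TCP segments that keys sessions the way the GopDef above does (unordered address/port pairs), starts a session on a SYN, stops it on FIN or RST, and marks it when a SYN/ACK arrives. The frames, addresses and ports are invented for illustration.

```python
from typing import List, NamedTuple


class Segment(NamedTuple):
    """One TCP segment with the fields the MATE config looks at."""
    frame: int
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # subset of "SAFR": SYN, ACK, FIN, RST


def session_key(seg: Segment) -> frozenset:
    """Unordered endpoint pair, like MATE's 'addr; addr; port; port;' key."""
    return frozenset({(seg.src, seg.sport), (seg.dst, seg.dport)})


def unanswered_syns(segments: List[Segment]) -> List[int]:
    """Return frame numbers of SYNs whose session never saw a SYN/ACK.

    Mirrors the MATE config: a session (GOP) starts on a bare SYN, stops on
    FIN or RST, and is tagged syn_ack once a SYN+ACK segment belongs to it.
    A SYN answered only by RST (closed port) is therefore still reported.
    """
    sessions = []   # every session ever started, in order
    active = {}     # session_key -> open session
    for seg in segments:
        key = session_key(seg)
        ses = active.get(key)
        if ses is None:
            # No open session for this 4-tuple: only a bare SYN opens one.
            if "S" in seg.flags and "A" not in seg.flags:
                ses = {"start": seg.frame, "syn_ack": False}
                sessions.append(ses)
                active[key] = ses
            continue
        if "S" in seg.flags and "A" in seg.flags:
            ses["syn_ack"] = True           # GopExtra: copy syn_ack to the GOP
        if "F" in seg.flags or "R" in seg.flags:
            del active[key]                 # GopStop: a later SYN starts a new GOP
    return sorted(s["start"] for s in sessions if not s["syn_ack"])


# Constructed sample capture (not real traffic):
SAMPLE = [
    Segment(1, "10.0.0.1", 40000, "10.0.0.2", 80, "S"),    # completed handshake
    Segment(2, "10.0.0.2", 80, "10.0.0.1", 40000, "SA"),
    Segment(3, "10.0.0.1", 40000, "10.0.0.2", 80, "A"),
    Segment(4, "10.0.0.1", 40001, "10.0.0.2", 443, "S"),   # silently dropped
    Segment(5, "10.0.0.1", 40002, "10.0.0.2", 22, "S"),    # closed port
    Segment(6, "10.0.0.2", 22, "10.0.0.1", 40002, "RA"),
    Segment(7, "10.0.0.1", 40000, "10.0.0.2", 80, "FA"),   # first session ends
    Segment(8, "10.0.0.1", 40000, "10.0.0.2", 80, "S"),    # port reuse, no reply
]

if __name__ == "__main__":
    for frame in unanswered_syns(SAMPLE):
        print(f"frame {frame}: SYN without SYN/ACK")
```

Frames 4, 5 and 8 are reported: the dropped SYN, the SYN that was refused with RST, and the SYN that reuses a 4-tuple after the earlier session closed, which is why the script keeps a list of all sessions rather than one entry per key.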