Wireshark-users: Re: [Wireshark-users] Wireshark on CentOS4.5 crashing

From: Sake Blok <sake@xxxxxxxxxx>
Date: Fri, 15 Jun 2007 07:49:28 +0200
On Thu, Jun 14, 2007 at 05:28:19PM -0400, Richard Andrews wrote:
> 
> I'm trying to analyze a massive dump file ~1.6GB and unfortunately it is
> causing wireshark to crash.  This is most likely due to lack of system
> resources after a certain period when trying to load the file.  Any
> suggestions other than grabbing a new smaller capture, 

You could split up the large file into smaller chunks with the
editcap utility that comes with wireshark :-)

> ... or maybe someone
> could recommend what the best capture filter would be to log only the
> traffic destined for port 80 that could potentially be a Syn flood
> attack?

If you are only interested in SYN packets to port 80 you could use the 
capture filter "port 80 and tcp[0xd]&0x12==2". The tcp part of the
filter picks up the fourteenth byte from the TCP header which is
where the TCP flags are. It ANDs this byte with 0x12 to only keep
the SYN (00000010) and the ACK (00010000) bits. If the resulting
value equals 2, then the SYN flag was set and the ACK flag was unset.

Hope this helps, Cheers,


Sake
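As an added example (not part of Sake's message or of Wireshark), the Python below applies the same byte offset and mask as the capture filter "port 80 and tcp[0xd]&0x12==2" to constructed TCP headers, so the masking logic can be checked offline against SYN, SYN-ACK, ACK and ECN-marked SYN cases.

```python
import struct

# Constants taken from the capture filter "port 80 and tcp[0xd]&0x12==2":
# byte 13 (0xd) of the TCP header holds the flags; 0x12 masks ACK (0x10) and SYN (0x02).
TCP_FLAGS_OFFSET = 0xD
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
MASK = SYN | ACK  # 0x12


def build_tcp_header(src_port, dst_port, flags):
    """Constructed 20-byte TCP header (no options); only ports and flags matter here."""
    data_offset = 5 << 4  # header length 5 x 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       data_offset, flags, 65535, 0, 0)


def bpf_syn_to_port80(tcp_header):
    """Python equivalent of 'port 80 and tcp[0xd]&0x12==2'.

    Plain 'port 80' in a capture filter matches either source or destination
    port; 'dst port 80' would keep only traffic towards port 80.
    """
    src_port, dst_port = struct.unpack("!HH", tcp_header[:4])
    flags = tcp_header[TCP_FLAGS_OFFSET]
    return 80 in (src_port, dst_port) and (flags & MASK) == SYN


def count_syns(tcp_headers):
    """Count the headers the filter would keep when triaging a suspected SYN flood."""
    return sum(1 for h in tcp_headers if bpf_syn_to_port80(h))


# Constructed sample headers covering the cases the filter has to distinguish.
SAMPLES = {
    "syn_to_80": build_tcp_header(40000, 80, SYN),                  # kept: SYN set, ACK clear
    "synack_from_80": build_tcp_header(80, 40000, SYN | ACK),       # dropped: 0x12 & 0x12 == 0x12
    "ack_to_80": build_tcp_header(40000, 80, ACK),                  # dropped: 0x10 & 0x12 == 0x10
    "syn_to_443": build_tcp_header(40000, 443, SYN),                # dropped: port test fails
    "syn_ecn_to_80": build_tcp_header(40000, 80, SYN | ECE | CWR),  # kept: mask ignores ECN bits
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:16} flags=0x{hdr[TCP_FLAGS_OFFSET]:02x} kept={bpf_syn_to_port80(hdr)}")
    print("SYNs kept:", count_syns(SAMPLES.values()))
```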