[Hansang Bae <hbae@xxxxxxxxxx>]

Sheahan, John wrote:
> I recently ran accross a problem where the application engineers were 
> complaining that they were getting java socket timeouts in the server logs.
> They said that the application would only log this problem if the server 
> attempted to connect but the 3 way handshake failed.
>  
> After sniffing the communication using Sniffer Pro, the "expert" did not 
> find these unanswered SYNs.
> I wound up having to apply a SYN and FIN filter at the same time, 
> exporting it to CSV, importing it into Excel and sorting by port.
> At that point, I was able to scroll down through every converstation in 
> the trace and see if every SYN that was sent had a corresponding FIN. 
> When I did this, I was able to easily spot multiple unanswered FINs, get 
> the port number and filter on those, thus solving the application 
> engineer's problem.
>  
> My question is, is there some way that I could have used the wireshark 
> software to filter on unanswered SYNs and could have saved myself alot 
> of work?


One of the most powerful things about Ethereal is the display filter. 
For example, typing in  (tcp.flags&7) should give you all tcp handshake 
packets.  With this, it should be trivial to find the unanswered acks (a 
series of SYN, SYN, SYN, then RST)

A display filter should be possible with Sniffer Pro, but it is much 
much more cumbersome (as I recall, haven't used SnifferPro in about four 
years!!!

--

Thanks,
Hansang