Wireshark-users: Re: [Wireshark-users] Filter for Unanswered SYN's

From: "Sake Blok" <sake@xxxxxxxxxx>
Date: Thu, 23 Apr 2009 21:06:42 +0200
If there are multiple SYN packets with the same srcip:sport and dstip:dport, all of them (except the first one) will have the flag "tcp.analysis.reused_ports" set. So you can search or filter on that.
 
I see no easy way to filter SYN packets that have no corresponding SYN/ACK, but I'm sure you would be able to use MATE or LUA to achieve that.
 
Cheers,
    Sake
----- Original Message -----
Sent: Thursday, April 23, 2009 5:38 PM
Subject: Re: [Wireshark-users] Filter for Unanswered SYN's

I’m going to assume that one port, be it the source or destination, is going to be constant. If this is the case, you would be able to use a filter of (tcp.port == <port number>) && (tcp.flags.syn == 1). This will show you all SYN packets related to that socket, including any SYN, ACK packets from the server.

Though I’m sure someone else on here will have a better way :).

- FB

 

From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of St Onge,Adam
Sent: Thursday, April 23, 2009 9:25 AM
To: 'wireshark-users@xxxxxxxxxxxxx'
Subject: [Wireshark-users] Filter for Unanswered SYN's

 

I’m working on an issue where a server is not answering TCP SYN’s due to port reuse, while the socket is still in Time_Wait on the server. I was wondering if there is a way to do a filter that would show me “tcp.flags eq 02” if there are multiples for that same socket, or if there is no corresponding Syn,Ack?

 

Thanks,

Adam
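
Added example, not part of the original thread: one way to find SYNs that never get a SYN/ACK without MATE or Lua is to export the SYN-flagged packets with tshark and correlate them in Python. The function name and the sample rows are constructed, and the export command in the comment uses a placeholder capture file name.

```python
import csv
from collections import defaultdict

# Input is assumed to come from (capture.pcap is a placeholder name):
#   tshark -r capture.pcap -Y "tcp.flags.syn == 1" -T fields -E separator=, \
#     -e frame.number -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.flags
SYN, ACK = 0x02, 0x10

# Constructed sample rows. Port 40001 is answered once and then reused (frame 5)
# with no reply; port 40002 sends a SYN and a retry, neither of them answered.
SAMPLE = """\
1,10.0.0.5,40001,10.0.0.9,80,0x0002
2,10.0.0.9,80,10.0.0.5,40001,0x0012
3,10.0.0.5,40002,10.0.0.9,80,0x0002
4,10.0.0.5,40002,10.0.0.9,80,0x0002
5,10.0.0.5,40001,10.0.0.9,80,0x0002
6,10.0.0.5,40003,10.0.0.9,80,0x0002
7,10.0.0.9,80,10.0.0.5,40003,0x0012
"""

def unanswered_syns(lines):
    """Map (src, sport, dst, dport) -> frame numbers of SYNs with no later SYN/ACK."""
    pending = defaultdict(list)  # socket -> SYN frames still waiting for an answer
    for row in csv.reader(lines):
        if len(row) != 6 or not row[5]:
            continue  # skip malformed rows
        frame, src, sport, dst, dport, flags = row
        bits = int(flags, 16) & (SYN | ACK)
        if bits == SYN:
            pending[(src, sport, dst, dport)].append(int(frame))
        elif bits == (SYN | ACK):
            # A SYN/ACK answers every SYN seen so far on the reversed 4-tuple.
            pending.pop((dst, dport, src, sport), None)
    return dict(pending)

if __name__ == "__main__":
    for sock, frames in unanswered_syns(SAMPLE.splitlines()).items():
        print("%s:%s -> %s:%s unanswered SYN in frames %s" % (*sock, frames))
```

The frame numbers it reports can be pasted back into Wireshark as a frame.number filter to inspect the unanswered attempts in context.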

 
