Ethereal-users: Re: [Ethereal-users] Finding tcp syn packets without response.

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Wed, 15 Jun 2005 20:06:10 +0200
> Im trying to make a ethereal filter to show all tcp syn packets without
> syn-ack response from server, but I dont find the way to make this filter (
> in not sure if its possible to make such filter). What is the best way to
> find tcp syn packets without syn-ack response? 

MATE can help for this

Using the following configuration mate will create a tree on every
frame that has tcp in which it will add a mate.tcp_ses.syn_ack field
by which to filter those sessions that have had a SYN/ACK.

# syn_ack  replace tcp_syn and tcp_ack with syn_ack
Action=Transform; Name=syn_ack; Mode=Replace; Match=Strict;
tcp_syn=tcp.flags.syn; tcp_ack=tcp.flags.ack; .syn_ack;

   Action=PduDef; Name=tcp_pdu; Proto=tcp; Transport=ip; addr=ip.addr;
port=tcp.port; tcp_syn=tcp.flags.syn; tcp_ack=tcp.flags.ack; 
tcp_stop=tcp.flags.reset; tcp_stop=tcp.flags.fin;

Action=PduTransform; For=tcp_pdu; Name=syn_ack;

   Action=GopDef; Name=tcp_ses; On=tcp_pdu; addr; addr; port; port;
   Action=GopStart; For=tcp_ses; tcp_syn=1;
   Action=GopStop; For=tcp_ses; tcp_stop=1;
   Action=GopExtra;  For=tcp_ses;  syn_ack;

You can learn more about MATE from http://wiki.ethereal.com/Mate

Luis