Wireshark-bugs: [Wireshark-bugs] [Bug 13210] New: Feature request: improve the tcp.analysis filt
Date: Tue, 06 Dec 2016 10:45:04 +0000
Bug ID 13210
Summary Feature request: improve the tcp.analysis filter so it can find active or passive TCP close
Product Wireshark
Version 2.0.7
Hardware x86-64
OS macOS 10.12
Status UNCONFIRMED
Severity Enhancement
Priority Low
Component Dissection engine (libwireshark)
Assignee bugzilla-admin@wireshark.org
Reporter girolimetti@gmail.com

Build Information:
Version 2.0.7 (v2.0.7-0-gdaac0f4 from master-2.0)

Copyright 1998-2016 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.3.2, with libpcap, without POSIX capabilities, with
libz 1.2.5, with GLib 2.36.0, with SMI 0.4.8, with c-ares 1.12.0, with Lua 5.2,
with GnuTLS 2.12.19, with Gcrypt 1.5.0, with MIT Kerberos, with GeoIP, with
QtMultimedia, without AirPcap.

Running on Mac OS X 10.12.1, build 16B2555 (Darwin 16.1.0), with locale C, with
libpcap version 1.7.4 - Apple version 67, with libz 1.2.8, with GnuTLS 2.12.19,
with Gcrypt 1.5.0.
Intel(R) Core(TM) i7-4980HQ CPU @ 2.80GHz (with SSE4.2)

Built using llvm-gcc 4.2.1 (Based on Apple Inc. build 5658) (LLVM build
2336.9.00).

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.
--
Imagine a packet capture with a large number of TCP conversations.
Recently, I wanted to find all instances where a client or clients performed an
active TCP close.
Clearly, I can easily use existing filters to find ingress packets from said
client or clients that contain a FIN flag.
However, given closing a TCP connection involves exchanging a FIN flag in each
direction, it's currently difficult (impossible?) to distinguish between who
did an active and passive close using filters in Wireshark.
I am now exploring what can be done from the CLI using a combination of tshark
and other Linux utilities - or perhaps using PyShark.
I think this enhancement would fit nicely under the "tcp.analysis" set of
filters.


You are receiving this mail because:
  • You are watching all bug changes.