Wireshark-bugs: [Wireshark-bugs] [Bug 13210] New: Feature request: improve the tcp.analysis filt
Bug ID |
13210
|
Summary |
Feature request: improve the tcp.analysis filter so it can find active or passive TCP close
|
Product |
Wireshark
|
Version |
2.0.7
|
Hardware |
x86-64
|
OS |
macOS 10.12
|
Status |
UNCONFIRMED
|
Severity |
Enhancement
|
Priority |
Low
|
Component |
Dissection engine (libwireshark)
|
Assignee |
bugzilla-admin@wireshark.org
|
Reporter |
girolimetti@gmail.com
|
Build Information:
Version 2.0.7 (v2.0.7-0-gdaac0f4 from master-2.0)
Copyright 1998-2016 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with Qt 5.3.2, with libpcap, without POSIX capabilities, with
libz 1.2.5, with GLib 2.36.0, with SMI 0.4.8, with c-ares 1.12.0, with Lua 5.2,
with GnuTLS 2.12.19, with Gcrypt 1.5.0, with MIT Kerberos, with GeoIP, with
QtMultimedia, without AirPcap.
Running on Mac OS X 10.12.1, build 16B2555 (Darwin 16.1.0), with locale C, with
libpcap version 1.7.4 - Apple version 67, with libz 1.2.8, with GnuTLS 2.12.19,
with Gcrypt 1.5.0.
Intel(R) Core(TM) i7-4980HQ CPU @ 2.80GHz (with SSE4.2)
Built using llvm-gcc 4.2.1 (Based on Apple Inc. build 5658) (LLVM build
2336.9.00).
Wireshark is Open Source Software released under the GNU General Public
License.
Check the man page and http://www.wireshark.org for more information.
--
Imagine a packet capture with a large number of TCP conversations.
Recently, I wanted to find all instances where a client or clients performed an
active TCP close.
Clearly, I can easily use existing filters to find ingress packets from said
client or clients that contain a FIN flag.
However, given closing a TCP connection involves exchanging a FIN flag in each
direction, it's currently difficult (impossible?) to distinguish between who
did an active and passive close using filters in Wireshark.
I am now exploring what can be done from the CLI using a combination of tshark
and other Linux utilities - or perhaps using PyShark.
I think this enhancement would fit nicely under the "tcp.analysis" set of
filters.
You are receiving this mail because:
- You are watching all bug changes.