3

I have a huge pcap file which contains a large number of individual tcp streams.But out of these , there are some invalid streams which dont have the final fin/ack sequence. Is there any way i can find just these streams using wireshark ? Are there any other tools that let me search pcaps in this way?

Any help would be appreciated.

Improve this question
3
  • Are all they all definitely invalid? You can get unclosed sessions through normal behaviour, when people are involved at least.
    – Paul
    Commented Mar 19, 2012 at 10:01
  • at least in my scenario they are invalid . I am dealing with an IPS device that deals with these exact sequences. I need pin point the specific streams.
    – woodstok
    Commented Mar 19, 2012 at 10:12
  • 1
    I would do this this backwards, and use tcpdump to identify any streams that FIN-ACKed, then use grep to filter these from tcpdump output, then search the remainder for SYN-ACKs. But there may be a better way, so I'll wait for other suggestions.
    – Paul
    Commented Mar 19, 2012 at 13:05

2 Answers 2

Reset to default
1

The following command prints each incomplete half-connection. 

tcpdump -r pcap-file 'tcp[tcpflags] & (tcp-syn|tcp-fin) > 0' | 
sed -r 's/^.*IP (.*) > (.*):.*$/\1 \2/'|sort|uniq -u

The approach assumes that each socket pair is used only once during the entire trace.

Explanation

For a connection between

IP_A:PORT_A <--> IP_B:PORT_B

a tcpdump contains the halfs

IP_A:PORT_A > IP_B:PORT_B, and
IP_B:PORT_B > IP_A:PORT_A

For each half, the dump must contain two segments carrying a SYN or FIN flag. So, what the comand does is:

  1. Collect the segments that carry the SYN or FIN flag

    tcpdump -r pcap-file 'tcp[tcpflags] & (tcp-syn|tcp-fin) > 0

  2. Aggregate the result by half-connection, regardless of the actual flag (SYN or FIN)

    2.1. Sort by half-connection

    sed -r 's/^.*IP (.*) > (.*):.*$/\1 \2/'|sort

    2.2. Count the segments involved in each half-connection and filter out all half connections which correctly involve two segments

    uniq -u

Improve this answer
1

Here's another way of doing it using tshark. The idea is the same as the answer from @artistoex - the difference is that it doesn't look at each half-connection for itself, and the output is TCP stream number (from Wireshark/tshark) which might be easier to work with when you want to open that stream in Wireshark and continue to post process it there.

tshark -r pcap_file.pcap -R "tcp.flags & 0x03" -Tfields -etcp.stream | 
sort -n | uniq -c | awk -F ' ' '{ if ($1<4) print $1," ", $2 }'

The display filter does the same as the capture filter from the other answer, it uses the fact that the SYN and FIN bits are two of the least significant bits in the TCP flags field, so if both are set, that would be 0b11 or 0x3. AND-ing the tcp.flags field with 0x3 would give non-zero values if either flag is set.

tshark outputs the TCP stream number for each packet here. We sort them and count the unique numbers. The last step only prints the lines where the number of packet for this stream is less than 4 (1 SYN and 1 FIN for each half-direction).

Then you can open Wireshark with

wireshark -r pcap-file -R "tcp.stream eq 1234"

where 1234 is from the previous command.

Pretty? I guess not. Fast? No...

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .