Solved

WireShark - Capture Filter - FIN packets only

Posted on 2010-11-10
Last Modified: 2012-05-10
Hi All,

I'm troubleshooting a WAN Telnet disconnect problem that only occurs after 1-2 hours of inactivity.  The terminal emulation software vendor tells me I need to look for "FIN" packets for finding what device is terminating the connection.  Since there will be so much traffic in 1-2 hours, I'd like to just capture any packets that contain "FIN".

Can you help me with building the Capture Filter to accomplish this?

Thanks,
Dave
0
Question by:dsstao
2 Comments
 
LVL 14

Accepted Solution

by:
Otto_N earned 500 total points
ID: 34102485
'tcp[tcpflags] & tcp-fin != 0'  should do the trick (without the quotes, of course).

However, there can be quite a lot of TCP connections closing.  If you want to capture only packets to and from a particular host, add 'and host 10.10.10.1' to the capture filter.
0
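What the accepted filter tests at the byte level, as an added example that is not part of the original answer: the sketch below emulates `tcp[tcpflags] & tcp-fin != 0` (optionally with `and host ...`) over IPv4 packets and lists who sent each FIN. Every packet, port and address other than 10.10.10.1 is constructed for illustration, and the function names are hypothetical.

```python
import socket
import struct

TCP_FIN = 0x01  # numeric value of the pcap-filter constant tcp-fin

def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Constructed sample: 20-byte IPv4 header + 20-byte TCP header, no payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

def fin_filter_matches(pkt, host=None):
    """Emulate 'tcp[tcpflags] & tcp-fin != 0' (and 'host H' if given), IPv4 only."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return False                          # not IPv4, or protocol is not TCP
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
        return False                          # later fragment: no TCP header to index
    ihl = (pkt[0] & 0x0F) * 4                 # tcp[...] offsets start at the TCP header
    if len(pkt) < ihl + 14:
        return False
    if host is not None and socket.inet_aton(host) not in (pkt[12:16], pkt[16:20]):
        return False                          # 'host' matches source or destination
    return (pkt[ihl + 13] & TCP_FIN) != 0     # tcp[tcpflags] is byte 13 of the header

def fin_senders(packets, host=None):
    """Return (sender, receiver) for every FIN, in capture order."""
    out = []
    for pkt in packets:
        if fin_filter_matches(pkt, host):
            ihl = (pkt[0] & 0x0F) * 4
            sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
            out.append((f"{socket.inet_ntoa(pkt[12:16])}:{sport}",
                        f"{socket.inet_ntoa(pkt[16:20])}:{dport}"))
    return out

# Constructed capture: the first FIN listed per connection is the side that began closing.
SAMPLE = [
    build_ipv4_tcp("10.10.10.1", "192.168.5.20", 23, 51000, 0x18),  # PSH+ACK
    build_ipv4_tcp("192.168.5.20", "10.10.10.1", 51000, 23, 0x10),  # ACK
    build_ipv4_tcp("10.10.10.1", "192.168.5.20", 23, 51000, 0x11),  # FIN+ACK
    build_ipv4_tcp("192.168.5.20", "10.10.10.1", 51000, 23, 0x11),  # FIN+ACK
    build_ipv4_tcp("172.16.0.9", "192.168.5.20", 80, 40000, 0x11),  # other host
    build_ipv4_tcp("10.10.10.1", "192.168.5.20", 23, 51001, 0x04),  # RST: not matched
]

if __name__ == "__main__":
    for sender, receiver in fin_senders(SAMPLE, host="10.10.10.1"):
        print(f"FIN from {sender} to {receiver}")
```

The last sample packet shows that a connection torn down with RST instead of FIN does not match this filter.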
 
LVL 1

Author Closing Comment

by:dsstao
ID: 34103671
Thank you, YDM
0
