Ethereal-users: RE: [Ethereal-users] How can I use Ethereal (0.10.13) to figure-out un-closed TCP

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Visser, Martin" <martin.visser@xxxxxx>
Date: Tue, 13 Dec 2005 13:57:34 +1100
The best tool I know to do this is "tcptrace" from http://www.tcptrace.org . If you run this on a standard pcap file and use the "-l" switch, you should get what you want. (You get a lot of info from "-l", so just grep for what you want.)
 
For instance, I captured to "tcp.pcap" and then ran the following:-
 
marty@reepy:~$ tcptrace -l tcp.pcap | egrep "host|complete conn:"
        host a:        reepy:22
        host b:        192.168.0.101:4433
        complete conn: no       (SYNs: 0)  (FINs: 0)
        host c:        192.168.0.101:3917
        host d:        reepy:80
        complete conn: yes
        host e:        reepy:4195
        host f:        checkip.bos.dyndns.org:80
        complete conn: yes
        host g:        192.168.0.101:3921
        host h:        reepy:80
        complete conn: RESET    (SYNs: 2)  (FINs: 0)
        host i:        192.168.0.101:3920
        host j:        reepy:80
        complete conn: RESET    (SYNs: 2)  (FINs: 0)
        host k:        192.168.0.101:3927
        host l:        reepy:80
        complete conn: no       (SYNs: 2)  (FINs: 0)
        host m:        192.168.0.101:3943
        host n:        reepy:80
        complete conn: yes
        host o:        192.168.0.101:4016
        host p:        reepy:80
        complete conn: no       (SYNs: 2)  (FINs: 0)
 
Analysis of this gives:-
 
Conv. ab was already running when I started the capture (no SYNs) and hasn't finished yet
Conv. cd, ef, mn all finished normally
Conv. gh & ij have completed, but with a RESET (rather than a finish) from one end
Conv. kl & op have started, but are yet to complete (2 SYNs but no FIN or RESET yet)
 
Hope that helps,
 
Martin
 
 
 

Martin Visser, CISSP
Network and Security Consultant
Consulting & Integration
Technology Solutions Group - HP Services

410 Concord Road
Rhodes NSW 2138
Australia

Mobile: +61-411-254-513
Fax: +61-2-9022-1800    
E-mail: martin.visserAThp.com


 


From: ethereal-users-bounces@xxxxxxxxxxxx [mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of Daniel Coudriet
Sent: Tuesday, 13 December 2005 3:55 AM
To: ethereal-users@xxxxxxxxxxxx
Subject: [Ethereal-users] How can I use Ethereal (0.10.13) to figure-out un-closed TCP connections

Hello all,

I am just starting to use Ethereal for the purpose of checking that a given set of applications is actually closing each and every TCP connection it has opened, and was wondering how, using Ethereal, I could figure out which connections are left open after the applications have been stopped.
 
I figured out I could try to first follow, then filter out, each complete TCP stream involved and finally see how many (if any) open streams remain, but it appears to be a (very) tedious process.
 
Hence my question about a possibly more efficient way to get that done using Ethereal 0.10.13.
 
Any suggestion would be greatly appreciated.
 
Best regards,
 
--
Daniel Coudriet
 
P.S.: Could not find anything about this kind of use in the FAQ.
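As an added illustration for this thread (it is not part of either message above, nor is it tcptrace code), the following Python script does by hand what Martin's "tcptrace -l | grep 'complete conn'" does and what Daniel was trying to do with per-stream filters: it reads a libpcap file, groups IPv4/TCP segments into connections, records which endpoints sent a SYN, a FIN or an RST, and labels each connection "yes", "RESET" or "no" with the SYN/FIN counts, mirroring the categories in Martin's output. Connections still labelled "no" at the end of the capture are the ones an application left open (or, with 0 SYNs, ones that were already running when the capture began). The capture it parses is constructed in memory; the addresses 10.0.0.5 and 192.168.0.101 and the port numbers are made-up sample values, and the frames carry zero checksums since nothing validates them. Only little-endian libpcap with Ethernet framing is handled; that is an assumption of the example, not a limitation of tcptrace.

```python
import struct
from collections import defaultdict

# TCP flag bits (RFC 793)
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
PCAP_MAGIC_LE = 0xA1B2C3D4  # little-endian libpcap, microsecond timestamps


def build_tcp_packet(src_ip, sport, dst_ip, dport, flags):
    """Build an Ethernet/IPv4/TCP frame with no payload (constructed test data, checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a libpcap file: 24-byte global header, then 16-byte record header + frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1134443854 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp_segments(pcap_bytes):
    """Yield (src_ip, sport, dst_ip, dport, tcp_flags) for every IPv4/TCP segment in the file."""
    (magic,) = struct.unpack_from("<I", pcap_bytes, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("only little-endian libpcap files are handled by this example")
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap_bytes, off)
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:
            continue  # not TCP
        ip_hdr = frame[14:14 + ihl]
        tcp = frame[14 + ihl:]
        if len(tcp) < 14:
            continue  # truncated TCP header, flags byte missing
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        yield (".".join(map(str, ip_hdr[12:16])), sport,
               ".".join(map(str, ip_hdr[16:20])), dport, tcp[13])


def classify_connections(pcap_bytes):
    """Return {connection: (verdict, syn_count, fin_count)} with tcptrace-style 'complete conn' verdicts.

    syn_count / fin_count are the number of endpoints that sent a SYN / FIN, so a retransmitted
    SYN still counts once, exactly as the '(SYNs: 2)' in the thread means one SYN per side.
    """
    stats = defaultdict(lambda: {"syn": set(), "fin": set(), "rst": False})
    for src, sport, dst, dport, flags in iter_tcp_segments(pcap_bytes):
        sender, peer = (src, sport), (dst, dport)
        conn = stats[tuple(sorted([sender, peer]))]  # direction-independent key
        if flags & SYN:
            conn["syn"].add(sender)
        if flags & FIN:
            conn["fin"].add(sender)
        if flags & RST:
            conn["rst"] = True
    result = {}
    for key, conn in stats.items():
        syns, fins = len(conn["syn"]), len(conn["fin"])
        if conn["rst"]:
            verdict = "RESET"
        elif syns == 2 and fins == 2:
            verdict = "yes"
        else:
            verdict = "no"
        result[key] = (verdict, syns, fins)
    return result


def unclosed_connections(pcap_bytes):
    """Connections with neither a full FIN exchange nor an RST: still open when the capture ended."""
    return sorted(k for k, (verdict, _, _) in classify_connections(pcap_bytes).items() if verdict == "no")


def sample_capture():
    """Constructed capture reproducing the four situations Martin describes."""
    c, srv = "192.168.0.101", "10.0.0.5"
    p = build_tcp_packet
    frames = [
        # 1. handshake + FIN from both sides: "complete conn: yes"
        p(c, 3917, srv, 80, SYN), p(srv, 80, c, 3917, SYN | ACK), p(c, 3917, srv, 80, ACK),
        p(c, 3917, srv, 80, FIN | ACK), p(srv, 80, c, 3917, FIN | ACK), p(c, 3917, srv, 80, ACK),
        # 2. handshake, then the server aborts: "complete conn: RESET"
        p(c, 3921, srv, 80, SYN), p(srv, 80, c, 3921, SYN | ACK), p(srv, 80, c, 3921, RST),
        # 3. handshake and nothing else: "no (SYNs: 2) (FINs: 0)", the leaked connection Daniel is hunting
        p(c, 3927, srv, 80, SYN), p(srv, 80, c, 3927, SYN | ACK), p(c, 3927, srv, 80, ACK),
        # 4. mid-stream traffic only, capture started late: "no (SYNs: 0) (FINs: 0)"
        p(c, 4433, srv, 22, ACK), p(srv, 22, c, 4433, ACK),
    ]
    return build_pcap(frames)


if __name__ == "__main__":
    for (a, b), (verdict, syns, fins) in sorted(classify_connections(sample_capture()).items()):
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}  complete conn: {verdict}  (SYNs: {syns}) (FINs: {fins})")
```

To run it on a real capture, replace `sample_capture()` with `open("tcp.pcap", "rb").read()`; the "no" rows with 2 SYNs are the connections the application opened and never tore down, while "no" with 0 SYNs are connections that predate the capture, which is the distinction Martin draws between conv. ab and conv. kl/op.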