Wireshark · Wireshark-users: [Wireshark-users] Better way?

Wireshark-users: [Wireshark-users] Better way?

From: "Jeffrey Ross" <jeff@xxxxxxxxxx>

Date: Wed, 7 Mar 2007 09:45:51 -0500 (EST)

This is more for future edification as I already found a method that
worked (this time) to pull out the information I wanted, but is there a
better way?

I recently had an issue where I was receiving a large number of TCP
session initiation requests from an application server to my database
server.  In order to get the count per second I used the following display
filter:

(tcp.flags.syn eq 1 and tcp.flags.ack eq 0)

This showed me all the packets with only the initial syn and nothing else.
 I then looked at the starting source port noted that they increased
sequentially and then took the last port number subtracted the first from
the last and added 1 to get the total number of session requests in that
capture.  From there it was just divide that number by the total number of
seconds between the first and the last packets.

So my question is, is this the best way to do this, or is there a better way?

TIA, Jeff

Follow-Ups:
- Re: [Wireshark-users] Better way?
  - From: Hans Nilsson
- Re: [Wireshark-users] Better way?
  - From: Ed . Staszko

Prev by Date: Re: [Wireshark-users] Help with SSL Traffic decrypt / Analysis
Next by Date: Re: [Wireshark-users] Better way?
Previous by thread: Re: [Wireshark-users] FW: [tcpdump-workers] Help on Ethernet Size
Next by thread: Re: [Wireshark-users] Better way?
Index(es):
- Date
- Thread