Kyle Brandt

Asked: 2011-02-21 09:13:33 +0800 CST2011-02-21 09:13:33 +0800 CST 2011-02-21 09:13:33 +0800 CST

tcpdump filter for tcp zero window messages

Is there a pcap filter for TCPDump that will allow be to filter zero window messages?

I know how to filter these in a wireshark display filter (tcp.analysis.zero_window) but the amount of data I need to work with easily crashes wireshark (at least the 32 bit version) and breaking up the file and going through those captures is tedious.

Is there anyway to have a capture filter for TCP Zero Window Messages?

1 Answers

Voted

Best Answer

Khaled
2011-02-21T09:32:45+08:002011-02-21T09:32:45+08:00
I think it can be done using a filter like:

"tcp[14] = 0 && tcp[15] = 0"

The tcp[i] notation means the index i of TCP header. The window size is located after 14 bytes from TCP header. For more info, you can look at man pcap-filter.
7

tcpdump filter for tcp zero window messages

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Resolve host name from IP address

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?