tcpdump filter for tcp zero window messages

Question

Is there a pcap filter for TCPDump that will allow be to filter zero window messages?

I know how to filter these in a wireshark display filter (tcp.analysis.zero_window) but the amount of data I need to work with easily crashes wireshark (at least the 32 bit version) and breaking up the file and going through those captures is tedious.

Is there anyway to have a capture filter for TCP Zero Window Messages?

score 9 · Accepted Answer · answered Feb 20 '11 at 17:32

9

I think it can be done using a filter like:

"tcp[14] = 0 && tcp[15] = 0"

The tcp[i] notation means the index i of TCP header. The window size is located after 14 bytes from TCP header. For more info, you can look at man pcap-filter.

answered Feb 20 '11 at 17:32

Khaled

36,533
8
72
99

2

You can also match both bytes directly: `tcp[14:2] = 0`. – Gerald Combs Feb 21 '11 at 01:19

tcpdump filter for tcp zero window messages

1 Answers1