How to Find SYN Packets without SYN-ACK

by: George El., February 2019, Reading time: 1 minute

This post is based on a question on wireshark.org and all credit goes there to Kurt Knochner. I just thought it would be nice to test it.

So I launched Wireshark and tried to connect to 8.8.8.8 port 80, which I know won’t reply. If you use “tcp.flags eq 0x02” as the display filter, it will show only the packets with just the SYN flag set. In this case it is easy to see the retransmission, but what if you had thousands of packets to check?

The recommended way to identify these packets is to go to Statistics, Conversations, select the TCP tab, check the “Limit to display filter” box at the bottom, and sort by packets.

You see in the first row I have 3 packets. This is due to retransmissions, and it indicates that I sent a SYN and didn’t get a SYN-ACK. In reality this can be a server issue, a firewall issue, or even a bad connection issue.
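The same check done outside the GUI, as an added example (not from the original post or the wireshark.org answer): it parses Ethernet/IPv4/TCP frames, counts SYNs per conversation and drops every conversation that saw a SYN-ACK come back. The frames and the 192.0.2.10 and 198.51.100.7 addresses are constructed sample data, and the SYN test ignores flags other than SYN and ACK, so it is slightly broader than the exact-match filter “tcp.flags eq 0x02”.

```python
import struct
from collections import Counter
from ipaddress import ip_address

SYN, ACK, SYNACK = 0x02, 0x10, 0x12

def tcp_fields(frame):
    """Return (src, sport, dst, dport, flags) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                                   # too short, not IPv4, or not TCP
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
    tcp = 14 + ihl                                    # offset of the TCP header
    if len(frame) < tcp + 14:
        return None
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    src, dst = ip_address(frame[26:30]), ip_address(frame[30:34])
    return str(src), sport, str(dst), dport, frame[tcp + 13]

def unanswered_syns(frames):
    """Map each (src, sport, dst, dport) whose SYN never got a SYN-ACK to its SYN count."""
    syns, answered = Counter(), set()
    for frame in frames:
        fields = tcp_fields(frame)
        if fields is None:
            continue
        src, sport, dst, dport, flags = fields
        if flags & SYNACK == SYN:                     # SYN set, ACK clear
            syns[(src, sport, dst, dport)] += 1       # retransmissions raise the count
        elif flags & SYNACK == SYNACK:                # SYN-ACK answers the reverse direction
            answered.add((dst, dport, src, sport))
    return {conv: n for conv, n in syns.items() if conv not in answered}

def make_frame(src, sport, dst, dport, flags):
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 64240, 0, 0)
    return eth + ip + tcp

# Constructed sample: 3 unanswered SYNs to 8.8.8.8:80, plus one complete handshake.
SAMPLE = [make_frame("192.0.2.10", 50000, "8.8.8.8", 80, SYN)] * 3 + [
    make_frame("192.0.2.10", 50001, "198.51.100.7", 443, SYN),
    make_frame("198.51.100.7", 443, "192.0.2.10", 50001, SYNACK),
    make_frame("192.0.2.10", 50001, "198.51.100.7", 443, ACK),
]

if __name__ == "__main__":
    print(unanswered_syns(SAMPLE))
```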

In any case, happy troubleshooting.
