tcpdump filter for tcp zero window messages

networking tcp tcpdump pcap wireshark

Is there a pcap filter for TCPDump that will allow be to filter zero window messages?

I know how to filter these in a wireshark display filter (tcp.analysis.zero_window) but the amount of data I need to work with easily crashes wireshark (at least the 32 bit version) and breaking up the file and going through those captures is tedious.

Is there anyway to have a capture filter for TCP Zero Window Messages?


I think it can be done using a filter like:

"tcp[14] = 0 && tcp[15] = 0"

The tcp[i] notation means the index i of TCP header. The window size is located after 14 bytes from TCP header. For more info, you can look at man pcap-filter.

Related

LVM: resize2fs not resizing
Amazon Ec2: Issue with Setting up FTP Server
Analyze HTTP logs, looking for iOS
Logging all the commands executed during a kickstart installation to file and screen
Is there a way to set access to WMI using GroupPolicy?
How might one mass kill connections to MySQL?
Reconstructing .bashrc from running session
Logging onto Windows local computer without local or network account
All connections from this network get stuck in SYN_RECV state, connections from my home or phone properly get ESTABLISHED
How to configure DNS server on domain controller
Returning A List Of Quoted Files Paths Using Find
What should I watch out for in building low-budget storage servers?