Let me start by prefixing my knowledge of Wireshark is very limited.
Context : I'm investigating logs between a server hosted files and an AV that supported ICAP protocol. In this logs I'm very interesting about the string :
Unable to read data from the transport connection: A connection attempt failed because the connected party did not properly respond after a period of time
I though a trace could be a good idea to investigate this logs so I'm using icap
flag to find all record about icap transaction.
As icap is based on the TCP/IP pile my question is :
Should I use
icap and tcp.analysis.flags
as a flag in Wireshark to find bad TCP packet?
Best Answer
There is no such thing as a bad TCP packet, unless you are expecting to find a packet corrupted on its way to your capture point, in which case the NIC might drop it before sending it up to the OS.
The string you've shared it just means one party tried to connect to the remote party and never received a response, so this is what you want to look for in Wireshark:
(Assume 1.2.3.4 is the client and 4.3.2.1 is the server)
You'll be left with a filter on a specific tcp stream and you might see this behaviour:
And you might never see a packet coming from 4.3.2.1 to 1.2.3.4;
Your real problem might be: