This is our old Q&A Site. Please post any new questions and answers at

I think it may be a naive question, but I also want to make sure of this; I'm wondering if this could affect pefromance of a tap or the program speed: I want to filter syn packets using(tcp.flags.syn==1), I know it is implicitly filter the tcp protocal, is there any need to mention the TCP protocol explicitly again inside the filter of the tap??

asked 05 Dec '12, 00:56

Leena's gravatar image

accept rate: 0%

edited 05 Dec '12, 04:53

Jasper's gravatar image

Jasper ♦♦

You mean, do you need to filter on "tcp.flags.syn==1 and tcp"? No, tcp.flags.syn==1 is enough in itself, it will only look at the packets containing the TCP protocol layer. Speed-wise I don't think it makes much difference to additionally specifiy "tcp" since the filter checks that anyway, so I guess it gets optimized anyway.

permanent link

answered 05 Dec '12, 01:23

Jasper's gravatar image

Jasper ♦♦
accept rate: 18%

Thanks alot

(05 Dec '12, 02:06) Leena

@Jasper: I want to be sure of this although I checked on it by trials on wireshark, I need to filter ipv4 and in the filter I have ip address in ipv4(ip.src==,so as the rule above it will implicitly filter the ipv4,right?? no need to write (ip) in the filter? Thanks a alot, and sorry to disturb you.

(09 Dec '12, 23:06) Leena

no, ip.src is enough to make sure the filter works. And you're not disturbing ;-)

(10 Dec '12, 01:32) Jasper ♦♦

@Jasper:Thanks a lot, but if I use (not ip.src== filter inbound traffic I should mention ipv4 in the filter explicitly,right?? I tried it with just a display filter in a pcap and packets with ipv6 still there.

(10 Dec '12, 12:19) Leena

which makes sense, because all you're saying is "do not show me ipv4 addresses of the network". You need to add "and not ipv6" to also remove ipv6 traffic. Or just go "ip and not ip.src==" to remove everything that is not IPv4 as well as the network you don't want.

(10 Dec '12, 12:32) Jasper ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 05 Dec '12, 00:56

question was seen: 2,879 times

last updated: 10 Dec '12, 12:32

p​o​w​e​r​e​d by O​S​Q​A