This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Filter for SYN, PSH and RST flags

Hey, I want to add to this question.

I'm actually trying to display the SYN flags using the display function from above, but I am also trying to display the PSH and RST flags at the same time.

This might be a stupid question, but how do I write a display function to combine all three of these?

asked 19 Sep '13, 10:40

RajTrivedi
accept rate: 0%

converted to question 19 Sep '13, 14:22

grahamb ♦

Hm, is this what you want?
"tcp[13]==14||tcp[13]==2" for all [RST,ACK] or [SYN] packets (Client only)
"tcp[13]==14||tcp[13]&2" for all [RST,ACK] or [SYN] or [SYN,ACK] packets

A combination of all three of these: [SYN,RST,ACK]? I think this is an invalid combination. How about opening a new thread to separate it from this already positively answered question?

(19 Sep '13, 12:51) mrEEde

I've converted this to a question, please don't ask new questions as "answers" to an existing one.

(19 Sep '13, 14:23) grahamb ♦

One Answer:

Do you want a display filter which shows frames in which any of those 3 bits are set?

(tcp.flags.syn == 1) || (tcp.flags.push == 1) || (tcp.flags.reset == 1)

would do that.

A way to build up a filter like that is to look at the Flags section of a TCP fragment and then, for each bit you're interested in, right-click on the field for that bit and select "Prepare as filter" and then select "... or Selected". (You might need to change the value of what comes after the equals sign.)

answered 19 Sep '13, 14:32

JeffMorriss ♦
accept rate: 27%
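The filters in this thread differ in whether they test individual flag bits or compare the whole flags byte. The following is an added example, not part of the original thread, that applies the same three tests to the flags byte at offset 13 of constructed TCP headers; the function names and sample headers are assumptions made for illustration.

```python
import struct

# Flag bits in byte 13 of the TCP header, the byte that tcp[13] addresses.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
NAMES = [(FIN, "FIN"), (SYN, "SYN"), (RST, "RST"), (PSH, "PSH"), (ACK, "ACK"), (URG, "URG")]

def tcp_header(flags):
    """Constructed 20-byte TCP header (no options); ports and sequence are arbitrary."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 5 << 4, flags, 65535, 0, 0)

def flag_byte(header):
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13]

def label(header):
    b = flag_byte(header)
    return ",".join(name for bit, name in NAMES if b & bit) or "none"

def any_syn_psh_rst(header):
    # Mask test: same result as OR-ing the answer's three tcp.flags.* terms.
    return bool(flag_byte(header) & (SYN | PSH | RST))

def rstack_or_syn_only(header):
    # Whole-byte test: only [RST,ACK] (0x14) or a bare [SYN] (0x02) match.
    return flag_byte(header) in (RST | ACK, SYN)

def rstack_or_syn_bit(header):
    # Whole-byte [RST,ACK], or the SYN bit set next to any other flags.
    b = flag_byte(header)
    return b == (RST | ACK) or bool(b & SYN)

def compare(samples):
    """Map each sample's flag label to (any-of, exact, exact-or-SYN-bit) results."""
    return {label(h): (any_syn_psh_rst(h), rstack_or_syn_only(h), rstack_or_syn_bit(h))
            for h in samples}

# Constructed sample segments covering common flag combinations.
SAMPLES = [tcp_header(f) for f in (SYN, SYN | ACK, ACK, PSH | ACK, RST, RST | ACK, FIN | ACK)]

if __name__ == "__main__":
    for name, hits in compare(SAMPLES).items():
        print(f"{name:8} any-of={hits[0]!s:5} exact={hits[1]!s:5} exact-or-syn-bit={hits[2]}")
```

Only the bit-mask form matches a bare [RST] or a [PSH,ACK] segment; the whole-byte comparisons miss both.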