This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

filtering tcp packet

0

I want to open a static web page and run Wireshark. How can I filter the last packet which comes from that page? Is it true to use tcp.flag.fin?

asked 07 Mar '11, 23:12


A B


One Answer:

3

It could be using the fin bit, in which case you'd filter for tcp.flags.fin==1. Or it might use a reset flag, which would be filtered using tcp.flags.reset==1. Or both together, just to be sure: tcp.flags.fin==1 or tcp.flags.reset==1.

My approach would be slightly different than yours though: I'd search for the URL of the "GET" request (if it's not easy to spot right away), and then use the popup menu "Conversation Filter -> TCP". That way you get the whole communication, including the last packet, which is very easy to jump to.

answered 08 Mar '11, 10:43


Jasper ♦♦

Thanks, so helpful answer.

(08 Mar '11, 15:44) A B
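An added example (not part of the original answer) that applies both approaches from the answer to constructed frames: the FIN/RST flag test and the per-conversation grouping. It shows that in an orderly close the final packet of a conversation is a bare ACK, which the flag filter alone does not match. The helper names, addresses and ports are assumptions made up for the illustration.

```python
import struct

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

def frame(src, dst, sport, dport, flags):
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left at 0)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp

def parse(raw):
    """Return (conversation key, TCP flags) for an IPv4/TCP frame, else None."""
    if len(raw) < 34 or raw[12:14] != b"\x08\x00" or raw[23] != 6:
        return None
    tcp = raw[14 + (raw[14] & 0x0F) * 4:]
    if len(tcp) < 14:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    # Sort the two endpoints so both directions map to the same conversation.
    return tuple(sorted([(raw[26:30], sport), (raw[30:34], dport)])), tcp[13]

def summarize(frames):
    """Per conversation: frames with FIN or RST set, and the last frame seen."""
    out = {}
    for number, raw in enumerate(frames, start=1):
        parsed = parse(raw)
        if parsed is None:
            continue
        key, flags = parsed
        entry = out.setdefault(key, {"teardown": [], "last": None})
        if flags & (FIN | RST):  # tcp.flags.fin==1 or tcp.flags.reset==1
            entry["teardown"].append(number)
        entry["last"] = number
    return out

C, S = (192, 0, 2, 10), (198, 51, 100, 80)  # constructed client and server
SAMPLE = [
    frame(C, S, 50000, 80, SYN), frame(S, C, 80, 50000, SYN | ACK),
    frame(C, S, 50000, 80, ACK),
    frame(C, S, 50001, 80, SYN),        # second connection to the same server
    frame(S, C, 80, 50000, FIN | ACK), frame(C, S, 50000, 80, FIN | ACK),
    frame(S, C, 80, 50001, RST | ACK),  # second connection ends with a reset
    frame(S, C, 80, 50000, ACK),        # final ACK of the close: no FIN bit
]

if __name__ == "__main__":
    for (a, b), info in summarize(SAMPLE).items():
        print(a[1], "<->", b[1], info)
```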