This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

how to fully understand a specific display filter?

0

Hi,

As we know, we have lots of display filters based on TCP fields or Wireshark-specific fields. For example, tcp.analysis.flags. But I don't know where to find the detailed explanation of this display filter.

I can find the description here: http://www.wireshark.org/docs/dfref/t/tcp.html. But it still doesn't tell me what exactly tcp.analysis.flags means. This applies to all of the other display filters or fields.

Could anyone let me know how you figure it out?

Thanks!

asked 30 Dec '13, 18:57


SteveZhou
accept rate: 0%

edited 30 Dec '13, 18:58


One Answer:

4

In general you should approach this from another angle. If you start by understanding the protocol (by reading the relevant RFC, paper or website, e.g. the TCP/IP Guide) then the meanings of the fields become apparent.

Wireshark adds to this in the form of additional fields (so-called generated fields, enclosed in square brackets), which express additional analysis of the protocol or session. It is these which you won't find in the RFCs, but they should be described either in the Wiki, the User's Guide, or in books (like those from WiresharkU). Since we are engineers first, authors second, the documentation is lacking here.

If you understand source code, you can always go back to the source and read the code that creates these fields (Pro tip: that's what we do when confronted with such questions). In this case the (generated) field you mentioned is created whenever one of the (generated) analysis fields is created. So it can be used as a generic marker to filter packets which have something noteworthy that triggered the creation of a TCP analysis field.

answered 02 Jan '14, 15:26


Jaap ♦
accept rate: 14%

That's right! Thanks a lot!

(02 Jan '14, 23:41) SteveZhou
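The relationship the answer describes (tcp.analysis.flags is set whenever any specific TCP analysis field is generated, so a filter of just that field name selects every packet with a noteworthy event) can be illustrated with a small model. The following is an added example, not Wireshark's own code and not an accurate reproduction of its TCP analysis: it tracks a single two-party conversation, raises three simplified markers (lost segment, retransmission, duplicate ACK), and derives a generic marker from them exactly the way the answer describes. The `Segment` class, the function names and the sample conversation are all constructed for this example.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    """One TCP segment in a two-party conversation (constructed data)."""
    frame: int      # frame number as Wireshark would show it
    src: str        # sender: "client" or "server"
    seq: int        # relative sequence number
    ack: int        # relative acknowledgement number
    length: int     # TCP payload length in bytes


def analyse(segments):
    """Return {frame: set of specific analysis markers}.

    Simplified model of the per-stream bookkeeping behind Wireshark's
    generated tcp.analysis.* fields (hypothetical, not Wireshark's logic).
    Only three checks are modelled:
      - lost_segment:   data starts beyond the next expected byte (a gap)
      - retransmission: data lies entirely below the next expected byte
      - duplicate_ack:  a pure ACK repeats the previous pure ACK's number
    Real Wireshark applies more conditions (window, timing, SACK, ...).
    """
    next_expected = {}   # per sender: highest seq + len seen so far
    last_pure_ack = {}   # per sender: ack number of its last pure ACK
    results = {}
    for s in segments:
        markers = set()
        expected = next_expected.get(s.src)
        if s.length > 0:
            end = s.seq + s.length
            if expected is not None:
                if s.seq > expected:
                    markers.add("lost_segment")
                elif end <= expected:
                    markers.add("retransmission")
            if expected is None or end > expected:
                next_expected[s.src] = end
        else:
            # Pure ACK: compare against the previous pure ACK from this side.
            if last_pure_ack.get(s.src) == s.ack:
                markers.add("duplicate_ack")
            last_pure_ack[s.src] = s.ack
        results[s.frame] = markers
    return results


def generic_flag(markers):
    """The tcp.analysis.flags idea: present whenever any specific marker is."""
    return bool(markers)


def frames_matching_generic_filter(results):
    """Frames that a display filter of just 'tcp.analysis.flags' would select."""
    return sorted(frame for frame, m in results.items() if generic_flag(m))


# Constructed conversation: the client sends three 100-byte segments, the
# second is delayed so the server sees a gap, repeats its ACK, and the
# missing segment then arrives late.
SAMPLE = [
    Segment(1, "client", seq=1,   ack=1,   length=100),
    Segment(2, "server", seq=1,   ack=101, length=0),
    Segment(3, "client", seq=201, ack=1,   length=100),  # gap: bytes 101..200 missing
    Segment(4, "server", seq=1,   ack=101, length=0),    # same ack number again
    Segment(5, "client", seq=101, ack=1,   length=100),  # fills the gap
    Segment(6, "server", seq=1,   ack=301, length=0),
]

if __name__ == "__main__":
    res = analyse(SAMPLE)
    for frame in sorted(res):
        flag = "tcp.analysis.flags" if generic_flag(res[frame]) else "-"
        print(frame, flag, sorted(res[frame]))
    print("matching frames:", frames_matching_generic_filter(res))
```

Running it shows frames 3, 4 and 5 carrying a specific marker and therefore the generic one, while frames 1, 2 and 6 carry none; that is the sense in which a filter of `tcp.analysis.flags` alone is a catch-all for "something was noteworthy", and why the field has no meaning of its own beyond the presence of the specific analysis fields. To see which specific fields exist in a given Wireshark build, the answer's advice stands: read the dissector source, or the field reference it links.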