This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Filter to detect start of TCP connections

0

I want to list the start of every TCP connection on a pcap file.

I know that in order to detect the end of the connection I can use this filter tcp.flags.fin eq 1 or tcp.flags.reset eq 1, because when a TCP connection is closed, the FIN flag or the RST flag are set.

But I can't seem to find what flags are set when a TCP connection is started.

Can anyone help me?

asked 08 Apr '16, 10:47

twistedx's gravatar image

twistedx
11225
accept rate: 0%

edited 08 Apr '16, 10:48

One Answer:

1

tcp.flags.syn==1

answered 08 Apr '16, 11:02

Jim%20Aragon's gravatar image

Jim Aragon
7.2k733118
accept rate: 24%

Thank you!

(08 Apr '16, 11:08) twistedx

That filter will show the first two packets of the TCP handshake. Perhaps better, the following filter will show only the first packet of the handshake, the one that is actually requesting that a connection be established:

tcp.flags.syn==1 && tcp.flags.ack==0

(09 Apr '16, 18:49) Jim Aragon