I would like to know if it is possible to zero in on a packet capture by finding the first SYN ACK and then find all sites associated with this. asked 16 Oct '10, 12:35 eparl
One Answer:
When I want to find the first TCP SYN in a packet capture, I'll open the Find dialog ("CTRL+F" or Edit | Find Packet) and apply the following display filter:
This will bring you to the first TCP SYN packet in the packet capture. If you want a list of all the sites associated with this host (I'm not sure if you mean source or destination host), I right-click on the IP address in question and select Apply as Filter | Selected. -Josh answered 19 Oct '10, 05:59 joswr1ght
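The two steps in the answer (locate the first SYN, then filter on that host) as an added Python example, not code from the original post or from Wireshark: a minimal pcap parser run over a constructed six-packet capture. `first_syn` is the equivalent of the display filter `tcp.flags.syn == 1 && tcp.flags.ack == 0` (a SYN/ACK also has the SYN flag set, which is why ACK must be excluded, and a capture that starts mid-stream will contain ACK-only packets before the first SYN), and `peers_of` is the equivalent of `ip.addr == <host>` reduced to the set of remote endpoints. All addresses, ports and function names are constructed for the example.

```python
"""Find the first TCP SYN in a pcap and list every host that talked to the
SYN's source. Toy parser; the sample capture below is constructed inline."""
import socket
import struct
from typing import Iterator, List, NamedTuple, Optional, Set

TCP_SYN = 0x02
TCP_ACK = 0x10
TCP_PSH = 0x08


class TcpPacket(NamedTuple):
    index: int   # 0-based position in the capture (Wireshark shows index + 1)
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


def build_frame(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame with zeroed MACs and checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(frames: List[bytes]) -> bytes:
    """Wrap frames in a little-endian pcap (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        # timestamps are constructed: one second apart, starting at an arbitrary epoch value
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(pcap: bytes) -> Iterator[bytes]:
    """Yield each captured frame; handles both byte orders of the classic pcap magic."""
    if len(pcap) < 24:
        raise ValueError("truncated pcap header")
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a microsecond-resolution pcap file")
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def parse_tcp(index: int, frame: bytes) -> Optional[TcpPacket]:
    """Return the TCP 4-tuple and flags, or None for non-IPv4/non-TCP frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType 0x0800 = IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4                          # IPv4 header length in bytes
    if frame[23] != 6:                                    # IP protocol 6 = TCP
        return None
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    tcp = 14 + ihl
    if len(frame) < tcp + 14:
        return None
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    return TcpPacket(index, src, dst, sport, dport, frame[tcp + 13])


def tcp_packets(pcap: bytes) -> Iterator[TcpPacket]:
    for i, frame in enumerate(iter_frames(pcap)):
        pkt = parse_tcp(i, frame)
        if pkt is not None:
            yield pkt


def first_syn(pcap: bytes) -> Optional[TcpPacket]:
    """Same selection as the display filter tcp.flags.syn == 1 && tcp.flags.ack == 0."""
    for pkt in tcp_packets(pcap):
        if pkt.flags & TCP_SYN and not pkt.flags & TCP_ACK:
            return pkt
    return None


def peers_of(pcap: bytes, host: str) -> Set[str]:
    """Same selection as ip.addr == host, reduced to the set of remote endpoints."""
    peers: Set[str] = set()
    for pkt in tcp_packets(pcap):
        if pkt.src == host:
            peers.add(pkt.dst)
        elif pkt.dst == host:
            peers.add(pkt.src)
    return peers


# Constructed capture: packet 0 is mid-stream (ACK|PSH) so the first SYN is packet 1.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "198.51.100.7", 50999, 80, TCP_ACK | TCP_PSH),
    build_frame("10.0.0.5", "93.184.216.34", 51000, 443, TCP_SYN),
    build_frame("93.184.216.34", "10.0.0.5", 443, 51000, TCP_SYN | TCP_ACK),
    build_frame("10.0.0.5", "93.184.216.34", 51000, 443, TCP_ACK),
    build_frame("10.0.0.9", "203.0.113.2", 52000, 443, TCP_SYN),
    build_frame("10.0.0.5", "192.0.2.10", 51001, 443, TCP_SYN),
])

if __name__ == "__main__":
    syn = first_syn(SAMPLE_PCAP)
    print("first SYN: frame", syn.index + 1, syn.src, "->", syn.dst, "port", syn.dport)
    print("hosts seen with", syn.src + ":", sorted(peers_of(SAMPLE_PCAP, syn.src)))
```

On the sample capture the first SYN is frame 2 in Wireshark numbering (10.0.0.5 to 93.184.216.34:443), and the hosts associated with 10.0.0.5 are 192.0.2.10, 198.51.100.7 and 93.184.216.34; the mid-stream ACK in frame 1 and the SYN/ACK in frame 3 are correctly skipped by the SYN-without-ACK test, while the unrelated 10.0.0.9 session is excluded by the host filter.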
Can you give a little more explanation? I'm assuming you have a large packet capture and you're looking to find a session initialization (the SYN ACK). Once you find the pertinent session(s) you want to find all "sites"? This is the confusing part.