I would like to know if it is possible to zero in on a packet capture by finding the first syn ack and then find all sites associated with this.
asked 16 Oct '10, 12:35
When I want to find the first TCP SYN in a packet capture, I'll open the Find dialog ("CTRL+F" or Edit | Find Packet) and apply the following display filter:
This will bring you to the first TCP SYN packet in the packet capture. If you want a list of all the sites associated with this host (I'm not sure if you mean source or destination host), I right-click on the IP address in question and select Apply as Filter | Selected.
answered 19 Oct '10, 05:59
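The same two steps done in code instead of the Wireshark GUI, as an added example that is not part of the original answer: a small parser that finds the first SYN (or SYN+ACK) in a classic pcap file and lists every address a chosen host exchanged TCP packets with. The capture bytes, addresses and function names are constructed for illustration, and IPv4 over Ethernet is assumed.

```python
import struct
from socket import inet_aton, inet_ntoa

SYN, ACK = 0x02, 0x10

def build_frame(src, dst, flags):
    # Constructed Ethernet/IPv4/TCP frame (ports fixed, checksums left zero).
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, inet_aton(src), inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 0x50, flags, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    # Classic little-endian pcap: 24-byte file header, 16-byte record headers.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def tcp_packets(pcap):
    # Yield (frame_number, src, dst, flags) for every IPv4/TCP frame.
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled")
    off, num = 24, 0
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + incl]
        off, num = off + 16 + incl, num + 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4/TCP (ARP, UDP, truncated frame, ...)
        tcp_at = 14 + (frame[14] & 0x0F) * 4  # honour the IP header length
        if len(frame) >= tcp_at + 14:
            yield num, inet_ntoa(frame[26:30]), inet_ntoa(frame[30:34]), frame[tcp_at + 13]

def first_handshake_packet(pcap, syn_ack=False):
    # First SYN with ACK clear, or the first SYN+ACK when syn_ack=True.
    want = (SYN | ACK) if syn_ack else SYN
    for num, src, dst, flags in tcp_packets(pcap):
        if (flags & (SYN | ACK)) == want:
            return num, src, dst
    return None

def peers_of(pcap, host):
    # Every address that exchanged TCP packets with host, in either direction.
    return sorted({d if s == host else s for _, s, d, _ in tcp_packets(pcap) if host in (s, d)})

C, S1, S2 = "192.0.2.10", "198.51.100.7", "203.0.113.9"  # constructed sample addresses
SAMPLE = build_pcap([b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,  # ARP-sized non-TCP frame
                     build_frame(C, S1, SYN), build_frame(S1, C, SYN | ACK), build_frame(C, S1, ACK),
                     build_frame(C, S2, SYN), build_frame(S2, C, SYN | ACK)])
```

Frame numbers count every record in the file, including skipped non-TCP frames, so they line up with the numbers Wireshark shows for the same capture.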