Is there a way to show all packet captures for one site capture


I would like to know if it possible to zero it on a packet capture by finding the the first syn ack and then find all sites associated with this.

Can you give a little more explanation? I'm assuming you have a large packet capture and you're looking to find a session initialization (the SYN ACK). Once you find the pertinent session(s) you want to find all "sites"? This is the confusing part.

(19 Oct '10, 07:38) GeonJay

When I want to find the first TCP SYN in a packet capture, I'll open the Find dialog ("CTRL+F" or Edit | Find Packet) and apply the following display filter:

tcp.flags eq 0x02

This will bring you to the first TCP SYN packet in the packet capture. If you want a list of all the sites associated with this host (I'm not sure if you mean source or destination host), I right-click on the IP address in question and select Apply as Filter | Selected.


