
Hello, I'm learning how to use Wireshark and I need some help with my homework. I have to run wireshark on a file and filter on tcp traffic with both the S and F flags set (as well as any others). I'm using the filter: tcp.flags but I'm not sure if this is correct. Help please.

asked 01 May '16, 01:16


Ezra Nb


Well, it's partially correct. Filtering on TCP flags tells Wireshark to show all packets that have a TCP flag field - which any TCP packet will, so you'll see them all.

What you need to filter for is specific flags, in your case SYN and FIN. To not give it all away just like that, here's an example of how you'd filter on a PSH flag:

tcp.flags.push==1

Which means "check if the Push flag is set". Filtering for just "tcp.flags.push" would again mean "check if there's a push flag field" (which there is, always). So you need to adapt the push filter for your SYN and FIN flag problem - good luck :-)


answered 01 May '16, 04:15


Jasper ♦♦
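Added example (not part of the original thread, and not Wireshark's own filter engine): it constructs a few sample TCP headers and evaluates a small subset of display-filter syntax against them, so you can see why "tcp.flags.push" (field present) matches every segment while "tcp.flags.push==1" (bit set) matches only segments carrying PSH. Flag names and bit positions follow the TCP header layout; the evaluator also accepts terms joined with "&&", so the same mechanism generalizes to any combination of flags.

```python
import struct

# Flag bits of the TCP header (bits 0-7 of the 16-bit data-offset/flags word).
# Names match Wireshark's tcp.flags.* field names.
TCP_FLAG_BITS = {
    "fin": 0x01, "syn": 0x02, "reset": 0x04, "push": 0x08,
    "ack": 0x10, "urg": 0x20, "ecn": 0x40, "cwr": 0x80,
}

def build_tcp_header(sport, dport, flags):
    """Constructed 20-byte TCP header with no options; checksum left at zero."""
    data_offset = 5  # header length in 32-bit words
    offset_flags = (data_offset << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, offset_flags, 65535, 0, 0)

def parse_tcp_flags(header):
    """Return the 9-bit flags field from a raw TCP header."""
    return struct.unpack("!H", header[12:14])[0] & 0x1FF

def evaluate_filter(expr, header):
    """Evaluate 'tcp.flags', 'tcp.flags.<name>' (presence) and
    'tcp.flags.<name>==0|1' terms joined by '&&' against one TCP header."""
    flags = parse_tcp_flags(header)
    for term in (t.strip() for t in expr.split("&&")):
        if "==" in term:
            field, value = (s.strip() for s in term.split("==", 1))
            name = field[len("tcp.flags."):]
            if bool(flags & TCP_FLAG_BITS[name]) != (value == "1"):
                return False
        elif term == "tcp.flags" or term[len("tcp.flags."):] in TCP_FLAG_BITS:
            continue  # the field exists in every TCP segment, so presence is always true
        else:
            raise ValueError("unsupported term: " + term)
    return True

def matching_packets(expr, packets):
    """Names of the sample packets (dict name -> header bytes) that match expr."""
    return [name for name, hdr in packets.items() if evaluate_filter(expr, hdr)]

# Constructed sample capture: three normal segments plus one anomalous SYN+FIN segment,
# which no well-formed TCP stack emits and which is worth flagging in a capture.
SAMPLE_PACKETS = {
    "syn": build_tcp_header(40000, 80, TCP_FLAG_BITS["syn"]),
    "push-ack": build_tcp_header(40000, 80, TCP_FLAG_BITS["push"] | TCP_FLAG_BITS["ack"]),
    "fin-ack": build_tcp_header(40000, 80, TCP_FLAG_BITS["fin"] | TCP_FLAG_BITS["ack"]),
    "syn-fin": build_tcp_header(40001, 80, TCP_FLAG_BITS["syn"] | TCP_FLAG_BITS["fin"]),
}

if __name__ == "__main__":
    for f in ("tcp.flags.push", "tcp.flags.push==1"):
        print(f, "->", matching_packets(f, SAMPLE_PACKETS))
```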
