Hello, I'm learning how to use Wireshark and I need some help with my homework. I have to run wireshark on a file and filter on tcp traffic with both the S and F flags set (as well as any others). I'm using the filter: tcp.flags but I'm not sure if this is correct. Help please.
asked 01 May '16, 01:16
Well, it's partially correct. Filtering on TCP flags tells Wireshark to show all packets that have a TCP flag field - which any TCP packet will, so you'll see them all.
What you need to filter for is specific flags, in your case SYN and FIN. To not give it all away just like that, here's an example how you'd filter on a PSH flag:
Which means "check if the Push flag is set". Filtering for just "tcp.flags.push" would again mean "check if there's a push flag field" (which there is, always). So you need to adapt the push filter for your SYN and FIN flag problem - good luck :-)
answered 01 May '16, 04:15