This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

about filter

0

Hi, if I use this filter: tcp.flags.syn == 1 and tcp.flags.ack == 0, does it search for those 2 conditions being true on 1 segment? Or does it search over a TCP call (which can be a few segments) for those 2 conditions being true?

For example:

If I get 2 segments from one IP, on the first segment the SYN flag=1, ACK flag=0; on the second segment SYN flag=0, ACK flag=1.

If I use this filter, will I see those 2 segments, or nothing? Thanks.

asked 01 Jun '16, 20:56

dvir1999

edited 01 Jun '16, 21:58

sindy


One Answer:

0

I may have got your question wrong, but:

the display filter is evaluated for each packet (frame) separately, not for a set of packets related together (such as a UDP stream or a TCP session).

So in your example, you'd see the first "segment" (which matches your filter example), but not the second one.

answered 01 Jun '16, 21:57

sindy

edited 01 Jun '16, 22:05
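
The per-packet evaluation described in the answer, as an added example that is not part of the original thread: the filter from the question is applied to each constructed TCP header on its own, and a per-conversation grouping is shown beside it for contrast. The addresses, ports and helper names are assumptions made for the illustration.

```python
import struct

SYN, ACK = 0x02, 0x10  # flag bits in byte 13 of the TCP header

def tcp_header(sport, dport, seq, ack, flags):
    """Build a minimal 20-byte TCP header (constructed sample data)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       5 << 4, flags, 8192, 0, 0)

# Constructed capture: (frame number, source IP, destination IP, TCP header)
CAPTURE = [
    (1, "10.0.0.5", "10.0.0.9", tcp_header(40000, 80, 100, 0, SYN)),
    (2, "10.0.0.9", "10.0.0.5", tcp_header(80, 40000, 500, 101, SYN | ACK)),
    (3, "10.0.0.5", "10.0.0.9", tcp_header(40000, 80, 101, 501, ACK)),
    # A second conversation captured mid-stream: no SYN was seen at all.
    (4, "10.0.0.7", "10.0.0.9", tcp_header(40001, 80, 900, 700, ACK)),
]

def matches(hdr):
    """tcp.flags.syn == 1 and tcp.flags.ack == 0, tested on ONE segment."""
    flags = hdr[13]
    syn = 1 if flags & SYN else 0
    ack = 1 if flags & ACK else 0
    return syn == 1 and ack == 0

def per_packet(capture):
    """What the display filter does: each frame is judged by itself."""
    return [n for n, _, _, hdr in capture if matches(hdr)]

def conversation_key(src, dst, hdr):
    """Direction-independent key for a TCP conversation."""
    sport, dport = struct.unpack("!HH", hdr[:4])
    return frozenset([(src, sport), (dst, dport)])

def per_conversation(capture):
    """What the filter does NOT do: return every frame of any
    conversation that contains at least one matching frame."""
    hits = {conversation_key(s, d, h) for _, s, d, h in capture if matches(h)}
    return [n for n, s, d, h in capture if conversation_key(s, d, h) in hits]

if __name__ == "__main__":
    print("per packet:      ", per_packet(CAPTURE))
    print("per conversation:", per_conversation(CAPTURE))
```

In Wireshark itself, the conversation view is obtained by taking the tcp.stream value of a matching frame and filtering on that index.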