Of the billion and a half display filters, here are a few useful ones for analyzing TCP packets. However, I won’t be updating it regularly, so check out Wireshark’s Documents to get the latest status of the display filters. On a side note, take a look at their complete display filters here.
Nevertheless, here are some that I will update based on how frequently I use them:
To display TCP packets that contain PUSH(PSH) flag:
tcp.analysis.push_bytes_sent
While this displays the packets that contain some form of data exchange between client and server, it wouldn’t remove the PSH packets that were retransmitted 😉
So, to clean the retransmitted packets off the capture, I’d use:
!tcp.analysis.retransmission
Take note of the exclamation mark (logical NOT) at the beginning.
Sometimes there are also ACKs for segments the capture never saw (more on that in another post coming up in a few light-years); those can be filtered out using:
!tcp.analysis.ack_lost_segment
Then sort by Source IP, select the client’s packets and export the specified packets as client_to_server. Do not forget to select “Selected Packets”. Repeat the same for server_to_client.
Of course, when a client_to_server or server_to_client capture is opened, Wireshark does flag missing segments (e.g. TCP Previous segment not captured), since the filtered-out packets leave gaps in the sequence numbers, but that’s naturally not crucial if the analysis is just for reading the data off the session(s).
The quickest way to read the packets off a transmission is to simply follow the TCP stream and copy the data with formatting to help differentiate client & server packets.
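The same procedure (apply the filters, split by direction, follow the stream) can be scripted with tshark instead of clicking through the Wireshark GUI. This is an added example, not code from the original post; it assumes tshark is on PATH, and the IP addresses and file names it uses are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): automate the filtering and
# per-direction export described above with tshark. Assumes tshark is
# installed; CLIENT_IP / SERVER_IP and the output file names are placeholders.
set -eu

# Compose the display filter used in the post: PSH segments, minus
# retransmissions, minus ACKs for segments the capture never saw, restricted
# to one direction ($1 = source IP, $2 = destination IP).
build_filter() {
    printf '%s' "tcp.analysis.push_bytes_sent && !tcp.analysis.retransmission && !tcp.analysis.ack_lost_segment && ip.src == $1 && ip.dst == $2"
}

# Write the packets matching one direction to a new pcap, the CLI equivalent
# of "Export Specified Packets" with only the selected packets
# ($1 = input capture, $2 = source IP, $3 = destination IP, $4 = output file).
export_direction() {
    tshark -r "$1" -Y "$(build_filter "$2" "$3")" -w "$4"
}

# Dump one TCP stream's payload as ASCII, the CLI equivalent of
# "Follow TCP Stream" ($1 = capture, $2 = tcp.stream index, default 0).
follow_stream() {
    tshark -r "$1" -q -z "follow,tcp,ascii,${2:-0}"
}

# Usage: ./split_capture.sh capture.pcap CLIENT_IP SERVER_IP
if [ "$#" -eq 3 ]; then
    export_direction "$1" "$2" "$3" client_to_server.pcap
    export_direction "$1" "$3" "$2" server_to_client.pcap
    follow_stream "$1" 0
fi
```

Restricting each export with ip.src/ip.dst replaces the manual "sort by Source IP and select" step; the tcp.analysis flags are only populated when TCP sequence analysis is enabled, which is the default.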