On Feb 17, 2009, at 9:35 AM, Bland Chuck-CNGR85 wrote:
> WS Version 1.0.5 (SVN Rev 26954)
> Capture Filter: "tcp[13] & 0x02 = 2" (no quotes)
If I run your capture through
tcpdump -r /tmp/SYN\ Filter\ Test.pcap -w /tmp/foo.pcap 'tcp[13] & 0x02 = 2'
on my machine (Mac OS X 10.5.5), the resulting foo.pcap file is
shorter and contains only SYN segments.
On what version of what OS are you running Wireshark?
What version of libpcap/WinPcap does the About box (Help -> About
Wireshark) say Wireshark is using? (Both "compiled with" and "running
with".)