"Wireshark capture filters are written in libpcap filter language."
"The following TCP flags field values are available: tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg, tcp-ece, tcp-cwr."
To select the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host.
tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet
Is there a way to capture *only* TCP 3-way handshakes and nothing else? I've looked online and have not found anything. If that's not possible, then even capturing the initial SYN and the responding SYN/ACK would be enough for our purposes. We want to let WireShark run for several consecutive days and log all the TCP connections.
-Eric
Disclaimer : This email and any files transmitted with it are confidential and intended solely for intended recipients. If you are not the named addressee you should not disseminate, distribute, copy or alter this email. Any views or opinions presented in this email are solely those of the author and might not represent those of Physician Select Management. Warning: Although Physician Select Management has taken reasonable precautions to ensure no viruses are present in this email, the company cannot accept responsibility for any loss or damage arising from the use of this email or attachments.
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives: https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe