Wireshark-users: [Wireshark-users] Display filter for TCP reserved field
From: Marco Simone Zuppone <msz@xxxxxx>
Date: Wed, 29 Sep 2010 17:17:50 +0100
Hello,
 
I was wondering how is the best way (if any) to create a filter about the reserved ( 4 bits between bit 100 and 104 ) field of the TCP packet.
The _expression_ as tcp[n:y] ==   are interesting but n and y are expressed in byte and not in bit.
My idea was to create a filter to spot strange packet: thil 4 bit filed should be 0000 but I was wandering if some strange application is filling it with data...
Do you know some ways ??
 Thanks in advance.
 Marco S. Zuppone