Wireshark · Wireshark-users: Re: [Wireshark-users] Finding the SYN packets with the HTTP(S) requests.

["Nejedlo, Mark" <Mark.Nejedlo@xxxxxxxxxxxxxx>]

You probably want tcp.flags.syn == 1.  Using tcp.flags the way you are requires that ALL flags match the bitmask exactly, while tcp.flags.syn ignores all flags but syn.

 

Mark

 

From: Wireshark-users [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Hugo van der Kooij via Wireshark-users
Sent: Wednesday, September 25, 2019 7:04 AM
To: Community support list for Wireshark
Cc: Hugo van der Kooij
Subject: [Wireshark-users] Finding the SYN packets with the HTTP(S) requests.

 

Hi,

 

I am trying to figure out a way to see the SYN packets that belong to the HTTP and HTTPS request I am looking into.

 

If I filter with “http.request || ssl.handshake.type == 1” I get a good view of the various webpages that are requested. But I see the TCP stream numbers are not in the expected order:

 

So I would like to see the SYN packets for each of these as well as they might explain my view.

 

It works for some of the connections with:

tcp.flags == 0x0002 || http.request || ssl.handshake.type == 1

 

But the examples above it failed to find the SYN packets.

 

I had to use:

tcp.flags == 0x0002 || tcp.flags == 0x00c2 || http.request || ssl.handshake.type == 1

 

To catch them all.

 

 

 ​

Hugo

van der Kooij

network engineer

+31 15 888 0 345

hugo.van.der.kooij@xxxxxxxxx

Delft | Delftechpark 35‑37

 

 

 The information transmitted is intended only for use by the addressee and may contain confidential and/or privileged
​ material. ​Any review, re‑transmission, dissemination or other use of it, or the taking of any action in reliance upon this
​ information ​by persons and/or entities ​other than the intended recipient is prohibited. If you received this in error,
​ please inform the sender and/or addressee immediately and delete the material. Thank you.