Wireshark mailing list archives

Re: Finding the SYN packets with the HTTP(S) requests.

From: "Nejedlo, Mark" <Mark.Nejedlo () tdstelecom com>
Date: Wed, 25 Sep 2019 14:23:07 +0000

You probably want tcp.flags.syn == 1.  Using tcp.flags the way you are requires that ALL flags match the bitmask 
exactly, while tcp.flags.syn ignores all flags but syn.

Mark

From: Wireshark-users [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Hugo van der Kooij via 
Wireshark-users
Sent: Wednesday, September 25, 2019 7:04 AM
To: Community support list for Wireshark
Cc: Hugo van der Kooij
Subject: [Wireshark-users] Finding the SYN packets with the HTTP(S) requests.

Hi,

I am trying to figure out a way to see the SYN packets that belong to the HTTP and HTTPS request I am looking into.

If I filter with “http.request || ssl.handshake.type == 1” I get a good view of the various webpages that are 
requested. But I see the TCP stream numbers are not in the expected order:
[cid:image001.png@01D57382.D49ADFC0]

So I would like to see the SYN packets for each of these as well as they might explain my view.

It works for some of the connections with:
tcp.flags == 0x0002 || http.request || ssl.handshake.type == 1

But the examples above it failed to find the SYN packets.

I had to use:
tcp.flags == 0x0002 || tcp.flags == 0x00c2 || http.request || ssl.handshake.type == 1

To catch them all.

[cid:image003.jpg@01D57382.D49ADFC0]<https://kpn.com/>
Hugo

van der Kooij
network engineer
+31 15 888 0 345
hugo.van.der.kooij () qsight nl
Delft | Delftechpark 35‑37

[cid:image005.png@01D57382.D49ADFC0]

[cid:image007.jpg@01D57382.D49ADFC0]<https://twitter.com/kpnsecurity>

[cid:image009.jpg@01D57382.D49ADFC0]<https://www.facebook.com/kpn>

[cid:image011.jpg@01D57382.D49ADFC0]<https://www.linkedin.com/showcase/1429>

[cid:image013.jpg@01D57382.D49ADFC0]<https://www.youtube.com/user/KPN>
 The information transmitted is intended only for use by the addressee and may contain confidential and/or privileged
 material. Any review, re‑transmission, dissemination or other use of it, or the taking of any action in reliance 
upon this
 information by persons and/or entities other than the intended recipient is prohibited. If you received this in 
error,
 please inform the sender and/or addressee immediately and delete the material. Thank you.

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

Current thread:

Finding the SYN packets with the HTTP(S) requests. Hugo van der Kooij via Wireshark-users (Sep 25)
- Re: Finding the SYN packets with the HTTP(S) requests. Nejedlo, Mark (Sep 25)