 | 1 | initial version |
This display filter will show all the first captured packet per TCP stream: tcp.time_relative == 0
Thus including streams that were already active when the capture started.
For the last packets I don’t know a single display filter option. The most reliable would be the maximum value of tcp.time_relative per stream.
What comes close is filter on FIN or RESET tcp.flags & 5
And for a quick start-to-end impression, add SYN: tcp.flags & 7
But then the last ACK to FIN would be filtered out and of course none of the streams that remained active when the capture ended.
For small captures you can add the column tcp.time_relative and sort on the column tcp.stream.
An alternative would be to use tshark, sort on tcp.stream and frame.number and use some (awk) script to filter out first and last packets per stream.
