I haven't found a good way to do this yet. Is there a way to filter out TCP sessions that have no payload? (Basically, sessions that have the 3-way handshake and then immediately close via FIN or RST that didn't actually transmit any meaningful data).
asked 04 Jan '12, 13:04
You could use tshark to create that filter for you :-)
To find all TCP packets with data, use:
... we're only interested in the IDs of the TCP sessions that contain data:
Then use some shell magic to create a list of all these session IDs:
... and transform it into a display filter:
You can then use that filter in Wireshark. Or you can create a new tracefile with only the sessions containing data in one run with:
Hope this helps!
answered 05 Jan '12, 03:33
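The pipeline sketched in the answer above, written out as an added example (these are not the answer's own commands, which are not reproduced on this page). It assumes a tshark that supports `-Y` for display filters (1.10 or later) and `-w` for writing a capture, and uses the standard `tcp.len` and `tcp.stream` fields; the sample stream IDs are constructed to stand in for tshark's output.

```shell
# Turn a newline-separated list of tcp.stream IDs (one per packet, with
# duplicates, as 'tshark -T fields -e tcp.stream' prints them) into one
# Wireshark display filter: "tcp.stream == A || tcp.stream == B || ...".
build_stream_filter() {
    sort -n | uniq | awk '
        NF { ids[n++] = $1 }
        END {
            for (i = 0; i < n; i++)
                printf "%stcp.stream == %s", (i ? " || " : ""), ids[i]
            if (n) printf "\n"
        }'
}

# Full pipeline: list every TCP stream that carried payload (tcp.len > 0),
# build the filter from those IDs and write only those streams to a new
# capture file. Sessions that only did a handshake and FIN/RST never have
# a segment with tcp.len > 0, so they are dropped.
# (Hypothetical helper; assumes tshark 1.10+ for -Y.)
keep_sessions_with_data() {
    in_file=$1
    out_file=$2
    filter=$(tshark -r "$in_file" -Y 'tcp.len > 0' -T fields -e tcp.stream \
             | build_stream_filter)
    # Edge case: no stream carried data, so there is nothing to keep.
    [ -n "$filter" ] || { echo "no TCP stream carried payload" >&2; return 1; }
    tshark -r "$in_file" -Y "$filter" -w "$out_file"
}

# Constructed sample of tshark's field output: stream 3 and stream 0 each
# had several data packets, stream 12 had one; streams 1, 2, 4.. had none.
SAMPLE_STREAM_IDS='3
0
3
12
0'

# Usage on a real capture: keep_sessions_with_data in.pcapng data-only.pcapng
# Offline demonstration of the filter-building step on the sample above:
printf '%s\n' "$SAMPLE_STREAM_IDS" | build_stream_filter
```

The resulting filter string can be pasted into Wireshark's display filter bar as-is; for captures with thousands of data-carrying streams it gets long, which is why writing a new tracefile in one run is the more practical route.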