
tcp.flags.syn && http will match all TCP packets that are http protocol.
It is looking for the existence of tcp.flags.syn, not what state it is set to.

If you're looking to match SYN packets then the filter will be tcp.flags.syn == 1 && http, but at that early stage in the conversation the protocol is not known so there will be no match on http.

If the http server is listening on the default port 80 then try this filter:

(tcp.flags.syn == 1 && tcp.port == 80)
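
A small model of these filter semantics, as an added example that is not part of the original answer: it dissects constructed TCP segments into a field dictionary and evaluates each filter as a Python predicate. The HTTP detection is a simplification of Wireshark's dissector, and the last filter (adding tcp.flags.ack == 0 to exclude the SYN-ACK) is an added variant, not from the answer.

```python
import struct

SYN, PSH, ACK = 0x02, 0x08, 0x10  # TCP flag bits

def tcp_segment(sport, dport, flags, payload=b""):
    """Build a minimal 20-byte TCP header plus payload (constructed sample data)."""
    offset_flags = (5 << 12) | flags  # data offset of 5 words, no options
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                       offset_flags, 65535, 0, 0) + payload

def dissect(segment):
    """Return field name -> value, loosely like a dissected packet's field tree."""
    sport, dport, _, _, offset_flags = struct.unpack("!HHIIH", segment[:14])
    fields = {"tcp.srcport": sport, "tcp.dstport": dport,
              "tcp.flags.syn": (offset_flags >> 1) & 1,   # present in every TCP packet
              "tcp.flags.ack": (offset_flags >> 4) & 1}
    payload = segment[(offset_flags >> 12) * 4:]
    # Simplification: an "http" field exists only when the payload looks like HTTP.
    if payload.startswith((b"GET ", b"POST ", b"HEAD ", b"HTTP/1.")):
        fields["http"] = True
    return fields

def port_is(f, n):
    """tcp.port matches either the source or the destination port."""
    return n in (f["tcp.srcport"], f["tcp.dstport"])

FILTERS = {
    # A bare field name tests existence, not value.
    "tcp.flags.syn && http": lambda f: "tcp.flags.syn" in f and "http" in f,
    "tcp.flags.syn == 1 && http": lambda f: f["tcp.flags.syn"] == 1 and "http" in f,
    "tcp.flags.syn == 1 && tcp.port == 80":
        lambda f: f["tcp.flags.syn"] == 1 and port_is(f, 80),
    "tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.port == 80":
        lambda f: f["tcp.flags.syn"] == 1 and f["tcp.flags.ack"] == 0 and port_is(f, 80),
}

# Constructed capture: three-way handshake, then one HTTP request and response.
CAPTURE = [
    ("SYN", tcp_segment(50000, 80, SYN)),
    ("SYN-ACK", tcp_segment(80, 50000, SYN | ACK)),
    ("ACK", tcp_segment(50000, 80, ACK)),
    ("GET", tcp_segment(50000, 80, PSH | ACK, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")),
    ("200 OK", tcp_segment(80, 50000, PSH | ACK, b"HTTP/1.1 200 OK\r\n\r\n")),
]

def matches(filter_text):
    """Labels of the constructed packets that the named filter selects."""
    return [label for label, seg in CAPTURE if FILTERS[filter_text](dissect(seg))]

if __name__ == "__main__":
    for text in FILTERS:
        print(f"{text:62} -> {matches(text)}")
```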