Maybe syslog message re-assembly is confusing you. When syslog messages span multiple TCP segments, all the segments will be marked as "TCP segment of a reassembled PDU" and only the last segment of the message will match the filter "syslog". Re-assembly is enabled by default at the TCP layer; you can disable this by unchecking the TCP protocol preference "Allow subdissector to reassemble TCP streams". This might improve your analysis.

If this was not the issue, please follow the suggestions of @grahamb :-)
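As an added illustration (not part of the answer above), the script below builds a small pcap file in which a single syslog-over-TCP message is split across three TCP segments, so the reassembly behaviour described can be reproduced with Wireshark or tshark. Everything in it is constructed for the demo: the MAC/IP addresses, ports, sequence numbers and the RFC 5424 message are assumptions, and the message is sent in RFC 6587 octet-counting framing ("LEN SP MSG") on TCP/514, the port Wireshark dissects as syslog.

```python
"""Build a pcap in which one syslog-over-TCP message spans several TCP
segments.  All values below are constructed demo data (assumptions for
this example), not taken from the original post."""
import struct

SRC_MAC = bytes.fromhex("0242ac110002")   # constructed
DST_MAC = bytes.fromhex("0242ac110003")   # constructed
SRC_IP = bytes([10, 0, 0, 2])             # constructed
DST_IP = bytes([10, 0, 0, 3])             # constructed
SRC_PORT = 40000
DST_PORT = 514          # Wireshark dissects TCP/514 as syslog
SEGMENT_SIZE = 40       # deliberately small so the message is split

# Constructed RFC 5424 message (107 bytes); framed it is 111 bytes.
SYSLOG_MSG = (b"<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - "
              b"'su root' failed for lonvick on /dev/pts/8")


def frame_octet_counting(msg: bytes) -> bytes:
    """RFC 6587 section 3.4.1 framing: decimal length, space, message."""
    return str(len(msg)).encode() + b" " + msg


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum used by IPv4 and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(seq: int, ack: int, payload: bytes, ip_id: int) -> bytes:
    """Ethernet/IPv4/TCP frame carrying `payload` with PSH+ACK set."""
    tcp_len = 20 + len(payload)
    tcp = struct.pack("!HHIIBBHHH", SRC_PORT, DST_PORT, seq, ack,
                      5 << 4, 0x18, 65535, 0, 0)
    pseudo = SRC_IP + DST_IP + struct.pack("!BBH", 0, 6, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]

    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, ip_id, 0x4000,
                     64, 6, 0, SRC_IP, DST_IP)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]

    return DST_MAC + SRC_MAC + b"\x08\x00" + ip + tcp + payload


def split_segments(data: bytes, size: int) -> list:
    """Cut the framed message into the chunks each TCP segment will carry."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def build_pcap(payloads) -> bytes:
    """Classic libpcap file (link type 1, Ethernet): header + one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    seq, ack = 1000, 5000
    for i, payload in enumerate(payloads):
        frame = build_frame(seq, ack, payload, ip_id=0x1000 + i)
        out += struct.pack("<IIII", 1_700_000_000, i * 1000, len(frame), len(frame))
        out += frame
        seq += len(payload)       # next segment continues the stream
    return out


def syslog_pcap(msg: bytes = SYSLOG_MSG, size: int = SEGMENT_SIZE) -> bytes:
    return build_pcap(split_segments(frame_octet_counting(msg), size))


def pcap_records(pcap: bytes) -> list:
    """Split a classic pcap back into its frames (sanity check of the output)."""
    frames, off = [], 24
    while off < len(pcap):
        incl = struct.unpack_from("<I", pcap, off + 8)[0]
        frames.append(pcap[off + 16: off + 16 + incl])
        off += 16 + incl
    return frames


def verify_checksums(frame: bytes) -> bool:
    """Recompute the IPv4 and TCP checksums of a frame produced by build_frame."""
    ip, tcp_and_data = frame[14:34], frame[34:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(tcp_and_data))
    return checksum(ip) == 0 and checksum(pseudo + tcp_and_data) == 0


if __name__ == "__main__":
    with open("syslog_split.pcap", "wb") as f:
        f.write(syslog_pcap())
```

Open the resulting file and compare `tshark -r syslog_split.pcap -Y syslog` with the default reassembly setting against the same command run with `-o tcp.desegment_tcp_streams:FALSE` (the command-line form of the "Allow subdissector to reassemble TCP streams" preference): with reassembly on, the first two segments are shown as "TCP segment of a reassembled PDU" and only the third carries the syslog dissection; with it off, each segment is handed to the syslog dissector on its own.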