compound filter

I need to create a filter to see a particular event that occurs but I am finding it difficult since there are two packets that are always generated...

A frame.len==97 and TLSv1.2 packet is generated twice every second, but it is also generated immediately after a frame.len==118 and TLSv1.2 packet is generated. I am interested in capturing the combination of the frame.len==118 packet and the frame.len==97 packet that immediately follows it, and ignoring the rest of the frame.len==97 packets, whether they fall before the frame.len==118 packet or otherwise.

Whenever a 118 packet is generated, a 97 follows it immediately within 0.02s.

Can anyone help with this particular filter?
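An added example, not part of the original post: a display filter is evaluated one packet at a time, so the "118 followed by 97 within 0.02s" relationship described above is correlated here outside the filter, over exported fields, and turned back into a frame.number filter. It assumes the input is tab-separated tshark field output already restricted to the two lengths; the file name, sample rows and function names are constructed for illustration.

```python
import io
from decimal import Decimal

WINDOW = Decimal("0.02")  # from the question: the 97 follows the 118 within 0.02s

# Constructed sample, in the shape produced by (assumed invocation):
#   tshark -r capture.pcapng -Y "tls && (frame.len==118 || frame.len==97)" \
#          -T fields -e frame.number -e frame.time_epoch -e frame.len
SAMPLE = (
    "10\t100.000000\t97\n"    # periodic 97, ignored
    "11\t100.500000\t97\n"    # periodic 97, ignored
    "14\t100.700000\t118\n"
    "15\t100.712000\t97\n"    # follows 118 within the window -> pair
    "20\t101.000000\t97\n"    # periodic 97, ignored
    "30\t101.900000\t118\n"
    "31\t102.000000\t97\n"    # 0.1s after the 118: too late, not a pair
    "40\t102.300000\t118\n"
    "41\t102.305000\t118\n"   # a second 118 replaces the pending one
    "42\t102.310000\t97\n"    # pairs with frame 41
)

def parse(lines):
    """Yield (frame_number, epoch_time, frame_len) from tab-separated rows."""
    for line in lines:
        line = line.strip()
        if line:
            num, ts, length = line.split("\t")
            yield int(num), Decimal(ts), int(length)

def find_pairs(records, window=WINDOW):
    """Return (n118, n97) where the 97 is the next record after the 118."""
    pairs, pending = [], None
    for num, ts, length in records:
        if length == 118:
            pending = (num, ts)
        elif length == 97 and pending is not None:
            if ts - pending[1] <= window:
                pairs.append((pending[0], num))
            pending = None  # only the record right after a 118 can pair
    return pairs

def display_filter(pairs):
    """Build a Wireshark display filter selecting only the paired frames."""
    nums = sorted(n for pair in pairs for n in pair)
    return " || ".join(f"frame.number=={n}" for n in nums)

if __name__ == "__main__":
    print(display_filter(find_pairs(parse(io.StringIO(SAMPLE)))))
```

The printed expression can be pasted into the display filter bar of the same capture file.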