I discovered that some TCP sessions do not stop after [FIN ACK]. To calculate the real throughput, I have to exclude the packets being sent after [FIN ACK]. I am trying to design a filter to filter out packets after a certain time (or packet number) and before a certain time (or packet number). What should be the syntax of the filter? asked 31 Jul '13, 22:51  3mgold |
One Answer:
If you are using tshark use the below filter tshark -r trace.pcap -R "frame.number>500" frame.number > 500 will only show you packets after frame number 500 that is first 499 packets will not be shown to you else in wireshark you can put the above filter in filter window and apply answered 03 Aug '13, 10:27  RAVI_TANDON |
