Which filter should i apply to see 'test connection to port 5554 with 1 byte data' ? I have applied filter tcp.dstport==5554 && tcp.flags.push==1 && tcp.len == 1OR tcp.dstport==5554 && tcp.analysis.push_bytes_sent && tcp.len == 1 . Which filter is right ? Any more suggestions ? asked 20 Dec '16, 08:53  hacksorpratik |
One Answer:
If you know the data packet will be sent to port 5554 and you know it will have exactly one byte in the TCP data segment and you know the push bit will be set, then "tcp.dstport==5554 && tcp.flags.push==1 && tcp.len==1" should work. But before sending the data byte, the connection will need to be established, so why not start by just filtering on "tcp.port==5554" so you can see all the packets on the test connection? You can then add to your filter to narrow it down from there. If the testing system simply makes a connection, sends one data byte, and terminates the connection, then there won't be many packets and it will be easy to pick out the one-byte data packet. answered 20 Dec '16, 16:38  Jim Aragon |
