You probably want tcp.flags.syn == 1. Using tcp.flags the way you are requires that ALL flags match the bitmask exactly, while tcp.flags.syn ignores all flags but syn.
Mark From: Wireshark-users [mailto:wireshark-users-boun...@wireshark.org] On Behalf Of Hugo van der Kooij via Wireshark-users Sent: Wednesday, September 25, 2019 7:04 AM To: Community support list for Wireshark Cc: Hugo van der Kooij Subject: [Wireshark-users] Finding the SYN packets with the HTTP(S) requests. Hi, I am trying to figure out a way to see the SYN packets that belong to the HTTP and HTTPS request I am looking into. If I filter with “http.request || ssl.handshake.type == 1” I get a good view of the various webpages that are requested. But I see the TCP stream numbers are not in the expected order: [cid:image001.png@01D57382.D49ADFC0] So I would like to see the SYN packets for each of these as well as they might explain my view. It works for some of the connections with: tcp.flags == 0x0002 || http.request || ssl.handshake.type == 1 But the examples above it failed to find the SYN packets. I had to use: tcp.flags == 0x0002 || tcp.flags == 0x00c2 || http.request || ssl.handshake.type == 1 To catch them all. [cid:image003.jpg@01D57382.D49ADFC0]<https://kpn.com/> Hugo van der Kooij network engineer +31 15 888 0 345 hugo.van.der.ko...@qsight.nl Delft | Delftechpark 35‑37 [cid:image005.png@01D57382.D49ADFC0] [cid:image007.jpg@01D57382.D49ADFC0]<https://twitter.com/kpnsecurity> [cid:image009.jpg@01D57382.D49ADFC0]<https://www.facebook.com/kpn> [cid:image011.jpg@01D57382.D49ADFC0]<https://www.linkedin.com/showcase/1429> [cid:image013.jpg@01D57382.D49ADFC0]<https://www.youtube.com/user/KPN> The information transmitted is intended only for use by the addressee and may contain confidential and/or privileged material. Any review, re‑transmission, dissemination or other use of it, or the taking of any action in reliance upon this information by persons and/or entities other than the intended recipient is prohibited. If you received this in error, please inform the sender and/or addressee immediately and delete the material. Thank you.
___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users@wireshark.org> Archives: https://www.wireshark.org/lists/wireshark-users Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-requ...@wireshark.org?subject=unsubscribe