Wireshark

**Date** **Thread**

james hanley wrote:

-------------------
The Ethereal project is being continued at a new site.  Please go to
http://www.wireshark.org and subscribe to wireshark-users@xxxxxxxxxxxxxx
Don't forget to unsubscribe from this list at
http://www.ethereal.com/mailman/listinfo/ethereal-users
-------------------

------------------------------------------------------------------------

1)
how do I say OR ?
AND is &&

for example, I want to say

tcp.dstport != 3389 "OR" tcp.srcport != 3389

The same way you do in Wireshark, as per the above, so I'm redirecting

this to the wireshark-users list.

In Wireshark, just as AND is &&, OR is...

...||.

2)

how do I see only the initial connections? and just incoming or just

outgoing?

is there an easier way than this? (i'm not even sure if this is right)

my ip is 192.168.0.2

for incoming-

tcp.flags.syn == 1 && tcp.flags.ack==0 && ip.src != 192.168.0.2

That's the correct filter to see attempts by other machines to connect

to your machine - it matches packets that have SYN set and ACK not set

(so it's the initial SYN) that are not coming from your machine.

for outgoing-
tcp.flags.syn == 1 && tcp.flags.ack==0 && ip.src == 192.168.0.2

Ditto.

No, there's no simpler expression (unless somebody's added a new field

to the TCP dissector while I wasn't watching).

Wireshark

Wireshark-users: Re: [Wireshark-users] [Ethereal-users] display filters, how do I say OR? and how do I see only the initial connections?