
Wireshark-users: Re: [Wireshark-users] SYN Capture Filter issue

From: "Bland Chuck-CNGR85" <Chuck.Bland@xxxxxxxxxxxx>
Date: Tue, 17 Feb 2009 14:06:54 -0500
That is VERY INTERESTING.

Yes, it does work correctly.

The documentation says the default slice size is one, so technically I
should not have to spec it. That's why I didn't try it before you
mentioned it.

Thanks for the "nudge".

Chuck 

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of
j.snelders@xxxxxxxxxx
Sent: Tuesday, February 17, 2009 10:52 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] SYN Capture Filter issue

Hi Chuck Bland,

Does this capture filter do the job?
tcp[13:1]==2

Regards
Joan

On Tue, 17 Feb 2009 12:35:00 -0500 Bland Chuck-CNGR85 wrote:
>WS Version 1.0.5 (SVN Rev 26954)
>
>Capture Filter: "tcp[13] & 0x02 = 2" (no quotes)
>
>Attached: small capture file
> <<SYN Filter Test.pcap>>
>I get mostly SYN packets, but I also get more than a few DCERPC and 
>TELNET packets that do not have the SYN flag set.
>
>When I examine each datagram, the TCP Flag field is always in the same 
>place. In the case of the DCERPC and TELNET packets, the flag value is 
>0x18, so it should fail the filter test.
>
>Is there an explanation or is this a bug in the filter?
>
>Chuck Bland
>
>
>
>Attachment: SYN Filter Test.pcap


       


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
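
Added example, not part of the original thread: a Python model of what the two capture filters are documented to test, run against constructed frames (helper names, addresses and ports are made up for illustration). It shows that `tcp[13]` is counted from the start of the TCP header, that flags 0x18 fail both tests, and that the mask form also accepts SYN+ACK while the equality form accepts only a bare SYN. It does not reproduce the behaviour reported for version 1.0.5.

```python
import struct

def build_frame(flags, ip_options=b""):
    """Constructed Ethernet/IPv4/TCP frame carrying the given TCP flags byte."""
    ihl_words = 5 + len(ip_options) // 4       # options: multiple of 4 bytes
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, ihl_words * 4 + 20,
                     0, 0, 64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 23, 1, 0, 0x50, flags, 8192, 0, 0)
    return eth + ip + ip_options + tcp

def tcp_byte(frame, index):
    """Model of tcp[index]: one byte, counted from the start of the TCP header."""
    if frame[12:14] != b"\x08\x00":
        return None                            # not IPv4
    ip = frame[14:]
    if ip[9] != 6 or struct.unpack("!H", ip[6:8])[0] & 0x1FFF:
        return None                            # not TCP, or a later fragment
    return ip[(ip[0] & 0x0F) * 4 + index]      # skip the variable-length IP header

def mask_filter(frame):
    """tcp[13] & 0x02 = 2 : SYN bit set, other flag bits ignored."""
    b = tcp_byte(frame, 13)
    return b is not None and (b & 0x02) == 2

def exact_filter(frame):
    """tcp[13:1] == 2 : flags byte is exactly SYN."""
    b = tcp_byte(frame, 13)
    return b is not None and b == 2

# Constructed samples; 0x18 is the flag value quoted in the thread.
SAMPLES = {
    "SYN": build_frame(0x02),
    "SYN+ACK": build_frame(0x12),
    "PSH+ACK": build_frame(0x18),
    "SYN with IP options": build_frame(0x02, b"\x01" * 4),
}

def evaluate():
    """Return {sample name: (mask form matches, equality form matches)}."""
    return {n: (mask_filter(f), exact_filter(f)) for n, f in SAMPLES.items()}

if __name__ == "__main__":
    for name, (mask, exact) in evaluate().items():
        print(f"{name:20} mask={mask!s:5} exact={exact}")
```
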