Overview:

Author: Diyaa
Published date: August 6th, 2024
Last updated: August 6th, 2024

This document explains how to filter only the TCP handshake packets of every TCP stream in a PCAP file with Wireshark.

I used the answer in the Wireshark forums link referenced here [1] under References.

Filters:

IPv4 filter:

 ip && ((tcp[13]==02) ||  (tcp[13]==12) || (tcp.seq==1 && tcp.ack==1 && tcp.len==0 && tcp.window_size_scalefactor ge 0))

IPv6 filter:

 ipv6 && ((tcp[13]==02) ||  (tcp[13]==12) || (tcp.seq==1 && tcp.ack==1 && tcp.len==0 && tcp.window_size_scalefactor ge 0))

Demonstration In Wireshark:

Note

I added a column to show the TCP stream index. This is not the default view in Wireshark.

I can only see the first 3 packets in each TCP stream. This can be useful when trying to troubleshoot TCP problems with Wireshark.
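The logic behind the filter's first three clauses, as an added Python example (not from the original note or the referenced forum answer): tcp[13] is the TCP flags byte, 02 is SYN, 12 is SYN+ACK, and the relative seq/ack test picks the final ACK. The packets, addresses and helper names are constructed for illustration, and the tcp.window_size_scalefactor clause is left out.

```python
import struct

SYN, SYN_ACK = 0x02, 0x12  # the values the filter compares tcp[13] against

def tcp_segment(sport, dport, seq, ack, flags, payload=b""):
    """Build a constructed 20-byte TCP header (no options) plus payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       5 << 4, flags, 65535, 0, 0) + payload

def handshake_indexes(packets):
    """packets: list of (src_ip, dst_ip, tcp_bytes). Return the indexes kept."""
    isn = {}   # (src, sport, dst, dport) -> initial sequence number of that direction
    keep = []
    for i, (src, dst, tcp) in enumerate(packets):
        # Byte 12 is the data offset, byte 13 is the flags byte (tcp[13]).
        sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", tcp[:14])
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        payload_len = len(tcp) - (off >> 4) * 4          # tcp.len
        if flags in (SYN, SYN_ACK):                      # tcp[13]==02 || tcp[13]==12
            isn[fwd] = seq
            keep.append(i)
        elif fwd in isn and rev in isn:
            # Relative numbers, as Wireshark shows them by default.
            rel_seq = (seq - isn[fwd]) & 0xFFFFFFFF
            rel_ack = (ack - isn[rev]) & 0xFFFFFFFF
            if rel_seq == 1 and rel_ack == 1 and payload_len == 0:
                keep.append(i)                           # final ACK of the handshake
    return keep

# Constructed sample: one complete stream, then a second stream with an unanswered SYN.
C, S = "192.0.2.10", "198.51.100.5"
SAMPLE = [
    (C, S, tcp_segment(50000, 443, 1000, 0, 0x02)),               # 0 SYN
    (S, C, tcp_segment(443, 50000, 9000, 1001, 0x12)),            # 1 SYN+ACK
    (C, S, tcp_segment(50000, 443, 1001, 9001, 0x10)),            # 2 ACK
    (C, S, tcp_segment(50000, 443, 1001, 9001, 0x18, b"hello")),  # 3 data
    (S, C, tcp_segment(443, 50000, 9001, 1006, 0x10)),            # 4 ACK of data
    (C, S, tcp_segment(50000, 443, 1006, 9001, 0x11)),            # 5 FIN+ACK
    (C, S, tcp_segment(50001, 443, 7000, 0, 0x02)),               # 6 SYN, no reply
]

if __name__ == "__main__":
    print(handshake_indexes(SAMPLE))
```

The third clause does not test the flags byte, so any zero-length segment still at relative seq 1 and ack 1 (for example a FIN sent right after the handshake) is kept as well. A stream that shows fewer than three packets under the filter, like the second one in the sample, is one whose handshake did not complete in the capture.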

References:
