Once the three-way handshake is complete, data is carried in TCP segments. A segment that carries application data is normally sent with the PSH flag set, which asks the receiving TCP to hand the buffered octets to the application straight away instead of waiting for more. The connection still delivers the data as a stream of octets, so one PSH segment does not necessarily hold a complete application message, as shown in the following figure:
Select packet #4 from the normal-connection.pcap file, as shown in the following screenshot, and expand the TCP section in the Packet Details pane:
As you can see in the preceding screenshot, the segment has both of these flag bits set:

tcp.flags.push == 1
tcp.flags.ack == 1

and its Data section begins with the bytes 414e495348204e415448204e4f524d414c20434f4e4e4543... (the ASCII text ANISH NATH NORMAL CONNEC...). The display filter that isolates such segments is (tcp.flags.ack == 1) && (tcp.flags.push == 1); that is, the [PSH, ACK] flag combination indicates that the host is acknowledging receipt of some previous data and, in the same segment, transmitting more data of its own. The useful Wireshark display filters here are:
data: Displays the packets that have a Data section (payload Wireshark did not hand to a higher-layer dissector), for all IPs
data && ip.addr==10.0.0.221: Displays the packets that carry data and are exchanged with the given IP address
tcp.flags.push == 1: Displays all PUSH packets
tcp.flags.push == 1 && ip.addr==10.0.0.221: Displays the PUSH packets exchanged with the given host
tcp.flags == 0x0018: Displays all PSH, ACK packets
tcp.flags == 0x0011: Displays all FIN, ACK packets
tcp.flags == 0x0010: Displays all ACK packets

Note that tcp.flags == 0x0018 is an exact match on the whole flags field, so a PSH, ACK segment that also has ECE or CWR set (common on ECN-enabled hosts) will not match it; the per-bit form, (tcp.flags.push == 1) && (tcp.flags.ack == 1), matches regardless of the other bits.
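To make the flag values in the filters above concrete, here is an added example (not code from the book or from Wireshark) that parses a raw TCP header, extracts the 12-bit flags field Wireshark displays as tcp.flags, and evaluates the two filter shapes used in the text (exact match on tcp.flags and a single-bit tcp.flags.<field> test) against a small constructed capture. The segments are built inline with no IP header and a zero checksum; the only real-world bytes are the payload hex shown for packet #4, kept truncated as on the page. The Wireshark field names (tcp.flags.push, tcp.flags.ack, tcp.flags.reset, tcp.flags.ecn, ...) are as documented for the TCP dissector.

```python
import re
import struct

# TCP flag bits, low byte of the 16-bit data-offset/reserved/flags word (RFC 793, RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH",
              ACK: "ACK", URG: "URG", ECE: "ECE", CWR: "CWR"}
# Wireshark's per-bit field names, used as tcp.flags.<name>.
FLAG_BY_FIELD = {"fin": FIN, "syn": SYN, "reset": RST, "push": PSH,
                 "ack": ACK, "urg": URG, "ecn": ECE, "cwr": CWR}


def parse_tcp(segment: bytes) -> dict:
    """Parse a raw TCP segment (header + payload, no IP header) into its fields."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    sport, dport, seq, ack, off_flags, win, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4      # header length in bytes, options included
    flags = off_flags & 0x0FFF               # 12 low bits: the value Wireshark shows as tcp.flags
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("data offset out of range")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "window": win, "flags": flags, "payload": segment[data_offset:]}


def flag_string(flags: int) -> str:
    """Render the set flags the way Wireshark's Info column does, e.g. '[PSH, ACK]'."""
    return "[" + ", ".join(n for bit, n in FLAG_NAMES.items() if flags & bit) + "]"


def compile_filter(expr: str):
    """Compile the filter shapes used in the text into a predicate on a parsed segment.

    data                      true when the segment carries a payload
    tcp.flags == 0xNNNN       exact match on the whole flags field
    tcp.flags.<field> == 0|1  test of one bit (push, ack, fin, reset, ...)
    """
    if expr.strip() == "data":
        return lambda pkt: len(pkt["payload"]) > 0
    m = re.fullmatch(r"\s*tcp\.flags\s*==\s*(0x[0-9a-fA-F]+|\d+)\s*", expr)
    if m:
        lit = m.group(1)
        want = int(lit, 16) if lit.lower().startswith("0x") else int(lit, 10)
        return lambda pkt: pkt["flags"] == want
    m = re.fullmatch(r"\s*tcp\.flags\.(\w+)\s*==\s*([01])\s*", expr)
    if m and m.group(1) in FLAG_BY_FIELD:
        bit, want = FLAG_BY_FIELD[m.group(1)], m.group(2) == "1"
        return lambda pkt: bool(pkt["flags"] & bit) == want
    raise ValueError(f"unsupported display filter: {expr}")


def build_segment(flags: int, payload: bytes = b"", sport: int = 50000, dport: int = 8080) -> bytes:
    """Constructed test segment: 20-byte header, no options, checksum left at zero."""
    off_flags = (5 << 12) | flags
    header = struct.pack("!HHIIHHHH", sport, dport, 1000, 2000, off_flags, 65535, 0, 0)
    return header + payload


# The Data bytes the text shows for packet #4 (truncated on the page with "...").
PACKET4_PAYLOAD_HEX = "414e495348204e415448204e4f524d414c20434f4e4e4543"

# Constructed mini-capture: packet #4 as in the text, a bare ACK, a FIN,ACK, and a
# PSH,ACK that also carries ECE (the case the exact-match filter 0x0018 misses).
CAPTURE = [
    build_segment(PSH | ACK, bytes.fromhex(PACKET4_PAYLOAD_HEX)),
    build_segment(ACK),
    build_segment(FIN | ACK),
    build_segment(PSH | ACK | ECE, b"echo"),
]


def apply_filter(expr: str, segments=CAPTURE) -> list:
    """Return the 1-based indices of the segments that match a display filter."""
    pred = compile_filter(expr)
    return [i for i, seg in enumerate(segments, 1) if pred(parse_tcp(seg))]


if __name__ == "__main__":
    pkt = parse_tcp(CAPTURE[0])
    print(f"flags 0x{pkt['flags']:03x} {flag_string(pkt['flags'])}, "
          f"payload {pkt['payload'].decode('ascii')!r}...")
    for f in ("data", "tcp.flags.push == 1", "tcp.flags == 0x0018",
              "tcp.flags == 0x0011", "tcp.flags == 0x0010"):
        print(f"{f:22} -> matches segments {apply_filter(f)}")
```

Running it shows segment 4 matching tcp.flags.push == 1 but not tcp.flags == 0x0018, which is the difference between the bitwise and exact-match forms of the filters listed above.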