Marking the TCP handshake

One of the ways you can isolate a series of packets within Wireshark is by marking them. When we mark packets, Wireshark displays them with a black background and white text (the capture file itself is not altered). Once we have marked them, we'll filter on the marked packets to focus in on the handshake.

In the file, we'll identify the handshake by marking the packets. We know that to begin a session, TCP starts with a handshake that uses three packets as follows:

  • The client sends a SYN packet to the server.
  • The server responds by sending a SYN ACK packet.
  • The client sends a final ACK packet.

Once the handshake is complete, the data flow begins.

Wireshark will identify the three-way handshake and the exchange of packets by showing the transaction details in the Info column (if you have this column header active). In the capture Flow312.pcapng, packets 1, 2, and 3 represent the handshake.

Once the handshake is identified, we'll mark each of the three packets. To mark a packet, select it, right-click, and choose Mark/Unmark Packet from the context menu, as shown in the graphic:

Mark/Unmark Packet

Once you have marked the packet, the background will turn black and the text will be white, as shown here:

Results of marking a packet

After that, we'll want to view only the marked packets by entering frame.marked==1 in the display filter and pressing Enter. When you are done, clear the marks by going to Edit | Unmark All Displayed so that we can begin to dissect the handshake.

Now that we have singled out the three-way handshake, let's take a look at each of the three packets.
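The following script is an added example, not code from the book or from Wireshark: it walks a small constructed capture, picks out the SYN / SYN-ACK / ACK triple by checking the relative sequence and acknowledgement arithmetic rather than the flags alone, and then "marks" those frames so they can be listed the way frame.marked==1 would. Packet, find_handshakes and marked_frames are hypothetical names, and the endpoints are documentation addresses, not Flow312.pcapng.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    frame: int        # frame number, as in Wireshark's No. column
    src: str          # "ip:port" of the sender
    dst: str          # "ip:port" of the receiver
    flags: frozenset  # TCP flags set, e.g. {"SYN"}, {"SYN", "ACK"}
    seq: int          # relative sequence number
    ack: int          # relative acknowledgement number
    marked: bool = False  # stands in for Wireshark's frame.marked

def find_handshakes(packets):
    """Yield (SYN, SYN/ACK, ACK) triples in a single pass over the capture.
    Each reply must point back at the other side's ISN + 1, so an unanswered
    SYN or a stray ACK never completes a handshake."""
    pending = {}  # (client, server) -> [syn, synack-or-None]
    for p in packets:
        if p.flags == {"SYN"}:
            pending[(p.src, p.dst)] = [p, None]
        elif p.flags == {"SYN", "ACK"}:
            st = pending.get((p.dst, p.src))
            if st and st[1] is None and p.ack == st[0].seq + 1:
                st[1] = p
        elif p.flags == {"ACK"}:
            st = pending.get((p.src, p.dst))
            if st and st[1] and p.seq == st[0].seq + 1 and p.ack == st[1].seq + 1:
                yield (st[0], st[1], p)
                del pending[(p.src, p.dst)]

def marked_frames(packets):
    """Mark every handshake packet, then return the frame numbers that
    frame.marked==1 would show."""
    for triple in find_handshakes(packets):
        for p in triple:
            p.marked = True
    return [p.frame for p in packets if p.marked]

# Constructed capture: frame 1 is an unanswered SYN to another host,
# frames 2-4 are the real handshake, frame 5 is the first data segment.
C, S = "192.0.2.10:40002", "198.51.100.20:80"
CAPTURE = [
    Packet(1, "192.0.2.10:40001", "203.0.113.9:443", frozenset({"SYN"}), 700, 0),
    Packet(2, C, S, frozenset({"SYN"}), 1000, 0),
    Packet(3, S, C, frozenset({"SYN", "ACK"}), 5000, 1001),
    Packet(4, C, S, frozenset({"ACK"}), 1001, 5001),
    Packet(5, C, S, frozenset({"PSH", "ACK"}), 1001, 5001),
]

if __name__ == "__main__":
    print("marked frames:", marked_frames(CAPTURE))  # [2, 3, 4]
```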
