How to do it...

Some examples of TCP/UDP display filters are as follows:

  • All packets to the HTTP server:
    • tcp.dstport == 80
  • All packets from network 10.0.0.0/24 to HTTP server:
    • ip.src==10.0.0.0/24 and tcp.dstport == 80
  • All retransmissions on a specific TCP connection:
    • tcp.stream eq 16 && tcp.analysis.retransmission

To isolate a specific connection, place the mouse on a packet belonging to the connection you want to watch, right-click it, and choose Follow | TCP Stream. A TCP stream is the data transferred between the two ends of the transaction, from connection establishment to tear-down. The string tcp.stream eq <value> will appear in the display filter window; this is the stream you can now work on. In the following example, it came out as stream 6, but it can be any stream number (starting from stream number 1 in the capture file).

Retransmissions are TCP packets that are sent again. This could be due to several reasons, as explained in Chapter 11, Transport Layer Protocol Analysis.

When you monitor phenomena such as retransmissions, duplicate ACKs, and other behaviors that influence performance, it is important to remember that these phenomena refer to specific TCP connections, so combine them with a tcp.stream filter:

  • All window problems on a specific connection:
    • tcp.stream eq 0 && (tcp.analysis.window_full || tcp.analysis.zero_window)
    • tcp.stream eq 0 and (tcp.analysis.window_full or tcp.analysis.zero_window)
  • All packets from 10.0.0.5 to the DNS server:
    • ip.src == 10.0.0.5 && udp.port == 53
  • All TCP packets, or packets of protocols carried over TCP (for example HTTP), that contain the string cacti (case-sensitive):
    • tcp contains "cacti"
  • All packets from 10.0.0.3 that are retransmitted:
    • ip.src == 10.0.0.3 and tcp.analysis.retransmission
  • All packets to any HTTP server:
    • tcp.dstport == 80
  • All connections opened from a specific host (many of these from one host in a short time can be a warning sign of a scan):
    • ip.src==10.0.0.5 && tcp.flags.syn==1 && tcp.flags.ack==0
  • All cookies sent from and to a client:
    • ip.addr==10.0.0.3 && (http.cookie || http.set_cookie)
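As an added example that is not from the book, the "connections opened from a host" and "retransmissions on a stream" filters above turned into detection logic in Python, run over constructed packet fields in the layout that tshark -T fields produces; the field list, the sample rows and the port threshold are assumptions.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample rows shaped like the output of
#   tshark -r capture.pcap -T fields -E separator=, -e ip.src -e ip.dst \
#     -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack -e tcp.stream \
#     -e tcp.analysis.retransmission
# Boolean fields may print as 1/0 or True/False depending on the tshark
# version; tcp.analysis.retransmission is empty unless Wireshark flagged it.
SAMPLE = """\
10.0.0.5,10.0.0.9,80,1,0,0,
10.0.0.9,10.0.0.5,51000,1,1,0,
10.0.0.5,10.0.0.9,80,0,1,0,
10.0.0.5,10.0.0.9,22,1,0,1,
10.0.0.5,10.0.0.9,23,1,0,2,
10.0.0.5,10.0.0.9,443,1,0,3,
10.0.0.3,10.0.0.9,80,1,0,4,
10.0.0.3,10.0.0.9,80,0,1,4,1
10.0.0.3,10.0.0.9,80,0,1,4,1
"""
FIELDS = ["ip.src", "ip.dst", "tcp.dstport", "tcp.flags.syn",
          "tcp.flags.ack", "tcp.stream", "tcp.analysis.retransmission"]

def parse(text):
    """One dict per packet, keyed by the Wireshark field names above."""
    return [dict(zip(FIELDS, row)) for row in csv.reader(io.StringIO(text))]

def truthy(value):
    return value in ("1", "True")

def is_connection_open(pkt):
    # Same condition as the display filter tcp.flags.syn==1 && tcp.flags.ack==0
    return truthy(pkt["tcp.flags.syn"]) and not truthy(pkt["tcp.flags.ack"])

def syn_only_by_source(pkts):
    # How many connections each source opened (the ip.src==X && syn && !ack filter)
    return Counter(p["ip.src"] for p in pkts if is_connection_open(p))

def retransmissions_by_stream(pkts):
    # Same selection as tcp.stream eq N && tcp.analysis.retransmission, for every N
    return Counter(int(p["tcp.stream"]) for p in pkts
                   if p["tcp.analysis.retransmission"])

def distinct_ports_by_source(pkts):
    ports = defaultdict(set)
    for p in pkts:
        if is_connection_open(p):
            ports[p["ip.src"]].add(p["tcp.dstport"])
    return {src: len(ps) for src, ps in ports.items()}

def scan_suspects(pkts, threshold=3):
    # Hosts opening connections to at least `threshold` distinct ports (assumed cutoff)
    return sorted(s for s, n in distinct_ports_by_source(pkts).items() if n >= threshold)
```

On a real capture, export the same seven fields with the tshark command in the comment and pass the file contents to parse().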