Once the three-way connection is established, the data is communicated by exchanging the segments and the PUSH flag is set to indicate that the data flows on a connection as a stream of octets, as shown in the following figure:
Select packet#4 from the normal-connection.pcap file as shown in the following screenshot; expand the TCP section in the Packet Details pane:
As you can see in the preceding screenshot:
- The server is sending data to the client as shown in the packet.
- The server sets
tcp.flags.push = 1. - The server sets
tcp.flags.ack =1. - The server data is (29 bytes) and the data value is:
414e495348204e415448204e4f524d414c20434f4e4e4543.... - The server sets
(tcp.flags.ack == 1) && (tcp.flags.push == 1); that is, the[PSH,ACK]flag indicates that the host is acknowledging receipt of some previous data and also transmitting some more data.
The useful Wireshark display filters are:
data: Displays the packet that contains the data information, for all IPs:
data && ip.addr==10.0.0.221: Displays a list of packets that have data and are exchanged with the given IP addresstcp.flags.push == 1: Displays allPUSHpacketstcp.flags.push == 1 && ip.addr==10.0.0.221: DisplaysPUSHpackets between hoststcp.flags == 0x0018: Display allPSH, ACKpacketstcp.flags == 0x0011: Displays allFIN, ACKpacketstcp.flags == 0x0010: Displays allACKpackets
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.