I needed to write a filter that correctly outputs only TCP packets, the obvious way, and the way written in wireshark is just tcp but when I tried it, it showed me also http, tls (as far as I understood everything that relies on TCP).
So my next try was tcp && !http && !ssl which is working correctly. But for sure can show some other protocols that rely on tcp and not included in my ! list.
What is the right way of restricting only to TCP?
Thanks David Schwartz, I really meant packets. The thing, I wanted to achieve – is only to display packets from TCP protocol.
May be I am really not able to express myself. I will try one more time using a picture.
Here is my filter tcp and in the column protocol see tls and something else. I do not want this to happen. So when I am using tcp && !http && !ssl it solves my problem, but can is there anything better?
Best Answer
As others mentioned, all these protocols are TCP. You can try !tcp.data which excludes packets with payloads, but even that is not 100% it seems. What are you trying to find? Just TCP handshakes? Perhaps there is a better solution if you can tell us what exactly you're looking for. With the filters you have been using, you are excluding SYN and ACKs so I'm assuming you're not looking for them. What's left? TCP is just a transport for higher level protocols, it doesn't really do anything by itself.