I want to use a filter rule to capture only ack or syn packets. How do I do this?
Best Answer
The pcap filter syntax used for tcpdump should work exactly the same way as a Wireshark capture filter.
With tcpdump I would use a filter like this:
tcpdump "tcp[tcpflags] & (tcp-syn|tcp-ack) != 0"
Check out the tcpdump man page, and pay close attention to the tcpflags.
Be sure to also check out the sections in the Wireshark Wiki about capture and display filters. Unfortunately the two types of filters use a completely different syntax, and different names for the same thing.
If you wanted a display filter instead of a capture filter, you would probably need to build an expression combining tcp.flags.ack and tcp.flags.syn. I am far more familiar with capture filters though, so you'll have to work that out on your own.
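To make the filter's semantics concrete, here is an added example (not from the answer above) that does in Python what the pcap expression does in the kernel: it reads byte 13 of a TCP header (tcp[tcpflags]), masks it with tcp-syn|tcp-ack (0x02|0x10), and reports which constructed sample headers would be captured. It also shows the stricter "== tcp-syn" variant, which is what you want when counting bare handshake SYNs (e.g. for spotting half-open connection floods) rather than every ACK-carrying segment.

```python
import struct

# Constants from the tcpdump man page: tcp[tcpflags] is byte 13 of the TCP
# header; tcp-fin/syn/rst/psh/ack/urg are the bit masks within that byte.
TCP_FLAGS_OFFSET = 13
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=65535):
    """Constructed sample: minimal 20-byte TCP header (no options, zero checksum)."""
    data_offset = 5 << 4  # header length 5 x 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, window, 0, 0)


def tcp_flags(tcp_header: bytes) -> int:
    """Return tcp[tcpflags]: the flags byte at offset 13 of the TCP header."""
    return tcp_header[TCP_FLAGS_OFFSET]


def matches_syn_or_ack(tcp_header: bytes) -> bool:
    """Equivalent of the capture filter  tcp[tcpflags] & (tcp-syn|tcp-ack) != 0."""
    return (tcp_flags(tcp_header) & (TCP_SYN | TCP_ACK)) != 0


def matches_syn_only(tcp_header: bytes) -> bool:
    """Stricter variant  tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn:
    SYN set and ACK clear, i.e. only the first packet of a handshake."""
    return (tcp_flags(tcp_header) & (TCP_SYN | TCP_ACK)) == TCP_SYN


def flag_names(flags: int) -> str:
    names = [("FIN", TCP_FIN), ("SYN", TCP_SYN), ("RST", TCP_RST),
             ("PSH", TCP_PSH), ("ACK", TCP_ACK), ("URG", TCP_URG)]
    return "|".join(n for n, m in names if flags & m) or "none"


# Constructed sample headers covering the cases the filter must distinguish.
SAMPLE_PACKETS = {
    "handshake-syn": build_tcp_header(40000, 443, TCP_SYN),
    "handshake-syn-ack": build_tcp_header(443, 40000, TCP_SYN | TCP_ACK),
    "data-psh-ack": build_tcp_header(40000, 443, TCP_PSH | TCP_ACK),
    "reset-only": build_tcp_header(443, 40000, TCP_RST),
    "fin-only": build_tcp_header(40000, 443, TCP_FIN),
}


def apply_filter(packets=SAMPLE_PACKETS):
    """Run the syn-or-ack filter over a dict of headers; True means 'would be captured'."""
    return {name: matches_syn_or_ack(hdr) for name, hdr in packets.items()}


if __name__ == "__main__":
    for name, hdr in SAMPLE_PACKETS.items():
        print(f"{name:18s} flags={flag_names(tcp_flags(hdr)):8s} "
              f"syn|ack={matches_syn_or_ack(hdr)} syn-only={matches_syn_only(hdr)}")
```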
We had this exact same problem. Just disabling TCP timestamps solved the problem.
sysctl -w net.ipv4.tcp_timestamps=0
To make this change permanent, make an entry in /etc/sysctl.conf.
Be very careful about disabling the TCP Window Scale option. This option is important for providing maximum performance over the internet. Someone with a 10 megabit/sec connection will have a suboptimal transfer if the round trip time (basically the same as ping) is more than 55 ms.
We really noticed this problem when there were multiple devices behind the same NAT. I suspect that the server might have been confused seeing timestamps from Android devices and OSX machines at the same time since they put completely different values in the timestamp fields.