
TCP header filters
In UDP, the header structure is very simple: source and destination ports, packet length, and checksum. Therefore, the only significant information to filter on is the port numbers.
TCP, on the other hand, is more complex, and uses connectivity and reliability mechanisms that can be monitored by Wireshark. Using tcp.flags, tcp.analysis, and other smart filters will help you resolve performance problems (retransmissions, duplicate ACKs, zero windows, and so on) and protocol operation issues such as resets and half-open connections.
Common display filters in this category are as follows:
- tcp.analysis: For TCP analysis criteria such as retransmissions, duplicate ACKs, or window issues. Examples of these filters are as follows (use the autocomplete feature to get the full list of available filters):
  - tcp.analysis.retransmission to display packets that were retransmitted
  - tcp.analysis.duplicate_ack to display packets that were acknowledged several times
  - tcp.analysis.zero_window to display packets in which a device on one end of the connection sends a zero-window message (which tells the sender to stop sending data on this connection until the window size increases again)
Note that tcp.analysis fields do not test the TCP header itself; they carry the results of the protocol analysis performed by the Wireshark expert system.
- tcp.flags: These filters are used to find out whether a flag is set or not:
  - tcp.flags.syn == 1 to check whether the SYN flag is set
  - tcp.flags.reset == 1 to check whether the RST flag is set
  - tcp.flags.fin == 1 to check whether the FIN flag is set
- tcp.window_size_value < <value> to look for small TCP window sizes, which are, in some cases, an indication of slow devices
Unlike the tcp.analysis fields, tcp.flags filters read the flags field of the TCP header directly, and are used to find out whether a specific flag is set or not.
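The following is an added example, not material from the book, that models what the two kinds of filter above test. parse_tcp_header reads the flag bits and window field straight out of a 20-byte TCP header (the tcp.flags.* and tcp.window_size_value filters), while analyze_stream tracks a flow across several segments to derive tcp.analysis.retransmission, tcp.analysis.duplicate_ack, and tcp.analysis.zero_window the way an expert system would. The packets are constructed inline (a handshake, one data segment sent twice, repeated ACKs, a zero-window update, and a reset), the header builder leaves the checksum at zero, and the analysis heuristics are deliberate simplifications of Wireshark's, not its code; display_filter evaluates one "field op value" or bare-field expression in the same style as the filters listed above.

```python
"""Toy model of the Wireshark TCP filters discussed above, run over constructed packets."""
import operator
import struct

# TCP flag bits as they appear in the header's flags field (RFC 9293).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
       ">": operator.gt, "<=": operator.le, ">=": operator.ge}


def build_tcp_header(sport, dport, seq, ack, flags, window):
    """Constructed 20-byte TCP header: data offset 5, checksum and urgent pointer left at 0."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)


def parse_tcp_header(raw):
    """Decode the header into Wireshark-style field names (tcp.flags.syn, tcp.window_size_value, ...)."""
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    flags = off_flags & 0x1FF                     # low 9 bits hold the flags
    return {
        "tcp.srcport": sport, "tcp.dstport": dport,
        "tcp.seq": seq, "tcp.ack": ack,
        "tcp.hdr_len": (off_flags >> 12) * 4,     # data offset is in 32-bit words
        "tcp.flags.fin": int(bool(flags & FIN)),
        "tcp.flags.syn": int(bool(flags & SYN)),
        "tcp.flags.reset": int(bool(flags & RST)),
        "tcp.flags.ack": int(bool(flags & ACK)),
        "tcp.window_size_value": window,
    }


def analyze_stream(packets):
    """Add simplified tcp.analysis.* fields. packets: list of (raw_header, payload_len)."""
    seen_data = set()   # (sport, dport, seq) of data-carrying segments already seen
    last_ack = {}       # sport -> (ack number, window) of that side's last pure ACK
    out = []
    for raw, payload_len in packets:
        f = parse_tcp_header(raw)
        key = (f["tcp.srcport"], f["tcp.dstport"], f["tcp.seq"])
        if payload_len > 0:
            if key in seen_data:                  # same data sequence number sent again
                f["tcp.analysis.retransmission"] = True
            seen_data.add(key)
        pure_ack = bool(f["tcp.flags.ack"] and payload_len == 0 and not f["tcp.flags.syn"]
                        and not f["tcp.flags.fin"] and not f["tcp.flags.reset"])
        if pure_ack:
            current = (f["tcp.ack"], f["tcp.window_size_value"])
            if last_ack.get(f["tcp.srcport"]) == current:   # same ack and window repeated
                f["tcp.analysis.duplicate_ack"] = True
            last_ack[f["tcp.srcport"]] = current
        if f["tcp.window_size_value"] == 0 and not f["tcp.flags.reset"]:
            f["tcp.analysis.zero_window"] = True  # receiver asks the peer to pause
        out.append(f)
    return out


def display_filter(fields, expr):
    """Evaluate 'field op value' (numeric) or a bare field name meaning 'field is present'."""
    parts = expr.split()
    if len(parts) == 1:
        return parts[0] in fields
    name, op, value = parts
    return name in fields and OPS[op](fields[name], int(value))


def matching_frames(packets, expr):
    """1-based frame numbers (as in the Wireshark packet list) whose fields satisfy expr."""
    return [i for i, f in enumerate(analyze_stream(packets), 1) if display_filter(f, expr)]


def demo_packets():
    """Constructed flow: handshake, data sent twice, repeated ACKs, zero window, reset."""
    c, s = 40000, 80
    return [
        (build_tcp_header(c, s, 100, 0, SYN, 65535), 0),            # frame 1: SYN
        (build_tcp_header(s, c, 300, 101, SYN | ACK, 29200), 0),    # frame 2: SYN/ACK
        (build_tcp_header(c, s, 101, 301, ACK, 65535), 0),          # frame 3: ACK
        (build_tcp_header(c, s, 101, 301, PSH | ACK, 65535), 10),   # frame 4: 10 bytes of data
        (build_tcp_header(c, s, 101, 301, PSH | ACK, 65535), 10),   # frame 5: same data again
        (build_tcp_header(s, c, 301, 111, ACK, 29200), 0),          # frame 6: ACK 111
        (build_tcp_header(s, c, 301, 111, ACK, 29200), 0),          # frame 7: duplicate ACK
        (build_tcp_header(s, c, 301, 111, ACK, 29200), 0),          # frame 8: duplicate ACK
        (build_tcp_header(s, c, 301, 111, ACK, 0), 0),              # frame 9: zero window
        (build_tcp_header(c, s, 111, 301, RST | ACK, 0), 0),        # frame 10: RST
    ]


if __name__ == "__main__":
    for expr in ("tcp.flags.syn == 1", "tcp.flags.reset == 1", "tcp.analysis.retransmission",
                 "tcp.analysis.duplicate_ack", "tcp.analysis.zero_window",
                 "tcp.window_size_value < 30000"):
        print(f"{expr:32} -> frames {matching_frames(demo_packets(), expr)}")
```

Running the script lists which constructed frames each filter selects; note that frame 9 is not counted as a duplicate ACK because its window changed, and frame 10 is not a zero-window event because it is a reset, which mirrors the distinction the text draws between header flag tests and analysis results.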