5

I needed to write a filter that correctly outputs only TCP packets. The obvious way, and the way written in Wireshark, is just `tcp`, but when I tried it, it also showed me HTTP, TLS (as far as I understood, everything that relies on TCP).

So my next try was `tcp && !http && !ssl`, which is working correctly. But for sure it can show some other protocols that rely on TCP and are not included in my `!` list.

What is the right way of restricting only to TCP?

Thanks David Schwartz, I really meant packets. The thing I wanted to achieve is only to display packets from the TCP protocol.

Maybe I am really not able to express myself. I will try one more time using a picture.

Here is my filter `tcp`, and in the Protocol column I see TLS and something else. I do not want this to happen. So when I use `tcp && !http && !ssl` it solves my problem, but is there anything better?

Salvador Dali
  • would it be `tcp && (!=http | !=ssl)` – SpacemanSpiff Dec 21 '12 at 17:11
  • 4
    First, I think you mean "packets", not packages. Second, HTTP packets *are* TCP packets. It would help if you could more precisely state what it is you want. – David Schwartz Dec 21 '12 at 17:13
  • @SpacemanSpiff: That wouldn't filter anything out. Everything is either not HTTP or not SSL. (If it's HTTP, it's not SSL. If it's SSL, it's not HTTP. If it's neither HTTP nor SSL, it's not HTTP. So that test would allow every packet.) – David Schwartz Dec 21 '12 at 17:14
  • too much coffee and no sleep... why not filter the CAPTURE on TCP only... then filter out HTTP and HTTPS traffic using a display filter – SpacemanSpiff Dec 21 '12 at 17:16
  • 1
    "The thing, I wanted to achieve - is only to display packets from TCP protocol." You are. SSL and HTTP packets **are** packets from the TCP protocol. – David Schwartz Dec 21 '12 at 17:37
  • 2
    What do you *expect* to see differently in Wireshark? Just the TCP packets for a *specific* application? If so, you'll need to know the port number it is communicating on and filter on that -- `tcp.port eq 10000` – jimbobmcgee Dec 21 '12 at 19:40
  • 1
    To test for TCP you can use `ip.proto==6`, since IP is the protocol that encapsulates TCP, and if you look in Wireshark you see it has a field 'Protocol' that specifies whether the encapsulated protocol is TCP; the code IP uses for TCP is 6. – barlop Jan 14 '18 at 07:48

2 Answers

4

As others mentioned, all these protocols are TCP. You can try `!tcp.data`, which excludes packets with payloads, but even that is not 100%, it seems. What are you trying to find? Just TCP handshakes? Perhaps there is a better solution if you can tell us what exactly you're looking for. With the filters you have been using, you are excluding SYNs and ACKs, so I'm assuming you're not looking for them. What's left? TCP is just a transport for higher-level protocols; it doesn't really do anything by itself.

prl77
1

Use the built-in capture filter to capture only TCP traffic.

SpacemanSpiff
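The following is an added example, not code from the question or either answer. It builds a handful of constructed IPv4/TCP and UDP packets (zeroed checksums, not a real capture), parses the fields the filters in this thread refer to (`ip.proto`, `tcp.srcport`, `tcp.dstport`, `tcp.len`, which are real Wireshark field names), and then runs the filters from the question, prl77's "no payload" idea (modelled here as `tcp.len == 0`, the same intent as `!tcp.data`), jimbobmcgee's `tcp.port` suggestion and SpacemanSpiff's capture filter over them. The Protocol column is modelled on Wireshark's default port-based dissection only (payload on port 80 is HTTP, on 443 TLS); real Wireshark also applies heuristic dissectors, so treat `protocol_column` as an approximation. The point it makes concrete: both the capture filter `tcp` (BPF, evaluated on the IP protocol field before any dissection) and the display filter `tcp` keep every HTTP and TLS segment, because those are TCP segments; the only things that actually narrow the list are excluding dissected protocols by name, dropping segments with payload, or filtering on a port.

```python
import struct

# Constructed sample traffic (not a real capture): IPv4 + TCP/UDP headers with
# zeroed checksums, built only so the filters below have something to run over.

def build_ipv4(proto, l4, src="10.0.0.1", dst="10.0.0.2"):
    """20-byte IPv4 header in front of an already built layer-4 segment."""
    total_len = 20 + len(l4)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return hdr + l4

def build_tcp(srcport, dstport, flags, payload=b""):
    """20-byte TCP header (data offset 5, no options) followed by the payload."""
    return struct.pack("!HHIIBBHHH", srcport, dstport, 1, 1, 5 << 4, flags,
                       65535, 0, 0) + payload

def build_udp(srcport, dstport, payload=b""):
    """8-byte UDP header followed by the payload."""
    return struct.pack("!HHHH", srcport, dstport, 8 + len(payload), 0) + payload

SYN, ACK, PSH = 0x02, 0x10, 0x08

SAMPLE = [
    build_ipv4(6, build_tcp(50000, 80, SYN)),                         # handshake
    build_ipv4(6, build_tcp(80, 50000, SYN | ACK), "10.0.0.2", "10.0.0.1"),
    build_ipv4(6, build_tcp(50000, 80, ACK)),
    build_ipv4(6, build_tcp(50000, 80, PSH | ACK, b"GET / HTTP/1.1\r\n\r\n")),
    build_ipv4(6, build_tcp(50001, 443, PSH | ACK, b"\x16\x03\x01\x00\x05hello")),
    build_ipv4(6, build_tcp(50002, 10000, PSH | ACK, b"custom app data")),
    build_ipv4(17, build_udp(53000, 53, b"\x00\x01\x01\x00")),         # DNS query
]

def dissect(raw):
    """Extract the fields the discussed filters use; keys follow Wireshark's names."""
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    f = {"ip.proto": raw[9]}
    if f["ip.proto"] != 6:
        return f
    t = raw[ihl:]
    srcport, dstport = struct.unpack("!HH", t[:4])
    data_off = (t[12] >> 4) * 4
    f.update({
        "tcp.srcport": srcport,
        "tcp.dstport": dstport,
        "tcp.flags.syn": bool(t[13] & SYN),
        "tcp.len": total_len - ihl - data_off,   # TCP segment (payload) length
    })
    return f

def protocol_column(f):
    """Approximation of Wireshark's Protocol column using only its default
    port-based dissection: payload on port 80 is HTTP, on 443 TLS; a segment
    with no payload, or on any other port, stays 'TCP'. (Assumption: real
    Wireshark additionally runs heuristic dissectors.)"""
    if f["ip.proto"] == 17:
        return "UDP"
    if f["ip.proto"] != 6:
        return "IPv4"
    if f["tcp.len"] == 0:
        return "TCP"
    ports = (f["tcp.srcport"], f["tcp.dstport"])
    if 80 in ports:
        return "HTTP"
    if 443 in ports:
        return "TLS"
    return "TCP"

# Display filters from the thread, expressed as predicates over dissected fields.
DISPLAY_FILTERS = {
    "tcp": lambda f: f["ip.proto"] == 6,
    "tcp && !http && !ssl": lambda f: f["ip.proto"] == 6
                              and protocol_column(f) not in ("HTTP", "TLS"),
    "tcp && tcp.len == 0": lambda f: f["ip.proto"] == 6 and f["tcp.len"] == 0,
    "tcp.port == 10000": lambda f: f["ip.proto"] == 6
                              and 10000 in (f["tcp.srcport"], f["tcp.dstport"]),
}

def capture_filter_tcp(packets):
    """BPF capture filter 'tcp': decided from ip.proto at capture time, before
    any dissection, so it can only remove non-TCP packets (here: the DNS/UDP one)."""
    return [p for p in packets if dissect(p)["ip.proto"] == 6]

def apply_display_filter(expr, packets):
    """Return the Protocol column of every packet the display filter keeps."""
    pred = DISPLAY_FILTERS[expr]
    return [protocol_column(f) for f in map(dissect, packets) if pred(f)]

if __name__ == "__main__":
    captured = capture_filter_tcp(SAMPLE)
    print("capture filter 'tcp' kept", len(captured), "of", len(SAMPLE), "packets")
    for expr in DISPLAY_FILTERS:
        print(f"{expr:24} -> {apply_display_filter(expr, captured)}")
```

Running it shows the capture filter dropping only the UDP packet, `tcp` still listing HTTP and TLS rows, `tcp && !http && !ssl` keeping the three handshake segments plus the port-10000 segment (any other dissected protocol would slip through exactly as the question worries), `tcp.len == 0` keeping just the three payload-less segments, and `tcp.port == 10000` isolating the one application.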