Forum Discussion
Ray_Dodier_1102
Sep 27, 2010 Nimbostratus
Not sure if this helps, but I've been playing around with Wireshark and found a few things that were helpful to me. The first was to get the TCP Stream Index numbers for streams of interest. Once I did the Wireshark capture I'd enter the following Wireshark filter to try to get the beginning of each sequence using -
tcp.flags == 0x02 and (ip.addr == 192.168.11.21 or ip.addr == 192.168.11.27)
This filters for the SYN flag and a given set of IPs.
After applying the filter I expanded the TCP section in the middle pane of Wireshark and then could click on each line in the top pane to get a list of Stream Indexes to look at. Once I had that I used the following Wireshark filter to pull out just the SSL handshake packets for a given stream (i.e. say stream 36) -
tcp.stream eq 36 and ssl.handshake
If you Google "WireShark tips Delta Time" there was one on adding Delta Time to the columns that I found helpful.
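The same workflow can be scripted over a field export instead of clicking through the panes. The following is an added example, not part of the original post: it finds the stream indexes opened by a SYN involving the hosts of interest, then lists each stream's handshake records with the time since the previous one. The tshark invocation in the comment, the function names and the sample rows are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample in the shape of a tshark field export (assumed invocation):
#   tshark -r capture.pcap -T fields -E 'separator=|' -e frame.time_relative \
#     -e tcp.stream -e ip.src -e ip.dst -e tcp.flags -e ssl.handshake.type
# (newer Wireshark releases name the last field tls.handshake.type)
SAMPLE = """\
0.000000|35|192.168.11.50|192.168.11.99|0x0002|
0.010000|36|192.168.11.21|192.168.11.27|0x0002|
0.010400|36|192.168.11.27|192.168.11.21|0x0012|
0.010700|36|192.168.11.21|192.168.11.27|0x0010|
0.012000|36|192.168.11.21|192.168.11.27|0x0018|1
0.250000|36|192.168.11.27|192.168.11.21|0x0018|2,11,14
0.251500|36|192.168.11.21|192.168.11.27|0x0018|16
0.300000|35|192.168.11.50|192.168.11.99|0x0018|1
"""

HOSTS = {"192.168.11.21", "192.168.11.27"}

def parse(text):
    """Turn export lines into (time, stream, src, dst, flags, hs_types) tuples."""
    rows = []
    for line in text.splitlines():
        t, stream, src, dst, flags, hs = line.split("|")
        # One frame can carry several handshake messages, joined by commas.
        types = tuple(int(x) for x in hs.split(",")) if hs else ()
        rows.append((float(t), int(stream), src, dst, int(flags, 16), types))
    return rows

def syn_streams(rows, hosts):
    """Stream indexes opened by a pure SYN (flags == 0x02) involving hosts."""
    return sorted({s for _, s, src, dst, fl, _ in rows
                   if fl == 0x02 and (src in hosts or dst in hosts)})

def handshake_deltas(rows, streams):
    """Per stream: (handshake types, seconds since previous handshake frame)."""
    out, last = defaultdict(list), {}
    for t, s, _, _, _, types in rows:
        if s in streams and types:
            out[s].append((types, round(t - last.get(s, t), 6)))
            last[s] = t
    return dict(out)

if __name__ == "__main__":
    rows = parse(SAMPLE)
    for s, steps in handshake_deltas(rows, syn_streams(rows, HOSTS)).items():
        print("stream", s, steps)
```

In the constructed sample the largest gap sits in front of the server's handshake frame, which is the kind of delay the Delta Time column makes visible.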