need display filter to display tcp packets of non zero payload in wireshark

Question

i have a pcap which contains only tcp packets. now i want to see only those packets which have non zero payload length. can someone please let me know which display filter to use ? using

data.len or
tcp.pdu.size

doesnt help. please let me know the appropriate filter. Even

frame.length

wont suffice as headers may be of different length. so some sort of filter like tcp.payload_len is required. any help will be greatly appreciated. thanks.

devon.c.miller · Accepted Answer · 2012-08-31 17:59:08Z

4

What you want is tcp.len which is the length of the payload. I won't be populated when the frame contains no payload.

The full list of tcp attributes you can filter on is available here: http://www.wireshark.org/docs/dfref/t/tcp.html

answered Aug 31, 2012 at 17:59

devon.c.miller

2111 silver badge6 bronze badges

Add a comment |

Stack Exchange Network

need display filter to display tcp packets of non zero payload in wireshark

1 Answer 1

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged
wireshark
.

Hot Network Questions

need display filter to display tcp packets of non zero payload in wireshark

1 Answer 1

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged wireshark.

Related

Hot Network Questions

Not the answer you're looking for? Browse other questions tagged
wireshark
.