# This file is automatically generated, DO NOT MODIFY.
"TRUE","InstaStream","tcp.stream == ${tcp.stream}","Instantly give me the TCP Stream for the packet I am on"
"TRUE","T.A.F.","tcp.analysis.flags","TCP Analysis Flags - TCP Issues?"
"TRUE","3WayHS//SYNonly","tcp.flags == 02","Just SYN Packets"
"TRUE","3WayHS//SYN-ACK","tcp.flags.syn == 1 && tcp.flags.ack==1","Just the SYN-ACK Packets"
"TRUE","3WayHS//All 3 Packets","tcp.flags.syn eq 1 or (tcp.flags eq 0x010 and tcp.len eq 0 and tcp.seq eq 1 eq tcp.nxtseq eq 1 and tcp.ack == 1)","All 3 packets of the TCP 3-way Handshake"
"TRUE","3WayHS//SYN-NoSACK","(tcp.flags.syn == 1) && !(tcp.options.sack_perm == 04:02)","SYN Packets with No SACK"
"TRUE","3WayHS//SYNorSYNACK","tcp.flags.syn == 1","Just SYN and/or SYN-ACK"
"TRUE","3WayHS//Unexpected Handshake Options//Server WinScale 1","tcp.options.wscale.multiplier eq 1 and tcp.flags.ack and tcp.flags.syn eq 1","SYN Packets with No SACK"
"TRUE","3WayHS//Unexpected Handshake Options//Server no SACK_Perm","tcp.flags.syn == 1 and tcp.flags.ack==1 and not tcp.options.sack_perm","SYN Packets with No SACK"
"TRUE","Timing//TCP Delta >.500","tcp.time_delta >.5 && tcp.flags.fin == 0 && tcp.flags.reset == 0 ","TCP Delta greater than half of a second. Removed FINs and RSTs."
"TRUE","Timing//Time Range","frame.time gt \x22Oct 18, 2018 12:50:00\x22 and frame.time lt \x22Oct 18, 2018 12:59:00\x22","Set the time/Date Range"
"TRUE","TCP Reset//Reset","tcp.flags.reset eq 1","TCP Resets"
"TRUE","TCP Reset//Reset Response to SYN","tcp.flags.reset==1 and tcp.seq in {0 1} and tcp.ack in {0 1}","Resets for Syn"
"TRUE","Retrans//Packet Loss//Retransmissions","(tcp.analysis.retransmission) && !(tcp.flags.fin == 1)","Goal - get a percentage in the status bar of packet loss.  FIN packets are filtered out because they don't matter if they are retransmitted, the conversation was already over. "
"TRUE","Retrans//Packet Loss//Spurious Retransmission","tcp.analysis.spurious_retransmission","The ACK for a packet was dropped so the Sender retransmitts. Wireshark has seen the transmission, ACK and retransmission so it marks it superfluous.  If the capture had been taken at the Sender, only the transmission and retransmission would be seen."
"TRUE","Retrans//Packet Loss//Server SYN/ACK Retransmit","(tcp.flags.syn == 1 and tcp.analysis.retransmission) && (tcp.flags.ack == 1)","Goal: How many times the server response to SYN has to be retransmitted. Is it normal packet loss or is it firewall drops?"
"TRUE","Retrans//Packet Loss or Dropped by Firewall//SYN Retransmission","(tcp.flags.syn == 1 and tcp.analysis.retransmission) && (tcp.flags.ack == 0)","Goal - does the clent have to retrans - is it normal loss, or server overload or firewall overload"
"TRUE","Retrans//Packet Loss or Dropped by Firewall//Handshake Retransmit SYN || SYNACK","tcp.flags.syn == 1 and tcp.analysis.retransmission","Retransmitted SYN Packets"
"TRUE","Win Size//Zero Window//Zero Window","tcp.analysis.zero_window","You can't send data if I tell you my window size is zero, you just have to back off and wait patiently until I send a Window Update.  Who is the source? It is their fault (either lack of resources or software not pulling up the data)."
"TRUE","Win Size//Zero Window//WinZero Recovery For Selected Stream","tcp.stream == ${tcp.stream} and (tcp.analysis.window_update or tcp.analysis.zero_window)","How long before the Window Update?"
"TRUE","Win Size//Zero Window//ZeroWindow Fault Isolation For Selected Stream","tcp.stream == ${tcp.stream} and (tcp.analysis.window_full or tcp.analysis.zero_window)","Look at the time between the window full and zero window. If it is microseconds, it is probably the application not taking the data and TCP is aware.  If it is 200 milliseconds or whatever the default TCP ACK Wait timer for your environment, it is probably a resource issue because TCP was not aware."
"TRUE","Win Size//Zero Window//ZeroWindow Fault Isolation","tcp.analysis.window_full or tcp.analysis.zero_window","Look at the time between the window full and zero window. If it is microseconds, it is probably the application not taking the data and TCP is aware.  If it is 200 milliseconds or whatever the default TCP ACK Wait timer for your environment, it is probably a resource issue because TCP was not aware."
"TRUE","Win Size//Zero Window//WinZero Recovery","tcp.analysis.window_update or tcp.analysis.zero_window","How long before the Window Update?"
"TRUE","Win Size//Small Window < 500","tcp.window_size lt 500 && tcp.window_size gt 0 && !tcp.window_size_scalefactor == -1 && tcp.flags.fin == 0 && tcp.flags.reset == 0","Window size smaller than 500 bytes"
"TRUE","Win Size//Small Window < 1000","tcp.window_size lt 1000 && tcp.window_size gt 0 && !tcp.window_size_scalefactor == -1 && tcp.flags.fin == 0 && tcp.flags.reset == 0","Window size smaller than 1000 bytes"
"TRUE","Win Size//Server WinScale 1","tcp.options.wscale.multiplier eq 1 and tcp.flags.ack and tcp.flags.syn eq 1","Servers should have higher scale factor than 1 - possible resource issue"
"TRUE","L2//ARP","arp","ARP Packets"
"TRUE","L2//STP","stp","Spanning Tree Packets"
"TRUE","L2//L2 Broadcasts","eth.addr == ff:ff:ff:ff:ff:ff","L2 Ethernet Broadcasts"
"TRUE","L2//OUI//Cisco OUI","eth.addr_resolved contains Cisco","Cisco OUI Packets"
"TRUE","L2//OUI//HP OUI","eth.addr_resolved contains Hewlett","CHewlett-Packard OUI Packets"
"TRUE","L3//IPv4 Only","ip","Show only IPv4 Packets"
"TRUE","L3//IPv4 Address","ip.addr == 192.0.2.1","Edit for a particular IP Address"
"TRUE","L3//Not this IPv4 Address","!(ip.addr == 192.0.2.1)",""
"TRUE","L3//HDR > 20 Bytes","ip.hdr_len > 20","IPv4 Packets with headers that are greater than 20 bytes"
"TRUE","L3//TTL < 8","ip.ttl < 8","IPv4 Packets with a TTL Value less than 8"
"TRUE","L3//IPv4 Fragments","(ip.flags.mf == 1) or !(ip.frag_offset==0)","IPv4 Fragment Packets"
"TRUE","L3//Not Best Effort","ip.dsfield.dscp > 0","IPv4 Packets that are not Best Effort QoS"
"TRUE","L3//Same Country IPv4","ip.geoip.country_iso == ${ip.geoip.country_iso}","Same Country as selected packet"
