# This file is automatically generated, DO NOT MODIFY.
"TRUE","TCP\xe6\x8e\xa5\xe7\xb6\x9a\xe3\x82\x92\xe6\x8a\xbd\xe5\x87\xba","tcp.stream == ${tcp.stream}","\xe5\xad\x90\xe3\x81\xae\xe3\x83\x91\xe3\x82\xb1\xe3\x83\x83\xe3\x83\x88\xe3\x81\x8c\xe5\x90\xab\xe3\x81\xbe\xe3\x82\x8c\xe3\x82\x8bTCP\xe6\x8e\xa5\xe7\xb6\x9a\xe3\x82\x92\xe6\x8a\xbd\xe5\x87\xba\xe3\x81\x97\xe3\x81\xbe\xe3\x81\x99"
"TRUE","TCP\xe3\x81\xae\xe5\x86\x8d\xe9\x80\x81","(tcp.analysis.retransmission) && !(tcp.flags.fin == 1)","Goal - get a percentage in the status bar of packet loss.  FIN packets are filtered out because they don't matter if they are retransmitted, the conversation was already over. "
"TRUE","ACK\xe3\x82\x92\xe8\xbf\x94\xe3\x81\x97\xe3\x81\x9f\xe3\x83\x91\xe3\x82\xb1\xe3\x83\x83\xe3\x83\x88\xe3\x82\x92\xe5\x8f\x97\xe4\xbf\xa1","tcp.analysis.spurious_retransmission","The ACK for a packet was dropped so the Sender retransmits. Wireshark has seen the transmission, ACK and retransmission so it marks it superfluous.  If the capture had been taken at the Sender, only the transmission and retransmission would be seen."
"TRUE","TCP\xe3\x82\xb5\xe3\x83\xbc\xe3\x83\x90\xe3\x81\xaeSYN/ACK\xe5\x86\x8d\xe9\x80\x81","(tcp.flags.syn == 1 and tcp.analysis.retransmission) && (tcp.flags.ack == 1)","Goal: How many times the server response to SYN has to be retransmitted. Is it normal packet loss or is it firewall drops?"
"TRUE","TCP\xe3\x81\xaeSYN\xe5\x86\x8d\xe9\x80\x81","(tcp.flags.syn == 1 and tcp.analysis.retransmission) && (tcp.flags.ack == 0)","Goal - does the client have to retransmit - is it normal loss, or server overload or firewall overload"
"TRUE","TCP\xe3\x83\x8f\xe3\x83\xb3\xe3\x83\x89\xe3\x82\xb7\xe3\x82\xa7\xe3\x83\xbc\xe3\x82\xaf","(tcp.flags == 0x010 && tcp.len == 0 && tcp.seq == 1 && tcp.nxtseq == 1 && tcp.ack == 1 && tcp.flags.ack == 1) || tcp.flags.syn == 1","All 3 pieces of the handshake.  The last ack has no additional flags or data, and the SEQ, NxtSEQ and ACK numbers must all be one.  Great to find retransmissions (red) in the handshakes. "
"TRUE","\xe9\x81\x85\xe5\xbb\xb6\xe3\x81\x8c500ms\xe4\xbb\xa5\xe4\xb8\x8a","tcp.time_delta >.5 && tcp.flags.fin == 0 && tcp.flags.reset == 0 ","TCP Delta greater than half of a second. Removed FINs and RSTs."
"TRUE","\xe3\x82\xa6\xe3\x82\xa4\xe3\x83\xb3\xe3\x83\x89\xe3\x82\xa6\xe3\x82\xb5\xe3\x82\xa4\xe3\x82\xba1260\xe6\x9c\xaa\xe6\xba\x80","tcp.window_size lt 1260 && tcp.window_size gt 0 && !tcp.window_size_scalefactor == -1 && tcp.flags.fin == 0 && tcp.flags.reset == 0",""
"TRUE","SYN\xe3\x81\xab\xe5\xaf\xbe\xe3\x81\x97\xe3\x81\xa6\xe3\x83\xaa\xe3\x82\xbb\xe3\x83\x83\xe3\x83\x88","tcp.flags.reset==1 and tcp.seq in {0 1} and tcp.ack in {0 1}","Resets for Syn"
"TRUE","\xe5\x95\x8f\xe9\xa1\x8c\xe3\x81\xae\xe3\x81\x82\xe3\x82\x8bTCP","tcp.analysis.flags",""
"TRUE","\xe3\x83\x8e\xe3\x82\xa4\xe3\x82\xba\xe3\x81\xaa\xe3\x81\x97","not (stp or cdp or lldp or ssdp or nbns or afp or arp or llmnr or mdns or udp.dstport in {17500})","Goal - filter out the noise - stp|cdp|lldp|ssdp|nbns|afp|arp|llmnr|mdns|DropboxSync"
"TRUE","\xe3\x83\x8e\xe3\x82\xa4\xe3\x82\xba\xe3\x83\x91\xe3\x82\xb1\xe3\x83\x83\xe3\x83\x88","stp or cdp or lldp or ssdp or nbns or afp or arp or llmnr or mdns or udp.dstport in {17500}","Goal - see the noise - stp|cdp|lldp|ssdp|nbns|afp|arp|llmnr|mdns|DropboxSync"
