Hi,

My question's probably quite simple, but I'd like to frame it by explaining my situation first.

I come from an environment that uses Citrix MetaFrame. A Citrix session establishes itself on TCP port 1494 or 2598 by default. All activities utilise this single conversation, meaning screen drawing, mouse movements, clipboard copies, client-side drive mapping etc. all occur within the same conversation.

Screen redraws, mouse movements and keystrokes are all high priority activities compared to something like printing. Therefore, the first two bytes of the TCP data are not encrypted and contain information about the payload of the particular packet.

From Cisco's description:

    The first two bytes of the packet (byte 1 and byte 2) contain the byte count and the ICA priority tag number. Byte 1 contains the low-order byte count, and the first two bits of byte 2 contain the priority tags. The other six bits contain the high-order byte count.

I'd like to filter by the first two bits of the second byte of the TCP payload data. I am currently trying variations of the following display filter:

    (tcp[21] & 0xc0) == 0

This filter is rejected as invalid. Can anyone see what I'm doing wrong?

Thanks
Greg
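Added example, not part of the original post: a Python decoder for the two clear-text bytes described in the Cisco text, applied to a raw TCP segment. It assumes "first two bits" means the two most significant bits of byte 2 (the 0xc0 mask used in the post); the function names and sample bytes are constructed for illustration. It also shows that offset 21 from the start of the TCP header is the second payload byte only when the header carries no options.

```python
import struct

def tcp_payload(segment: bytes) -> bytes:
    """Return the TCP payload, honouring the header's data-offset field."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    header_len = (segment[12] >> 4) * 4      # data offset is counted in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad TCP data offset")
    return segment[header_len:]

def parse_ica_prefix(payload: bytes):
    """Decode the two unencrypted bytes into (priority, byte_count)."""
    if len(payload) < 2:
        raise ValueError("payload too short for the two-byte prefix")
    low, second = payload[0], payload[1]
    priority = second >> 6                   # assumption: top two bits (mask 0xc0)
    byte_count = ((second & 0x3F) << 8) | low  # six high-order bits + low-order byte
    return priority, byte_count

def build_segment(options: bytes, payload: bytes) -> bytes:
    """Constructed sample: minimal TCP header to port 1494, optional options, payload."""
    if len(options) % 4:
        raise ValueError("options must be padded to a 4-byte multiple")
    offset_words = 5 + len(options) // 4
    header = struct.pack("!HHIIBBHHH", 50000, 1494, 1, 1,
                         offset_words << 4, 0x18, 8192, 0, 0)
    return header + options + payload

# Constructed samples: priority 3 / count 300, and priority 0 / count 16.
PLAIN = build_segment(b"", bytes([0x2C, 0xC1]) + b"\x00" * 4)
# Same kind of segment, but with a 12-byte NOP, NOP, timestamp option block.
WITH_OPTS = build_segment(b"\x01\x01\x08\x0a" + b"\x00" * 8, bytes([0x10, 0x00]))

if __name__ == "__main__":
    for name, seg in (("no options", PLAIN), ("with options", WITH_OPTS)):
        prio, count = parse_ica_prefix(tcp_payload(seg))
        print(f"{name}: priority={prio} byte_count={count} "
              f"byte at fixed offset 21=0x{seg[21]:02x}")
```

With the option block present, the byte at fixed offset 21 is an option byte, so any check on the priority bits has to start from the computed payload offset.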