- Filter on a negation using
!(for example,!arpfilters out ARP packets). - To see SYN/ACK packets, filter with
tcp.flags.syn == 1 && tcp.flags.ack == 1. - To search within packets use the filter
frame contains "$TEXT_TO_SEARCH".
If you click on a field for a packet, the filter name is displayed in the lower left. (For example, TCP SYN packets are tcp.flags.syn.) You can automatically apply a filter (or “prepare” a filter, which lets you see the filter before it’s applied) by right-clicking on it and choosing “Apply as Filter” (or “Prepare as Filter”).
To see (suspected) retransmissions in Wireshark, filter for the tcp.analysis.retransmission flag. Some retransmissions may be “fast”, in that the packet is transmitted before the TCP timer would have expired. This happens when SACK is used, typically after a packet isn’t acknowledged in after three consecutive SACK blocks.