Wireshark mailing list archives
Re: Colorize Conversation - except for SYN/FIN
From: Chris Maynard <Chris.Maynard () gtech com>
Date: Fri, 16 Dec 2011 15:57:35 +0000 (UTC)
Prigge Scott <PriggeScottM@...> writes:

I'm a little embarrassed to admit that I seem to have found a way shortly after my initial post by simply creating a new coloring rule with the following expression: tcp.stream eq 7 && (!(tcp.flags & 0x02) || tcp.flags.fin != 1) which has my desired effect. However, the String field in the coloring rule is yellow, and I'm also using the expression you explicitly cautioned against (tcp.flags.fin != 1). I got those flag expressions from the built-in "TCP SYN/FIN" coloring rule. What is the concern with that expression?

Due to certain fields like ip.addr, in general it is not advisable to use expressions of the form, "(field != value)". Rather, using an expression of the form, "!(field == value)", is preferred to avoid any unintended consequences, and that is the reason the coloring rule is yellow instead of green. Read the "Gotchas" section of http://wiki.wireshark.org/DisplayFilters for more information.

- Chris
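
The difference between the two filter forms discussed in this message, as an added example that is not part of the original post and is not Wireshark code. It is a toy Python model that assumes the "any occurrence" matching the thread describes for multi-valued fields such as ip.addr; the function names and the sample packets are constructed for illustration.

```python
# Toy model of display-filter comparisons (added example, not Wireshark code).
# A packet maps each field name to the list of values it carries; ip.addr
# occurs twice per IP packet (source and destination address).

def field_eq(pkt, field, value):
    """field == value: true if ANY occurrence of the field equals value."""
    return any(v == value for v in pkt.get(field, []))

def field_ne(pkt, field, value):
    """field != value: true if ANY occurrence of the field differs from value."""
    return any(v != value for v in pkt.get(field, []))

def not_field_eq(pkt, field, value):
    """!(field == value): true only if NO occurrence equals value."""
    return not field_eq(pkt, field, value)

def tcp_pkt(src, dst, fin):
    return {"ip.addr": [src, dst], "tcp.flags.fin": [fin]}

# Constructed sample capture: three TCP packets and one ARP frame.
PACKETS = [
    tcp_pkt("10.0.0.1", "10.0.0.2", 0),   # 0: from 10.0.0.1
    tcp_pkt("10.0.0.2", "10.0.0.1", 1),   # 1: to 10.0.0.1, FIN set
    tcp_pkt("10.0.0.3", "10.0.0.4", 0),   # 2: unrelated hosts
    {"arp.opcode": [1]},                  # 3: no ip.addr, no tcp.flags.fin
]

def matching(pred, field, value):
    """Indices of the sample packets that the predicate selects."""
    return [i for i, p in enumerate(PACKETS) if pred(p, field, value)]

if __name__ == "__main__":
    for label, pred in (("field != value", field_ne),
                        ("!(field == value)", not_field_eq)):
        print(label, "ip.addr 10.0.0.1 ->", matching(pred, "ip.addr", "10.0.0.1"))
        print(label, "tcp.flags.fin 1  ->", matching(pred, "tcp.flags.fin", 1))
```

In this model "ip.addr != 10.0.0.1" still selects packets 0 and 1, which involve 10.0.0.1, while "!(ip.addr == 10.0.0.1)" excludes them. For the single-occurrence tcp.flags.fin field the two forms differ only on the ARP frame, which lacks the field.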