Wireshark mailing list archives

Re: Filter change


From: Guy Harris <guy () alum mit edu>
Date: Fri, 16 Apr 2010 18:13:25 -0700


On Apr 16, 2010, at 5:54 PM, Rodrigo Guti wrote:

> Thanks for the reply, I am using Version 1.2.6, that bug is fixed in my version. This is what I would like to see in
> my filter box, on my previous version, after I do follow TCP stream, on the filter box, I got this:
>
> Filter: (ip.addr eq 97.65.22.235 and ip.addr eq 10.198.16.99) and (tcp.port eq 80 and tcp.port eq 2922)
>
> But now, on my new code, after I do follow TCP stream, I got this:
>
> Filter: tcp.stream eq 2
>
> I am wondering if there is a way to get my old filter information displayed, like the one in my previous version.
>
> I am not having any problem with my filters, it is just how the filter is displayed in the Filter box.

The filter is displayed as what it *is*.  It really, truly, honestly is *NOT* checking for packets with particular IP 
source and destination addresses, and particular TCP source and destination ports, any more; it's checking for packets 
that the TCP dissector has marked as being part of a particular conversation.

The IP addresses and TCP ports are used to mark the packet as being part of a particular conversation, but there can be 
*more than one* conversation corresponding to the *same* endpoints, as a given traffic capture might have host A, port 
AA, connecting to host B, port BB, exchanging some packets, and closing the connection, and then, after that, have A:AA 
connecting to B:BB, establishing a different TCP connection, and exchanging packets on *that* connection.

"Follow TCP Stream" is supposed to deal with a *single* TCP connection, so it *cannot* be based purely on host and port 
numbers. 

> Please let me know if there is a way to modify that.

No, and there never will be a way to change the filter that is used for "Follow TCP Stream" to be based on host and 
port numbers rather than conversation indices, as doing so would introduce a bug ("Follow TCP Stream" would no longer 
follow a single TCP connection).

Why do you *want* the displayed filter to give host addresses and port numbers?  Is it because you want to know the 
host addresses and port numbers that particular TCP stream is using?  If so, we may be able to provide that information 
in another form.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
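
An added illustration of the point made in the reply above (not part of the original message, and not Wireshark's code): an address/port filter cannot separate two connections that reuse the same endpoints, while a per-connection index can, and the index can be mapped back to addresses and ports. The capture is constructed, reusing the addresses and ports from the quoted filter; the rule that a bare SYN starts a new stream is a simplified model assumed for this example.

```python
from collections import namedtuple

# Constructed sample capture (not from the original post): the client reuses
# port 2922 for a second connection to the same server after the first closes.
Pkt = namedtuple("Pkt", "no src sport dst dport flags")
A, B = "10.198.16.99", "97.65.22.235"
CAPTURE = [
    Pkt(1, A, 2922, B, 80, "S"),
    Pkt(2, B, 80, A, 2922, "SA"),
    Pkt(3, A, 2922, B, 80, "A"),
    Pkt(4, A, 2922, B, 80, "FA"),
    Pkt(5, B, 80, A, 2922, "FA"),
    Pkt(6, A, 2922, B, 80, "S"),   # new connection, same endpoints
    Pkt(7, B, 80, A, 2922, "SA"),
    Pkt(8, A, 2922, B, 80, "A"),
]

def endpoint_key(p):
    """Direction-independent key for the two (address, port) endpoints."""
    return frozenset([(p.src, p.sport), (p.dst, p.dport)])

def assign_streams(capture):
    """Map packet number -> stream index. Assumed simplified model: a bare
    SYN on an already-seen endpoint pair starts a new stream."""
    current, next_index, result = {}, 0, {}
    for p in capture:
        key = endpoint_key(p)
        if key not in current or p.flags == "S":
            current[key] = next_index
            next_index += 1
        result[p.no] = current[key]
    return result

def match_endpoints(capture, a, aport, b, bport):
    """Packet numbers an address-and-port filter would select."""
    want = frozenset([(a, aport), (b, bport)])
    return [p.no for p in capture if endpoint_key(p) == want]

def match_stream(capture, index):
    """Packet numbers a per-connection index filter would select."""
    streams = assign_streams(capture)
    return [p.no for p in capture if streams[p.no] == index]

def stream_endpoints(capture, index):
    """Recover the addresses and ports used by one stream index."""
    streams = assign_streams(capture)
    first = next(p for p in capture if streams[p.no] == index)
    return (first.src, first.sport, first.dst, first.dport)
```
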