Re: Filter change

[Rodrigo Guti <rgutierrez9 () gmail com>]

Hi Arvi and Guy,

Arvi, that was exactly what I was looking for. Guy thanks a lot for your
detail explanation.

Thanks!!!

2010/4/17 Arvinder Virk <arvinder.virk () gmail com>

> Rodrigo,
>
> There is in fact a very easy way of doing what you are asking for. Simply
> right-click on any packet, and go to "Conversation Filter" then "TCP". This
> should have the desired effect. (I am using Wireshark 1.2.7.)
>
> However, you should take heed of Guy's advice and note that there is a
> small chance that, with this filter, you are looking at more than one
> stream.
>
> Arvi
>
> On 17 April 2010 02:34, Guy Harris <guy () alum mit edu> wrote:
>
> > On Apr 16, 2010, at 6:21 PM, Rodrigo Guti wrote:
> >
> > > Thanks for the explanation, maybe I did not explain myself correctly. I
> > just do not want to see:
> > > i.e.
> > >
> > >  Filter: tcp.stream eq 2
> > >
> > > I would like to see:
> > >
> > > Filter: (ip.addr eq 97.65.22.235 and ip.addr eq 10.198.16.99) and
> > (tcp.port eq 80 and tcp.port eq 2922)
> >
> > I.e., you want the Filter: box *NOT* to display the current display
> > filter, you want it to display something else.
> >
> > > I understand how a TCP connections looks like. I am just saying that
> > tcp.stream eq 2 is equal to do (ip.addr eq 97.65.22.235 and ip.addr eq
> > 10.198.16.99) and (tcp.port eq 80 and tcp.port eq 2922)
> >
> > You may be saying that "tcp.stream eq 2" is equal to "(ip.addr eq
> > 97.65.22.235 and ip.addr eq 10.198.16.99) and (tcp.port eq 80 and tcp.port
> > eq 2922)", but they are, in fact, *not* equal.
> >
> > "tcp.stream eq 2" is a *different* filter from "(ip.addr eq 97.65.22.235
> > and ip.addr eq 10.198.16.99) and (tcp.port eq 80 and tcp.port eq 2922)",
> > even if the TCP conversation with a conversation index of 2 happens to be
> > between a host with an IP address of 97.65.22.235 and a host with an IP
> > address of 10.198.16.99, with the TCP port on one of those hosts being 80
> > and the TCP port on another of those hosts being 2922.  For example:
> >
> >        1) the traffic capture might have a TCP connection between
> > 97.65.22.235:80 and 10.198.16.99:2922 and a TCP connection between
> > 97.65.22.235:2922 and 10.198.16.99:80 - "tcp.stream eq 2" would show only
> > one of those connections (the one that "Follow TCP Stream" followed,
> > whichever one that happened to be), while "(ip.addr eq 97.65.22.235 and
> > ip.addr eq 10.198.16.99) and (tcp.port eq 80 and tcp.port eq 2922)" would
> > show both of them;
> >
> >        2) the traffic capture might have two separate TCP connections
> > between 97.65.22.235:80 and 10.198.16.99:2922 - "tcp.stream eq 2" would
> > show only one of those connections (the one that "Follow TCP Stream"
> > followed, whichever one that happened to be), while "(ip.addr eq
> > 97.65.22.235 and ip.addr eq 10.198.16.99) and (tcp.port eq 80 and tcp.port
> > eq 2922)" would show both of them.
> >
> > If you believe the two filters are the same, you don't understand what
> > "tcp.stream eq 2" is doing.
> >
> > > It is just the view, I know that it is just the single connection. I
> > just do not know, how I can change or roll back to see (ip.addr eq
> > 97.65.22.235 and ip.addr eq 10.198.16.99) and (tcp.port eq 80 and tcp.port
> > eq 2922) (this is a filter example), instead of just tcp.stream eq X.
> >
> > There is no way to do so; the fact that there is no way to do so is the
> > result of a fix to incorrect behavior in the previous Wireshark version that
> > you were using.  The fix changes the filter that "Follow TCP Stream" applies
> > to the packet trace, so that the filter selects only the packets that are
> > part of the TCP stream, without changing the Filter: box to, in that case,
> > display a filter *different* from the one that was actually applied.
> >
> > You cannot have the behavior you want except by either:
> >
> >        1) having Wireshark incorrectly filter the packets in a way that
> > could show packets that are *NOT* part of the TCP stream
> >
> > or
> >
> >        2) having Wireshark, in some cases, display in the Filter: box a
> > string that is *NOT* the filter that was applied to the display
> >
> > and *both* of those changes would introduce a bug into Wireshark, so
> > *neither* of those changes will be made to Wireshark.
> >
> > If you want Wireshark to display, somewhere, the IP address/TCP port
> > number pairs of the stream that you followed, we can do that.  We just
> > cannot do so *in the Filter: box* without introducing a bug into Wireshark.
> >
> > ___________________________________________________________________________
> > Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> > Archives:    http://www.wireshark.org/lists/wireshark-users
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> >             mailto:wireshark-users-request () wireshark org
> > ?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe