Re: Colorize Conversation - except for SYN/FIN

[Stephen Fisher <steve () stephen-fisher com>]

On Thu, Dec 15, 2011 at 12:00:55PM -0600, Prigge Scott wrote:

> Hi. Is there any way (on Windows) to configure the coloring rules or 
> configuration so that the Colorize Conversation -> TCP option will 
> exclude the three-way handshake, the teardown, and RST packets? I'd 
> still like to see those colors display based on the coloring rules.

First disable the TCP SYN/FIN coloring rule, then modify the TCP 
coloring rule to say something like "tcp && !(tcp.flags.syn == 1)" to 
keep it from applying to packets with the SYN bit set.  That takes care 
of the first two parts of the three way handshake and can be expanded 
upon.  Do not to use rules like "tcp.flags.syn != 1" due to unintended 
consequences.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe