Re: How can Wireshark improve

[Richard Sharpe <realrichardsharpe () gmail com>]

On Sat, Apr 19, 2014 at 12:48 PM, Guy Harris <guy () alum mit edu> wrote:
> On Apr 19, 2014, at 12:24 PM, Richard Sharpe <realrichardsharpe () gmail com> wrote:
>
> > One think I would like to be able to do is "Show me all the SMB2
> > requests where the smb2.flags.is_response == true && smb2.nt_status !=
> > NT_STATUS_SUCCESS"
>
> Presumably you mean "show me all the SMB2 transactions (requests and matching responses) where the
> response returned an error".

Yes, although that was just an example. In other cases I would like to
see all the SMB Creates where the requested access == 0x120196 or
whatever ...

> There's now a mechanism to, when saving filtered packets, save "related" packets.  I think this was introduced to
> allow the earlier fragments/segments of a reassembled packet to be saved, along with the final packet that
> matched the filter, but in at least some cases somebody might want to save the requests corresponding to
> replies that match the filter.

Yeah, but then I want to be able to step through each of the packets
found and look at the one before or after, so I am continually hitting
clear and apply and so fort. It gets to be a pain, so then I thought
of the concept of having a search results pane that when you click on
one of the search results syncs the main pane so you can move around
and inspect more etc.

-- 
Regards,
Richard Sharpe
(何以解憂？唯有杜康。--曹操)
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe