Wireshark mailing list archives

Re: Filter change


From: Rodrigo Guti <rgutierrez9 () gmail com>
Date: Fri, 16 Apr 2010 19:21:00 -0600

Thanks for the explanation, maybe I did not explain myself correctly. I just
do not want to see:

i.e.

Filter: tcp.stream eq 2

I would like to see:

Filter: (ip.addr eq 97.65.22.235 and ip.addr eq 10.198.16.99) and (tcp.port
eq 80 and tcp.port eq 2922)

I understand what a TCP connection looks like. I am just saying that
tcp.stream eq 2 is equal to doing (ip.addr eq 97.65.22.235 and ip.addr eq
10.198.16.99) and (tcp.port eq 80 and tcp.port eq 2922)

I just prefer to see (ip.addr eq 97.65.22.235 and ip.addr eq 10.198.16.99)
and (tcp.port eq 80 and tcp.port eq 2922) instead of tcp.stream eq 2.

In my previous Wireshark version, I got the extended (ip.addr eq
97.65.22.235 and ip.addr eq 10.198.16.99) and (tcp.port eq 80 and tcp.port
eq 2922). Now I just get tcp.stream eq 2.

It is just the view, I know that it is just the single connection. I just do
not know, how I can change or roll back to see (ip.addr eq 97.65.22.235 and
ip.addr eq 10.198.16.99) and (tcp.port eq 80 and tcp.port eq 2922) (this is
a filter example), instead of just tcp.stream eq X.

Hope this makes sense.

Thanks!

2010/4/16 Guy Harris <guy () alum mit edu>

On Apr 16, 2010, at 5:54 PM, Rodrigo Guti wrote:

Thanks for the reply, I am using Version 1.2.6, that bug is fixed in my
version. This is what I would like to see in my filter box. On my previous
version, after I did Follow TCP Stream, the filter box showed this:

Filter: (ip.addr eq 97.65.22.235 and ip.addr eq 10.198.16.99) and
(tcp.port eq 80 and tcp.port eq 2922)

But now, on my new code, after I do follow TCP stream, I got this:

Filter: tcp.stream eq 2

I am wondering if there is a way to get my old filter information
displayed, like the one in my previous version.

I am not having any problem with my filters, it is just how the filter is
displayed in the Filter box.

The filter is displayed as what it *is*.  It really, truly, honestly is
*NOT* checking for packets with particular IP source and destination
addresses, and particular TCP source and destination ports, any more; it's
checking for packets that the TCP dissector has marked as being part of a
particular conversation.

The IP addresses and TCP ports are used to mark the packet as being part of
a particular conversation, but there can be *more than one* conversation
corresponding to the *same* endpoints, as a given traffic capture might have
host A, port AA, connecting to host B, port BB, exchanging some packets, and
closing the connection, and then, after that, have A:AA connecting to B:BB,
establishing a different TCP connection, and exchanging packets on *that*
connection.

"Follow TCP Stream" is supposed to deal with a *single* TCP connection, so
it *cannot* be based purely on host and port numbers.

Please let me know if there is a way to modify that.

No, and there never will be a way to change the filter that is used for
"Follow TCP Stream" to be based on host and port numbers rather than
conversation indices, as doing so would introduce a bug ("Follow TCP Stream"
would no longer follow a single TCP connection).

Why do you *want* the displayed filter to give host addresses and port
numbers?  Is it because you want to know the host addresses and port numbers
that particular TCP stream is using?  If so, we may be able to provide that
information in another form.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
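The distinction Guy Harris draws above (a conversation index versus a host/port filter), as an added Python model that is not part of the original thread or of Wireshark's own code; the packets, the "SYN starts a new conversation" rule and the helper names are constructed for this example:

```python
# Added example: a tiny model of how a TCP dissector assigns a conversation
# (stream) index, showing why "tcp.stream eq N" is not the same filter as
# "(ip.addr eq A and ip.addr eq B) and (tcp.port eq X and tcp.port eq Y)".
# Illustrative code only, not Wireshark's implementation; the packet list and
# the SYN-based new-connection rule are constructed for the example.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

def endpoint_key(p):
    """Direction-independent host/port pair used to look up a conversation."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

def assign_streams(packets):
    """Return one stream index per packet. A SYN without ACK opens a new
    conversation for its endpoints even if the same endpoints were seen
    before (a reused port pair); every other packet joins the current one."""
    current = {}      # endpoint key -> latest stream index for that key
    next_index = 0
    out = []
    for p in packets:
        key = endpoint_key(p)
        if key not in current or (p.syn and not p.ack):
            current[key] = next_index
            next_index += 1
        out.append(current[key])
    return out

def match_endpoints(p, addr_a, addr_b, port_a, port_b):
    """The host/port style filter from the thread, evaluated on one packet."""
    addrs, ports = {p.src, p.dst}, {p.sport, p.dport}
    return {addr_a, addr_b} <= addrs and {port_a, port_b} <= ports

# Constructed capture: connection 1, an unrelated connection, then the
# same client port reconnecting to the same server (connection 2).
PACKETS = [
    Packet("10.198.16.99", 2922, "97.65.22.235", 80, syn=True),            # stream 0
    Packet("97.65.22.235", 80, "10.198.16.99", 2922, syn=True, ack=True),  # stream 0
    Packet("10.198.16.99", 3000, "97.65.22.235", 80, syn=True),            # stream 1
    Packet("10.198.16.99", 2922, "97.65.22.235", 80),                      # stream 0 data
    Packet("10.198.16.99", 2922, "97.65.22.235", 80, syn=True),            # port pair reused: stream 2
    Packet("97.65.22.235", 80, "10.198.16.99", 2922),                      # stream 2
]

def filter_by_endpoints(packets):
    """Packet numbers matched by the old host/port filter: both connections."""
    return [i for i, p in enumerate(packets)
            if match_endpoints(p, "97.65.22.235", "10.198.16.99", 80, 2922)]

def filter_by_stream(packets, n):
    """Packet numbers matched by tcp.stream eq n: exactly one connection."""
    idx = assign_streams(packets)
    return [i for i in range(len(packets)) if idx[i] == n]
```

Running it shows the host/port filter selecting packets from both reuses of the 2922/80 pair, while tcp.stream eq 0 and tcp.stream eq 2 each isolate a single connection.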