Re: Colorize Conversation - except for SYN/FIN

[Stephen Fisher <steve () stephen-fisher com>]

On Thu, Dec 15, 2011 at 11:11:40AM -0700, Stephen Fisher wrote:
> On Thu, Dec 15, 2011 at 12:00:55PM -0600, Prigge Scott wrote:
>
> > Hi. Is there any way (on Windows) to configure the coloring rules or 
> > configuration so that the Colorize Conversation -> TCP option will 
> > exclude the three-way handshake, the teardown, and RST packets? I'd 
> > still like to see those colors display based on the coloring rules.
>
> First disable the TCP SYN/FIN coloring rule, then modify the TCP 
> coloring rule to say something like "tcp && !(tcp.flags.syn == 1)" to 
> keep it from applying to packets with the SYN bit set.  That takes 
> care of the first two parts of the three way handshake and can be 
> expanded upon.  Do not to use rules like "tcp.flags.syn != 1" due to 
> unintended consequences.

I probably misunderstood you.  You want those packets to follow the 
usual coloring rules and not be changed when colorizing a single 
conversation, right?  I don't think that's possible; someone would need 
to change the code that colorize by conversation.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe