Re: Launching a new window from Display filters

[FS <bastiji () gmail com>]

On Wed, Oct 3, 2012 at 6:42 PM, Abhik Sarkar <sarkar.abhik () gmail com> wrote:

> If you already have a display filter applied and want to add more filters
> on to the results to narrow down the results, you could use one of the
> latter options from the "Apply as Filter" sub-menu from the Packet Details
> context menu.
>
> For example, in the attached screenshots, the display filter "tcp.stream
> eq 0" was already applied. I then chose to apply another filter onto that
> to narrow down the results further.
>
> HTH
> Abhik.
>
> On Tue, Oct 2, 2012 at 6:24 PM, FS <bastiji () gmail com> wrote:
>
> > Folks - My sincere thanks for a wonderful product which has saved the day
> > for me many times. There's one thing I haven't been able to do so far and I
> > thought asking the knowledgeable folks here might be a good idea. I did try
> > googling without any luck.
> >
> > The workflow of using wireshark, for me at least, is to open a capture,
> > focus in on a conversation and then try and use further filters to get the
> > information I'm looking for. Is there a way to launch a separate Wireshark
> > window instance with the results of the display filter, so within the new
> > window I can use further display filters to get the data I want. Currently
> > if the display filter doesn't show what I want, then I have to clear the
> > filter completely and re-type (or paste depending on circumstance) the
> > filters again and start afresh.
> >
> > I know I can save the displayed packets as a separate capture, and then
> > open it up, but hoping there is another better way to do it.
> >
> > Any help appreciated!
> >
> > Thanks,
> > Basti Ji
Thank you for the replies. Both excellent suggestions.

Here's another one for you gurus then. Lets say I start with a 1 Gig
capture file. I see a lot of extraneous chit-chat which I want to
completely eradicate and then look at the rest of the streams left. I was
thinking more of an option of choose a display filter, and then an option
to sort of "discard" the results of the filter and focus on the rest of the
capture/conversations.

An example could be using a display filter to filter out the
broadcast/arp/multicast traffic, and then analyze the leftover data. Again,
this can be accomplished by saving the resulting 'noise-free' capture, and
then re-opening it to further dissect it, but is there another way to do
this?

Many thanks for the responses so far!

Regards,
Basti

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe