Wireshark-bugs: [Wireshark-bugs] [Bug 6099] New: Display filter using coloring rule name or stri
Date: Wed, 6 Jul 2011 19:45:36 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6099

Summary: Display filter using coloring rule name or string does not display matching packets
Product: Wireshark
Version: 1.7.x (Experimental)
Platform: x86
OS/Version: Windows Vista
Status: NEW
Severity: Normal
Priority: Medium
Component: Wireshark
AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
ReportedBy: Jim@xxxxxxxxxxxxxxxxx

Build Information:
Version 1.7.0-SVN-37925 (SVN Rev 37925 from /trunk)

Copyright 1998-2011 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (32-bit) with GTK+ 2.22.1, with GLib 2.26.1, with WinPcap (version
unknown), with libz 1.2.5, without POSIX capabilities, without libpcre, with
SMI 0.4.8, with c-ares 1.7.1, with Lua 5.1, without Python, with GnuTLS 2.10.3,
with Gcrypt 1.4.6, with MIT Kerberos, with GeoIP, with PortAudio V19-devel
(built Jul 6 2011), with AirPcap.

Running on 32-bit Windows Vista Service Pack 2, build 6002, with WinPcap
version 4.1.2 (packet.dll version 4.1.0.2001), based on libpcap version 1.0
branch 1_0_rel0b (20091008), GnuTLS 2.10.3, Gcrypt 1.4.6, with AirPcap 4.1.1
build 1838.

Built using Microsoft Visual C++ 9.0 build 21022
--
A display filter that filters on coloring rule names or strings will not display packets that match the filter unless the matching packets are currently visible in the packet list, or the display has been scrolled so that the packets have been visible in the packet list at some point. It will not match packets that are out of view and have never been scrolled into view.

This behavior is also seen in stable version 1.6.0.

TO RE-CREATE:

Create the following two coloring rules:

    Rule Name: "S-Default IRC Ports"
    String: "tcp.port == 6666 || tcp.port == 6667 || tcp.port == 6668 || tcp.port == 6669"

    Rule Name: "S-Christmas Tree Scan (FIN, PSH, URG)"
    String: "tcp.flags==0x029"

Put these two coloring rules at the top of the list and give them a distinctive color.

Download the trace file tcp-ack-scan.pcap from www.wiresharkbook.com. There are 9 packets in this trace file that match these two new coloring rules: 434, 851, 890, 1896, 1942, 1985, 3675, 3683, and 3691.

Load the trace file. Without scrolling the display, apply the following display filter:

    frame.coloring_rule.name contains "S-"

No packets will be displayed.

Clear the display filter, and scroll down to or past the point where packet 434 is visible in the packet list. Re-apply the display filter. Packet 434 will now be displayed.

Clear the display filter, and scroll down to or past the point where packet 851 is visible in the packet list. Re-apply the filter. Packets 434 and 851 will be displayed.

Click the "Reload this capture file" button, then re-apply the display filter. No packets will be displayed.

Clear the filter, click the "Go to the last packet" button. You will see three packets that match the "Christmas Tree Scan" coloring rule--packets 3675, 3683, and 3691. Now click the "Go to the first packet" button so that those three packets are no longer visible. Re-apply the display filter. You will see those same three packets: 3675, 3683, and 3691.

Finally, clear the display filter and click "Reload" again. Apply the display filter. No packets will be visible. Clear the display filter. Position your mouse near the bottom of the vertical scroll bar and hold down the mouse button until you've scrolled all the way from the first packet in the trace file to the last packet. Re-apply the display filter. All 9 packets will be displayed.

Note: Don't just grab the slider and pull it down, otherwise some packets will be missed.

This same behavior is seen when filtering on either the coloring rule name or the coloring rule string, and when filtering using either the "contains" operator or the "==" operator.