Wireshark-users: Re: [Wireshark-users] color rule for pppoe packet

From: Sake Blok <sake@xxxxxxxxxx>
Date: Sun, 15 Oct 2006 19:28:27 +0200
On Sun, Oct 15, 2006 at 03:42:21PM +0200, Toralf Förster wrote:

> I defined the rule "pppoe.code == 0xa7" (PPPoED Active Discovery Initiation) to color all packets like that packet
> which I have attached onto this mail, but Wireshark doesn't color the appropriate packets :-(

The packet in the tracefile that you attached has pppoe.code == 0x09. Are
you sure you used the right filter for the coloring rule? Did you also check
whether there might have been another rule that might be hit first?

You can check whether your rule is hit by examining the Frame details
in the packet-details pane of Wireshark. If you expand the frame
details, it will show you which coloring rule is active:

Frame 1 (32 bytes on wire, 32 bytes captured)
    Arrival Time: Oct 15, 2006 15:31:34.086582000
    [Time delta from previous packet: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Packet Length: 32 bytes
    Capture Length: 32 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:pppoed]
    [Coloring Rule Name: bailout]
    [Coloring Rule String: eth || sll]
Ethernet II, Src: Ibm_7b:2d:9b (00:0d:60:7b:2d:9b), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
PPP-over-Ethernet Discovery
PPPoE Tags

Here you can see that my rule 'bailout' was hit, even though I made
a coloring rule for pppoe.code == 0x09. You can move up your rule so
that it will be hit first.

Cheers,


Sake
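The first-match behaviour described above, as an added illustration that is not part of the original mail: a constructed 32-byte PADI frame (modelled on the frame summary, with an assumed Host-Uniq tag value) is dissected into Wireshark-style field names and run through an ordered rule list, once with 'bailout' first and once with the pppoe rule moved up. The predicates stand in for display filters and are an assumption, not Wireshark's filter engine.

```python
import struct
from typing import Callable, List, Optional, Tuple

# Constructed PADI frame (32 bytes): Ethernet II broadcast from 00:0d:60:7b:2d:9b,
# ethertype 0x8863 (PPPoE Discovery), PPPoE ver/type 0x11, code 0x09 (PADI),
# session 0, payload length 12, then tags Service-Name (empty) and Host-Uniq
# (4 assumed bytes). The tag contents are made up for the example.
PADI_FRAME = bytes.fromhex(
    "ffffffffffff" "000d607b2d9b" "8863"
    "11" "09" "0000" "000c"
    "0101" "0000"
    "0103" "0004" "deadbeef"
)

def dissect(frame: bytes) -> dict:
    """Decode Ethernet + PPPoE Discovery header into Wireshark-style field names."""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    fields = {"eth": True, "eth.type": ethertype}
    if ethertype == 0x8863 and len(frame) >= 20:  # PPPoE Discovery stage
        _ver_type, code, session, _length = struct.unpack("!BBHH", frame[14:20])
        fields.update({"pppoed": True, "pppoe.code": code, "pppoe.session_id": session})
    return fields

Rule = Tuple[str, str, Callable[[dict], bool]]

# Ordered coloring rules: (name, filter string, predicate). Like Wireshark, the
# FIRST rule whose filter matches wins, so 'bailout' shadows everything below it.
RULES: List[Rule] = [
    ("bailout", "eth || sll", lambda f: bool(f.get("eth") or f.get("sll"))),
    ("padi", "pppoe.code == 0x09", lambda f: f.get("pppoe.code") == 0x09),
    ("padt", "pppoe.code == 0xa7", lambda f: f.get("pppoe.code") == 0xa7),
]

def coloring_rule(frame: bytes, rules: List[Rule]) -> Optional[str]:
    """Return the name of the first rule that matches, as the Frame details would show."""
    fields = dissect(frame)
    for name, _filter, match in rules:
        if match(fields):
            return name
    return None

def move_rule_up(rules: List[Rule], name: str) -> List[Rule]:
    """Return a copy of the rule list with the named rule moved to the top."""
    picked = [r for r in rules if r[0] == name]
    return picked + [r for r in rules if r[0] != name]

if __name__ == "__main__":
    print(coloring_rule(PADI_FRAME, RULES))                         # bailout
    print(coloring_rule(PADI_FRAME, move_rule_up(RULES, "padi")))   # padi
```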