Wireshark-users: Re: [Wireshark-users] Filter change

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 16 Apr 2010 18:13:25 -0700
On Apr 16, 2010, at 5:54 PM, Rodrigo Guti wrote:

> Thanks for the reply, I am using Version 1.2.6, that bug is fixed in my version. This is what I would like to see in my filter box, on my previous version, after I do follow TCP stream, on the filter box, I got this:
> 
> Filter: (ip.addr eq 97.65.22.235 and ip.addr eq 10.198.16.99) and (tcp.port eq 80 and tcp.port eq 2922)
> 
> But now, on my new code, after I do follow TCP stream, I got this:
> 
> Filter: tcp.stream eq 2
> 
> I am wondering if there is a way to get my old filter information displayed, like the one in my previous version.
> 
> I am not having any problem with my filters, it is just how the filter is displayed in the Filter box.

The filter is displayed as what it *is*.  It really, truly, honestly is *NOT* checking for packets with particular IP source and destination addresses, and particular TCP source and destination ports, any more; it's checking for packets that the TCP dissector has marked as being part of a particular conversation.

The IP addresses and TCP ports are used to mark the packet as being part of a particular conversation, but there can be *more than one* conversation corresponding to the *same* endpoints, as a given traffic capture might have host A, port AA, connecting to host B, port BB, exchanging some packets, and closing the connection, and then, after that, have A:AA connecting to B:BB, establishing a different TCP connection, and exchanging packets on *that* connection.

"Follow TCP Stream" is supposed to deal with a *single* TCP connection, so it *cannot* be based purely on host and port numbers. 

> Please let me know if there is a way to modify that.

No, and there never will be a way to change the filter that is used for "Follow TCP Stream" to be based on host and port numbers rather than conversation indices, as doing so would introduce a bug ("Follow TCP Stream" would no longer follow a single TCP connection).

Why do you *want* the displayed filter to give host addresses and port numbers?  Is it because you want to know the host addresses and port numbers that particular TCP stream is using?  If so, we may be able to provide that information in another form.
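The distinction Guy draws above, shown as an added example that is not Wireshark's own code: a simplified model (an assumption, not the real dissector logic) in which a bare SYN on endpoints whose conversation has already seen FIN or RST starts a new stream index. The capture below is constructed, reusing the addresses and ports from the original filter, and shows why `tcp.stream eq N` and the old host/port filter select different packets.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flag names, e.g. {"SYN", "ACK"}

def endpoints(p):
    """Direction-independent key: A:AA<->B:BB and B:BB<->A:AA compare equal."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

def assign_streams(packets):
    """Simplified model of tcp.stream numbering (assumption, not Wireshark's code):
    a conversation is keyed by its endpoints, but a bare SYN arriving after that
    conversation has seen FIN or RST is a new connection and gets a new index."""
    next_index, active, closed, out = 0, {}, set(), []
    for p in packets:
        key = endpoints(p)
        new_syn = "SYN" in p.flags and "ACK" not in p.flags
        if key not in active or (key in closed and new_syn):
            active[key] = next_index
            next_index += 1
            closed.discard(key)
        out.append(active[key])
        if "FIN" in p.flags or "RST" in p.flags:
            closed.add(key)
    return out

def endpoint_filter(p):
    """The old-style host/port display filter, built from one packet of a stream."""
    return (f"(ip.addr eq {p.src} and ip.addr eq {p.dst}) and "
            f"(tcp.port eq {p.sport} and tcp.port eq {p.dport})")

def select(packets, stream):
    """Packet indices chosen by 'tcp.stream eq N' versus by the host/port filter."""
    streams = assign_streams(packets)
    first = packets[streams.index(stream)]
    by_stream = [i for i, s in enumerate(streams) if s == stream]
    by_endpoints = [i for i, p in enumerate(packets) if endpoints(p) == endpoints(first)]
    return by_stream, by_endpoints

# Constructed capture: A:2922 <-> B:80 connects, closes, then reconnects on the
# same endpoints, with a third host C talking to B in between.
A, B, C = "10.198.16.99", "97.65.22.235", "192.0.2.7"
def pkt(src, sport, dst, dport, *flags):
    return Packet(src, sport, dst, dport, frozenset(flags))
SAMPLE = [
    pkt(A, 2922, B, 80, "SYN"), pkt(B, 80, A, 2922, "SYN", "ACK"), pkt(A, 2922, B, 80, "ACK"),
    pkt(C, 4000, B, 80, "SYN"),
    pkt(A, 2922, B, 80, "FIN", "ACK"), pkt(B, 80, A, 2922, "FIN", "ACK"), pkt(A, 2922, B, 80, "ACK"),
    pkt(A, 2922, B, 80, "SYN"), pkt(B, 80, A, 2922, "SYN", "ACK"),
]
```

`select(SAMPLE, 0)` returns six packets for stream 0 but eight for the host/port filter, because the filter also picks up the second connection (stream 2) on the same endpoints.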