Wireshark-users: Re: [Wireshark-users] Filter change

From: Rodrigo Guti <rgutierrez9@xxxxxxxxx>
Date: Fri, 16 Apr 2010 19:21:00 -0600
Thanks for the explanation. Maybe I did not explain myself correctly. I just do not want to see:

i.e.

Filter: tcp.stream eq 2

I would like to see:

Filter: (ip.addr eq 97.65.22.235 and ip.addr eq 10.198.16.99) and (tcp.port eq 80 and tcp.port eq 2922)

I understand what a TCP connection looks like. I am just saying that tcp.stream eq 2 is equal to doing (ip.addr eq 97.65.22.235 and ip.addr eq 10.198.16.99) and (tcp.port eq 80 and tcp.port eq 2922)

I just prefer to see (ip.addr eq 97.65.22.235 and ip.addr eq 10.198.16.99) and (tcp.port eq 80 and tcp.port eq 2922) instead of tcp.stream eq 2.

In my previous Wireshark version, I got the extended (ip.addr eq 97.65.22.235 and ip.addr eq 10.198.16.99) and (tcp.port eq 80 and tcp.port eq 2922). Now I just get tcp.stream eq 2.

It is just the view, I know that it is just the single connection. I just do not know how I can change or roll back to see (ip.addr eq 97.65.22.235 and ip.addr eq 10.198.16.99) and (tcp.port eq 80 and tcp.port eq 2922) (this is a filter example), instead of just tcp.stream eq X.

Hope this makes sense.

Thanks!

2010/4/16 Guy Harris <guy@xxxxxxxxxxxx>

On Apr 16, 2010, at 5:54 PM, Rodrigo Guti wrote:

> Thanks for the reply, I am using Version 1.2.6, that bug is fixed in my version. This is what I would like to see in my filter box: on my previous version, after I did Follow TCP Stream, in the filter box I got this:
>
> Filter: (ip.addr eq 97.65.22.235 and ip.addr eq 10.198.16.99) and (tcp.port eq 80 and tcp.port eq 2922)
>
> But now, on my new code, after I do follow TCP stream, I got this:
>
> Filter: tcp.stream eq 2
>
> I am wondering if there is a way to get my old filter information displayed, like the one in my previous version.
>
> I am not having any problem with my filters, it is just how the filter is displayed in the Filter box.

The filter is displayed as what it *is*.  It really, truly, honestly is *NOT* checking for packets with particular IP source and destination addresses, and particular TCP source and destination ports, any more; it's checking for packets that the TCP dissector has marked as being part of a particular conversation.

The IP addresses and TCP ports are used to mark the packet as being part of a particular conversation, but there can be *more than one* conversation corresponding to the *same* endpoints, as a given traffic capture might have host A, port AA, connecting to host B, port BB, exchanging some packets, and closing the connection, and then, after that, have A:AA connecting to B:BB, establishing a different TCP connection, and exchanging packets on *that* connection.

"Follow TCP Stream" is supposed to deal with a *single* TCP connection, so it *cannot* be based purely on host and port numbers.

> Please let me know if there is a way to modify that.

No, and there never will be a way to change the filter that is used for "Follow TCP Stream" to be based on host and port numbers rather than conversation indices, as doing so would introduce a bug ("Follow TCP Stream" would no longer follow a single TCP connection).

Why do you *want* the displayed filter to give host addresses and port numbers?  Is it because you want to know the host addresses and port numbers that particular TCP stream is using?  If so, we may be able to provide that information in another form.
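To illustrate Guy Harris's point about endpoint reuse, here is an added toy model (not code from the Wireshark project or from either poster) that uses the addresses and ports from the thread as constructed sample packets. It assumes, as a simplification, that a bare SYN on an already-seen endpoint pair starts a new conversation; the real TCP dissector's conversation tracking is more elaborate.

```python
from collections import namedtuple

# Constructed packet record; flags is a TCP flag string such as "S", "SA", "PA", "FA".
Packet = namedtuple("Packet", "src sport dst dport flags")

def endpoints(p):
    """Direction-independent endpoint pair: exactly what the ip.addr/tcp.port filter tests."""
    return frozenset([(p.src, p.sport), (p.dst, p.dport)])

def assign_streams(packets):
    """Give each packet a conversation index, a simplified stand-in for tcp.stream."""
    current = {}   # endpoint pair -> index of the conversation currently open on it
    next_idx = 0
    out = []
    for p in packets:
        key = endpoints(p)
        # First sighting of the pair, or a fresh handshake reusing it: new conversation.
        if key not in current or p.flags == "S":
            current[key] = next_idx
            next_idx += 1
        out.append(current[key])
    return out

def match_endpoint_filter(packets, addr_a, port_a, addr_b, port_b):
    """Indices matching (ip.addr eq A and ip.addr eq B) and (tcp.port eq PA and tcp.port eq PB)."""
    wanted = frozenset([(addr_a, port_a), (addr_b, port_b)])
    return [i for i, p in enumerate(packets) if endpoints(p) == wanted]

def match_stream_filter(streams, n):
    """Indices matching tcp.stream eq n."""
    return [i for i, s in enumerate(streams) if s == n]

def stream_endpoints(packets, streams, n):
    """The address/port pair stream n runs between: the same information, in another form."""
    for p, s in zip(packets, streams):
        if s == n:
            return endpoints(p)
    return None

# Constructed capture: 97.65.22.235:2922 <-> 10.198.16.99:80 carries two separate
# connections (packets 0-3, then 5-6), with an unrelated connection in between.
A, B = "97.65.22.235", "10.198.16.99"
PACKETS = [
    Packet(A, 2922, B, 80, "S"), Packet(B, 80, A, 2922, "SA"),
    Packet(A, 2922, B, 80, "PA"), Packet(A, 2922, B, 80, "FA"),
    Packet(A, 3000, B, 80, "S"),
    Packet(A, 2922, B, 80, "S"), Packet(B, 80, A, 2922, "PA"),
]
STREAMS = assign_streams(PACKETS)  # [0, 0, 0, 0, 1, 2, 2]
```

The endpoint filter matches packets from both connections on the reused pair (indices 0-3 and 5-6), while tcp.stream eq 2 matches only the second one, which is what Follow TCP Stream needs.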