Wireshark-users: Re: [Wireshark-users] Filter change

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 16 Apr 2010 18:34:04 -0700
On Apr 16, 2010, at 6:21 PM, Rodrigo Guti wrote:

> Thanks for the explanation, maybe I did not explain myself correctly. I just do not want to see:
> 
> i.e.
> 
>  Filter: tcp.stream eq 2
> 
> I would like to see:
> 
> Filter: (ip.addr eq 97.65.22.235 and ip.addr eq 10.198.16.99) and (tcp.port eq 80 and tcp.port eq 2922)

I.e., you want the Filter: box *NOT* to display the current display filter; you want it to display something else.

> I understand what a TCP connection looks like. I am just saying that tcp.stream eq 2 is equal to doing (ip.addr eq 97.65.22.235 and ip.addr eq 10.198.16.99) and (tcp.port eq 80 and tcp.port eq 2922)

You may be saying that "tcp.stream eq 2" is equal to "(ip.addr eq 97.65.22.235 and ip.addr eq 10.198.16.99) and (tcp.port eq 80 and tcp.port eq 2922)", but they are, in fact, *not* equal.

"tcp.stream eq 2" is a *different* filter from "(ip.addr eq 97.65.22.235 and ip.addr eq 10.198.16.99) and (tcp.port eq 80 and tcp.port eq 2922)", even if the TCP conversation with a conversation index of 2 happens to be between a host with an IP address of 97.65.22.235 and a host with an IP address of 10.198.16.99, with the TCP port on one of those hosts being 80 and the TCP port on another of those hosts being 2922.  For example:

	1) the traffic capture might have a TCP connection between 97.65.22.235:80 and 10.198.16.99:2922 and a TCP connection between 97.65.22.235:2922 and 10.198.16.99:80 - "tcp.stream eq 2" would show only one of those connections (the one that "Follow TCP Stream" followed, whichever one that happened to be), while "(ip.addr eq 97.65.22.235 and ip.addr eq 10.198.16.99) and (tcp.port eq 80 and tcp.port eq 2922)" would show both of them;

	2) the traffic capture might have two separate TCP connections between 97.65.22.235:80 and 10.198.16.99:2922 - "tcp.stream eq 2" would show only one of those connections (the one that "Follow TCP Stream" followed, whichever one that happened to be), while "(ip.addr eq 97.65.22.235 and ip.addr eq 10.198.16.99) and (tcp.port eq 80 and tcp.port eq 2922)" would show both of them.

If you believe the two filters are the same, you don't understand what "tcp.stream eq 2" is doing.

> It is just the view, I know that it is just the single connection. I just do not know how I can change or roll back to see (ip.addr eq 97.65.22.235 and ip.addr eq 10.198.16.99) and (tcp.port eq 80 and tcp.port eq 2922) (this is a filter example), instead of just tcp.stream eq X.

There is no way to do so; the fact that there is no way to do so is the result of a fix to incorrect behavior in the previous Wireshark version that you were using.  The fix changes the filter that "Follow TCP Stream" applies to the packet trace, so that the filter selects only the packets that are part of the TCP stream, without changing the Filter: box to, in that case, display a filter *different* from the one that was actually applied.

You cannot have the behavior you want except by either:

	1) having Wireshark incorrectly filter the packets in a way that could show packets that are *NOT* part of the TCP stream

or

	2) having Wireshark, in some cases, display in the Filter: box a string that is *NOT* the filter that was applied to the display

and *both* of those changes would introduce a bug into Wireshark, so *neither* of those changes will be made to Wireshark.

If you want Wireshark to display, somewhere, the IP address/TCP port number pairs of the stream that you followed, we can do that.  We just cannot do so *in the Filter: box* without introducing a bug into Wireshark.
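As an added illustration (not part of this thread and not Wireshark's own code), the following toy model reproduces the two cases Guy lists: it numbers TCP conversations in capture order, then compares what "tcp.stream eq 2" selects against what the address/port filter selects. The stream-numbering rule (a new stream whenever a bare SYN arrives on an already-known endpoint pair) is a simplification of Wireshark's tcp dissector, the capture is constructed, and 192.0.2.10 is a documentation address used as an unrelated peer.

```python
# Packets are (src_ip, src_port, dst_ip, dst_port, flags); constructed sample data.
A, B = "97.65.22.235", "10.198.16.99"
CAPTURE = [
    (B, 40001, "192.0.2.10", 443, "SYN"),   # stream 0, unrelated
    (B, 40002, "192.0.2.10", 443, "SYN"),   # stream 1, unrelated
    (B, 2922, A, 80, "SYN"),                # stream 2: the one "Follow TCP Stream" picked
    (A, 80, B, 2922, "SYN-ACK"),
    (B, 2922, A, 80, "ACK"),
    (B, 80, A, 2922, "SYN"),                # stream 3: Guy's case 1, ports swapped
    (A, 2922, B, 80, "SYN-ACK"),
    (B, 2922, A, 80, "FIN"),                # still stream 2
    (B, 2922, A, 80, "SYN"),                # stream 4: Guy's case 2, same 4-tuple reused
    (A, 80, B, 2922, "SYN-ACK"),
]


def assign_streams(packets):
    """Return one stream index per packet, in capture order (simplified rule)."""
    current = {}       # unordered endpoint pair -> index of the open conversation
    next_index = 0
    indices = []
    for src_ip, src_port, dst_ip, dst_port, flags in packets:
        key = frozenset({(src_ip, src_port), (dst_ip, dst_port)})
        if key not in current or flags == "SYN":
            # unseen pair, or a fresh SYN on a known pair: a new conversation
            current[key] = next_index
            next_index += 1
        indices.append(current[key])
    return indices


def matches_stream(indices, n):
    """Packet numbers selected by 'tcp.stream eq n'."""
    return [i for i, idx in enumerate(indices) if idx == n]


def matches_endpoints(packets, ip_a, ip_b, port_a, port_b):
    """Packet numbers selected by
    '(ip.addr eq ip_a and ip.addr eq ip_b) and (tcp.port eq port_a and tcp.port eq port_b)'.
    Each ip.addr / tcp.port term is true if either the source or the destination field matches,
    so direction is ignored and both of Guy's extra connections fall inside the filter."""
    hits = []
    for i, (src_ip, src_port, dst_ip, dst_port, _) in enumerate(packets):
        ips, ports = {src_ip, dst_ip}, {src_port, dst_port}
        if {ip_a, ip_b} <= ips and {port_a, port_b} <= ports:
            hits.append(i)
    return hits


if __name__ == "__main__":
    idx = assign_streams(CAPTURE)
    print("tcp.stream eq 2 ->", matches_stream(idx, 2))            # [2, 3, 4, 7]
    print("address/port filter ->", matches_endpoints(CAPTURE, A, B, 80, 2922))  # [2, 3, ..., 9]
```

The address/port filter also picks up packets of streams 3 and 4, which is exactly why displaying it in the Filter: box after "Follow TCP Stream" would misrepresent what was applied.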