On Thu, Dec 15, 2011 at 12:00:55PM -0600, Prigge Scott wrote:
> Hi. Is there any way (on Windows) to configure the coloring rules or
> configuration so that the Colorize Conversation -> TCP option will
> exclude the three-way handshake, the teardown, and RST packets? I'd
> still like to see those colors display based on the coloring rules.
First disable the TCP SYN/FIN coloring rule, then modify the TCP
coloring rule to say something like "tcp && !(tcp.flags.syn == 1)" to
keep it from applying to packets with the SYN bit set. That takes care
of the first two parts of the three-way handshake and can be expanded
upon. Do not use rules like "tcp.flags.syn != 1" due to unintended
consequences.
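
The difference between the two filter forms in the reply above, as an added example that is not part of the original message: a toy Python model (not Wireshark code) that assumes the any-occurrence meaning "!=" had in Wireshark releases of that period (changed in 3.6). The packets and function names are constructed for illustration.

```python
# Toy model of display-filter matching on a field that can occur more than
# once in one packet. Assumption: "==" and "!=" are both true if ANY
# occurrence satisfies them (pre-3.6 Wireshark behaviour for "!=").

def eq(values, want):
    """field == want: true if any occurrence equals want."""
    return any(v == want for v in values)

def ne_any(values, want):
    """field != want under any-occurrence semantics."""
    return any(v != want for v in values)

def rule_recommended(pkt):
    """Models: tcp && !(tcp.flags.syn == 1)"""
    syn = pkt.get("tcp.flags.syn", [])
    has_tcp = bool(syn)  # in this model a TCP header always carries the field
    return has_tcp and not eq(syn, 1)

def rule_discouraged(pkt):
    """Models: tcp.flags.syn != 1"""
    return ne_any(pkt.get("tcp.flags.syn", []), 1)

# Constructed packets: field name -> list of occurrences in that packet.
PACKETS = {
    "data segment": {"tcp.flags.syn": [0]},
    "SYN": {"tcp.flags.syn": [1]},
    "two TCP headers (outer data, inner SYN)": {"tcp.flags.syn": [0, 1]},
    "ARP (no TCP)": {},
}

def compare():
    """Return {packet: (recommended_matches, discouraged_matches)}."""
    return {name: (rule_recommended(p), rule_discouraged(p))
            for name, p in PACKETS.items()}

if __name__ == "__main__":
    for name, (rec, dis) in compare().items():
        print(f"{name:42} !(syn == 1): {rec!s:5}  syn != 1: {dis}")
```

The two forms agree on single-header packets and diverge only on the packet with two occurrences of the field, where the "!=" form still colors a packet that contains a SYN.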