On Thu, Dec 15, 2011 at 11:11:40AM -0700, Stephen Fisher wrote:
> On Thu, Dec 15, 2011 at 12:00:55PM -0600, Prigge Scott wrote:
>
> > Hi. Is there any way (on Windows) to configure the coloring rules or
> > configuration so that the Colorize Conversation -> TCP option will
> > exclude the three-way handshake, the teardown, and RST packets? I'd
> > still like to see those colors display based on the coloring rules.
>
> First disable the TCP SYN/FIN coloring rule, then modify the TCP
> coloring rule to say something like "tcp && !(tcp.flags.syn == 1)" to
> keep it from applying to packets with the SYN bit set. That takes
> care of the first two parts of the three way handshake and can be
> expanded upon. Do not to use rules like "tcp.flags.syn != 1" due to
> unintended consequences.
I probably misunderstood you. You want those packets to follow the
usual coloring rules and not be changed when colorizing a single
conversation, right? I don't think that's possible; someone would need
to change the code that colorize by conversation.