Wireshark-users: Re: [Wireshark-users] Launching a new window from Display filters

From: FS <bastiji@xxxxxxxxx>
Date: Sun, 21 Oct 2012 00:35:39 -0400
Sorry, sent by mistake before completing email. Rest of email below!

Thanks

On Sun, Oct 21, 2012 at 12:34 AM, FS <bastiji@xxxxxxxxx> wrote:


On Wed, Oct 10, 2012 at 1:17 PM, Christopher Maynard <Christopher.Maynard@xxxxxxxxx> wrote:
FS <bastiji@...> writes:

> Thank you for the replies. Both excellent suggestions. Here's another one for
you gurus then. Lets say I start with a 1 Gig capture file. I see a lot of
extraneous chit-chat which I want to completely eradicate and then look at the
rest of the streams left. I was thinking more of an option of choose a display
filter, and then an option to sort of "discard" the results of the filter and
focus on the rest of the capture/conversations.An example could be using a
display filter to filter out the broadcast/arp/multicast traffic, and then
analyze the leftover data. Again, this can be accomplished by saving the
resulting 'noise-free' capture, and then re-opening it to further dissect it,
but is there another way to do this?Many thanks for the responses so
far!Regards,Basti

You can apply a display filter, for example, "arp", then choose, "Edit -> Ignore
All Displayed Packets (toggle)".  This doesn't discard them, per se, but those
packets will no longer match any future display filters you might apply, as
Wireshark will now ignore them as if they were no longer present.

Ref: http://www.wireshark.org/docs/wsug_html_chunked/ChWorkIgnorePacketSection.html

Thank you. I got the opportunity to look at another packet capture utility a couple of days ago. The gentleman showed me some tricks around that (Omni-peek to be precise) and this is the feature that caught my eye instantly. When choosing x number of packets, and selecting "Select related to" or some such option, it presented with these four options:

- Hide selected packets
- Hide unselected packets
- Copy selected packets to another window
- Close

What can we do to get the third option in wireshark?

Thanks,
Basti Ji