Wireshark-dev: Re: [Wireshark-dev] Conversation filters
From: "Kukosa, Tomas" <[email protected]>
Date: Thu, 22 Nov 2007 16:29:52 +0100
Hi,

 >  Actually, what I suggested will only give one side of the conversation that you're interested in. However,
 >  (ip.addr==ADDR1 and tcp.port==PORT1) and (ip.addr==ADDR2 and tcp.port==PORT2)
 >  should do the trick.

It is the original filter which matches both streams.

I am able to define the filter manually, it is no problem, it has to be:
(ip.src==ADDR1 and tcp.srcport==PORT1 and ip.dst==ADDR2 and tcp.dstport==PORT2) or
(ip.src==ADDR2 and tcp.srcport==PORT2 and ip.dst==ADDR1 and tcp.dstport==PORT1)

But my questions are:
1) is there any shorter filter which could be used
2) should this filter not be created with "conversation tools" (context
menu, conv. dialog) instead of the current one, which can filter two streams?
 
Tomas

From: Andy Lawman <[email protected]>
To: Developer support list for Wireshark <[email protected]>
Subject: Re: [Wireshark-dev] Conversation filters
Date: 21/11/2007 17:44

Try something along the lines of ip.src==ADDR1 and ip.dst==ADDR2 and
tcp.srcport==PORT1 and tcp.dstport==PORT2.

So not a bug. 

Andy.

From: "Kukosa, Tomas" <[email protected]>
To: <[email protected]>
Subject: [Wireshark-dev] Conversation filters
Date: 21/11/2007 17:11

	If I filter a conversation from the context menu or the Conversations dialog it creates the filter in the following way (or similar):
	ip.addr==ADDR1 and ip.addr==ADDR2 and tcp.port==PORT1 and tcp.port==PORT2
	
	Unfortunately it matches two TCP streams, ADDR1:PORT1<->ADDR2:PORT2 and ADDR1:PORT2<->ADDR2:PORT1,
	and if I have both of them in one file it is not easy to filter them from the conversations menu.
	
	Was it an intention or is it a bug?
	
	If it is a bug, what other filter style should we generate?
	
	Regards,
	Tomas
	
	_______________________________________________
	Wireshark-dev mailing list
	[email protected]
	http://www.wireshark.org/mailman/listinfo/wireshark-dev
	
	
	
	
	
	IMPORTANT - CONFIDENTIALITY NOTICE - This e-mail is intended
only for the use of the addressee/s above.  It may contain information
which is privileged, confidential or otherwise protected from disclosure
under applicable laws.  If the reader of this transmission is not the
intended recipient, you are hereby notified that any dissemination,
printing, distribution, copying, disclosure or the taking of any action
in reliance on the contents of this information is strictly prohibited.
If you have received this transmission in error, please immediately
notify us by reply e-mail or using the address below and delete the
message and any attachments from your system. 
	
	Amadeus Services Ltd, World Business Centre 3, 1208 Newall Road,
Hounslow, Middlesex, TW6 2TA, Registered number
4040059
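
The filters discussed in this thread, evaluated over a handful of constructed packets. This is an added example, not code from the thread or from Wireshark; it models only the "either field matches" behaviour of ip.addr and tcp.port, and the addresses, ports and function names are assumptions made for illustration.

```python
from collections import namedtuple

# Constructed sample packets; addresses and ports are placeholders for
# ADDR1/ADDR2/PORT1/PORT2 in the thread.
Pkt = namedtuple("Pkt", "src sport dst dport")
ADDR1, ADDR2, PORT1, PORT2 = "192.0.2.1", "192.0.2.2", 1025, 2049

PACKETS = [
    Pkt(ADDR1, PORT1, ADDR2, PORT2),        # 0: stream 1, ADDR1 -> ADDR2
    Pkt(ADDR2, PORT2, ADDR1, PORT1),        # 1: stream 1, ADDR2 -> ADDR1
    Pkt(ADDR1, PORT2, ADDR2, PORT1),        # 2: stream 2, ADDR1 -> ADDR2
    Pkt(ADDR2, PORT1, ADDR1, PORT2),        # 3: stream 2, ADDR2 -> ADDR1
    Pkt(ADDR1, PORT1, "192.0.2.3", PORT2),  # 4: unrelated peer
]

def ip_addr(p, a):
    """ip.addr==a: true when either the source or destination matches."""
    return a in (p.src, p.dst)

def tcp_port(p, n):
    """tcp.port==n: true when either the source or destination port matches."""
    return n in (p.sport, p.dport)

def menu_filter(p):
    # ip.addr==ADDR1 and ip.addr==ADDR2 and tcp.port==PORT1 and tcp.port==PORT2
    return (ip_addr(p, ADDR1) and ip_addr(p, ADDR2)
            and tcp_port(p, PORT1) and tcp_port(p, PORT2))

def grouped_filter(p):
    # (ip.addr==ADDR1 and tcp.port==PORT1) and (ip.addr==ADDR2 and tcp.port==PORT2)
    return ((ip_addr(p, ADDR1) and tcp_port(p, PORT1))
            and (ip_addr(p, ADDR2) and tcp_port(p, PORT2)))

def one_way_filter(p):
    # ip.src==ADDR1 and ip.dst==ADDR2 and tcp.srcport==PORT1 and tcp.dstport==PORT2
    return (p.src, p.sport, p.dst, p.dport) == (ADDR1, PORT1, ADDR2, PORT2)

def directional_filter(p):
    # The two-clause src/dst filter: one clause per direction of a single stream.
    return (one_way_filter(p)
            or (p.src, p.sport, p.dst, p.dport) == (ADDR2, PORT2, ADDR1, PORT1))

def matches(flt):
    """Indexes of the sample packets that the filter accepts."""
    return [i for i, p in enumerate(PACKETS) if flt(p)]

if __name__ == "__main__":
    for f in (menu_filter, grouped_filter, one_way_filter, directional_filter):
        print(f"{f.__name__:20} {matches(f)}")
```

Regrouping the ip.addr/tcp.port terms with parentheses does not change which packets match, because the address and port tests are still evaluated independently of each other.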