how to customize the filter when following a stream in wireshark?

views:

answers:

how to customize the filter when following a stream in wireshark?

when selecting a packet and choosing to follow the stream, wireshark automatically sets a filter that looks something like this: (ip.addr eq 10.2.3.8 and ip.addr eq 10.2.255.255) and (udp.port eq 999 and udp.port eq 899). i'd like to be able to set that myself when following the stream, but have not been able to identify where to do that. setting the display filter has no effect. in fact, after following the stream, whatever display filter is currently set will be replaced by the follow stream formatted filter.

is customizing the follow stream filter even possible? thanks

Can't you just add whatever you like to the filter AFTER following the stream?

SamB 2010-03-31 21:50:07

i've tried this, but the after filter only gets applied to the actual data that was followed not the data in the packet header. my attempts at running a filter like (frame.time > x) after results in a closing of the followed data window after it finds nothing. i can see it highlighting the followed data as it searches (not the packet headers), so unless told otherwise, i'm presuming this is what's happening and why an after filter doesn't seem to work.

jim 2010-04-01 04:47:49

i should add, i've tried doing the filter before following, but it ignores the filter when following. so, if i run a filter like (frame.time > x) and get my subset of packets, and then follow the stream, it follows everything that came to that port regardless of my time filter.

jim 2010-04-01 04:54:17

ansaurus

tags:

views:

answers:

how to customize the filter when following a stream in wireshark?

related questions