Wireshark-users: Re: [Wireshark-users] Colorize Conversation - except for SYN/FIN
From: Stephen Fisher <steve@xxxxxxxxxxxxxxxxxx>
Date: Thu, 15 Dec 2011 11:11:40 -0700
On Thu, Dec 15, 2011 at 12:00:55PM -0600, Prigge Scott wrote:

> Hi. Is there any way (on Windows) to configure the coloring rules or 
> configuration so that the Colorize Conversation -> TCP option will 
> exclude the three-way handshake, the teardown, and RST packets? I'd 
> still like to see those colors display based on the coloring rules.

First disable the TCP SYN/FIN coloring rule, then modify the TCP 
coloring rule to say something like "tcp && !(tcp.flags.syn == 1)" to 
keep it from applying to packets with the SYN bit set.  That takes care 
of the first two parts of the three way handshake and can be expanded 
upon.  Do not to use rules like "tcp.flags.syn != 1" due to unintended 
consequences.