Wireshark-users: Re: [Wireshark-users] Colorize Conversation - except for SYN/FIN
From: Stephen Fisher <steve@xxxxxxxxxxxxxxxxxx>
Date: Thu, 15 Dec 2011 11:15:32 -0700
On Thu, Dec 15, 2011 at 11:11:40AM -0700, Stephen Fisher wrote:
> On Thu, Dec 15, 2011 at 12:00:55PM -0600, Prigge Scott wrote:
> 
> > Hi. Is there any way (on Windows) to configure the coloring rules or 
> > configuration so that the Colorize Conversation -> TCP option will 
> > exclude the three-way handshake, the teardown, and RST packets? I'd 
> > still like to see those colors display based on the coloring rules.
> 
> First disable the TCP SYN/FIN coloring rule, then modify the TCP 
> coloring rule to say something like "tcp && !(tcp.flags.syn == 1)" to 
> keep it from applying to packets with the SYN bit set.  That takes 
> care of the first two parts of the three way handshake and can be 
> expanded upon.  Do not use rules like "tcp.flags.syn != 1" due to 
> unintended consequences.

I probably misunderstood you.  You want those packets to follow the 
usual coloring rules and not be changed when colorizing a single 
conversation, right?  I don't think that's possible; someone would need 
to change the code that colorizes by conversation.