Wireshark-users: Re: [Wireshark-users] Colorize Conversation - except for SYN/FIN
From: Sake Blok <sake@xxxxxxxxxx>
Date: Fri, 16 Dec 2011 18:34:17 +0100
On 16 dec 2011, at 17:26, Prigge Scott wrote:

>> Due to certain fields like ip.addr, in general it is not advisable to use
>> expressions of the form, "(field != value)".  Rather, using an expression of
>> the form, "!(field == value)", is preferred to avoid any unintended consequences,
>> and that is the reason the coloring rule is yellow instead of green.
> 
> This is my new filter after having read your feedback - this one is green.
> tcp.stream eq 7 && (!(tcp.flags & 0x02) || (!(tcp.flags.fin == 1)))


That filter will give the same result as "tcp.stream eq 7".

You would want to use any of the following:

tcp.stream eq 7 && !tcp.flags & 0x02 && !tcp.flags.fin == 1
tcp.stream eq 7 && !(tcp.flags.syn==1 || tcp.flags.fin==1)

Cheers,
Sake
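To see why the first filter collapses to "tcp.stream eq 7" while the two suggested replacements exclude the handshake and teardown segments, the following Python script (added here as an illustration; it is not part of the mailing-list thread and does not use Wireshark itself) models the three display filters as predicates over a constructed set of tcp.flags values. The flag bit values (FIN = 0x01, SYN = 0x02, PSH = 0x08, ACK = 0x10) are the standard TCP header bits; the stream numbers and segment list are made up for the example.

```python
# Added example, not from the Wireshark-users thread: model the three display
# filters as Python predicates and apply them to constructed TCP segments.

TCP_FIN = 0x01
TCP_SYN = 0x02
TCP_PSH = 0x08
TCP_ACK = 0x10

# Constructed segments as (tcp.stream, tcp.flags). Stream 7 is the conversation
# being colorized; stream 3 is unrelated and must never match. The SYN|FIN
# segment is deliberately malformed, to show the one case the filters differ on.
SAMPLE_SEGMENTS = [
    (7, TCP_SYN),            # client SYN
    (7, TCP_SYN | TCP_ACK),  # server SYN/ACK
    (7, TCP_ACK),            # handshake ACK
    (7, TCP_PSH | TCP_ACK),  # data segment
    (7, TCP_FIN | TCP_ACK),  # teardown FIN/ACK
    (7, TCP_SYN | TCP_FIN),  # malformed SYN+FIN (constructed edge case)
    (3, TCP_SYN),            # SYN from a different stream
]


def stream_only(stream, flags):
    """tcp.stream eq 7"""
    return stream == 7


def original_filter(stream, flags):
    """tcp.stream eq 7 && (!(tcp.flags & 0x02) || (!(tcp.flags.fin == 1)))

    "not SYN or not FIN" is true for every segment except one that has
    both bits set, so this barely narrows the stream filter at all.
    """
    syn = bool(flags & TCP_SYN)
    fin = bool(flags & TCP_FIN)
    return stream == 7 and ((not syn) or (not fin))


def corrected_and_filter(stream, flags):
    """tcp.stream eq 7 && !tcp.flags & 0x02 && !tcp.flags.fin == 1

    Both exclusions are joined with AND, so any SYN or FIN segment is dropped.
    """
    return stream == 7 and not (flags & TCP_SYN) and not (flags & TCP_FIN)


def corrected_demorgan_filter(stream, flags):
    """tcp.stream eq 7 && !(tcp.flags.syn==1 || tcp.flags.fin==1)

    Same result as the AND form, written as the negation of an OR.
    """
    syn = bool(flags & TCP_SYN)
    fin = bool(flags & TCP_FIN)
    return stream == 7 and not (syn or fin)


def matching_flags(predicate, segments=SAMPLE_SEGMENTS):
    """Return the tcp.flags values of the segments a filter predicate selects."""
    return [flags for stream, flags in segments if predicate(stream, flags)]


if __name__ == "__main__":
    for name, pred in [
        ("tcp.stream eq 7", stream_only),
        ("original (OR form)", original_filter),
        ("corrected (AND form)", corrected_and_filter),
        ("corrected (De Morgan)", corrected_demorgan_filter),
    ]:
        print(f"{name:24s} -> {[hex(f) for f in matching_flags(pred)]}")
```

Running it shows the original filter selecting every legitimate segment of stream 7, including the SYN, SYN/ACK and FIN/ACK; the only segment it drops is the constructed SYN+FIN one, which a real handshake never produces, so on normal traffic it is indistinguishable from "tcp.stream eq 7". Both corrected forms select only the ACK and PSH/ACK segments. The same comparison can be made against a real capture with tshark, e.g. `tshark -r capture.pcap -Y '<filter>'`, counting how many frames each filter returns.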