Wireshark-users: Re: [Wireshark-users] Launching a new window from Display filters
From: FS <bastiji@xxxxxxxxx>
Date: Wed, 10 Oct 2012 00:28:08 -0400


On Wed, Oct 3, 2012 at 6:42 PM, Abhik Sarkar <sarkar.abhik@xxxxxxxxx> wrote:
If you already have a display filter applied and want to add more filters on to the results to narrow down the results, you could use one of the latter options from the "Apply as Filter" sub-menu from the Packet Details context menu.

For example, in the attached screenshots, the display filter "tcp.stream eq 0" was already applied. I then chose to apply another filter onto that to narrow down the results further.

HTH
Abhik.

On Tue, Oct 2, 2012 at 6:24 PM, FS <bastiji@xxxxxxxxx> wrote:
Folks - My sincere thanks for a wonderful product which has saved the day for me many times. There's one thing I haven't been able to do so far and I thought asking the knowledgeable folks here might be a good idea. I did try googling without any luck.

The workflow of using Wireshark, for me at least, is to open a capture, focus in on a conversation and then try and use further filters to get the information I'm looking for. Is there a way to launch a separate Wireshark window instance with the results of the display filter, so within the new window I can use further display filters to get the data I want? Currently if the display filter doesn't show what I want, then I have to clear the filter completely and re-type (or paste depending on circumstance) the filters again and start afresh.

I know I can save the displayed packets as a separate capture, and then open it up, but hoping there is another better way to do it.

Any help appreciated!

Thanks,
Basti Ji


Thank you for the replies. Both excellent suggestions.

Here's another one for you gurus then. Let's say I start with a 1 Gig capture file. I see a lot of extraneous chit-chat which I want to completely eradicate and then look at the rest of the streams left. I was thinking more of an option to choose a display filter, and then an option to sort of "discard" the results of the filter and focus on the rest of the capture/conversations.

An example could be using a display filter to filter out the broadcast/arp/multicast traffic, and then analyze the leftover data. Again, this can be accomplished by saving the resulting 'noise-free' capture, and then re-opening it to further dissect it, but is there another way to do this?

Many thanks for the responses so far!

Regards,
Basti
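
Added example, not part of the original thread and not Wireshark code: a Python sketch of the "save a noise-free capture" pass described above, dropping ARP and broadcast/multicast frames from a classic little-endian pcap. The function names and the sample capture are constructed for illustration; pcapng files and VLAN-tagged ARP are assumed out of scope.

```python
import struct

PCAP_GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, ver major/minor, zone, sigfigs, snaplen, linktype
PCAP_REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len

def is_noise(frame):
    """True for ARP frames and for frames sent to a group (broadcast/multicast) MAC."""
    if len(frame) < 14:
        return False  # too short to classify; keep it for manual review
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return bool(frame[0] & 0x01) or ethertype == 0x0806  # I/G bit set, or ARP

def strip_noise(pcap):
    """Return (filtered pcap bytes, packets kept, packets dropped)."""
    magic, *_, linktype = PCAP_GLOBAL_HDR.unpack_from(pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expects a little-endian classic pcap with Ethernet link type")
    out = bytearray(pcap[:PCAP_GLOBAL_HDR.size])
    offset, kept, dropped = PCAP_GLOBAL_HDR.size, 0, 0
    while offset + PCAP_REC_HDR.size <= len(pcap):
        incl_len = PCAP_REC_HDR.unpack_from(pcap, offset)[2]
        end = offset + PCAP_REC_HDR.size + incl_len
        if end > len(pcap):
            break  # truncated final record, stop cleanly
        if is_noise(pcap[offset + PCAP_REC_HDR.size:end]):
            dropped += 1
        else:
            out += pcap[offset:end]  # copy record header and frame unchanged
            kept += 1
        offset = end
    return bytes(out), kept, dropped

def build_sample():
    """Constructed five-packet capture: three noise frames, two unicast frames."""
    frames = [
        ("ffffffffffff", 0x0806),  # ARP request to broadcast
        ("020000000002", 0x0800),  # unicast IPv4
        ("01005e0000fb", 0x0800),  # IPv4 multicast group MAC
        ("020000000002", 0x0806),  # unicast ARP reply
        ("020000000002", 0x86DD),  # unicast IPv6
    ]
    pcap = PCAP_GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, (dst, etype) in enumerate(frames):
        frame = bytes.fromhex(dst) + bytes.fromhex("020000000001") + struct.pack("!H", etype) + bytes(46)
        pcap += PCAP_REC_HDR.pack(i, 0, len(frame), len(frame)) + frame
    return pcap

if __name__ == "__main__":
    print(strip_noise(build_sample())[1:])
```
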