Filter to all sockets/conversations matching at least one packet of the active display filter

edit

Hi,

I activate a display filter and get the matching packets displayed (maybe from hundreds of different tcp/udp sessions).
I can also export/save these packets to a new pcap-file for further analysis.

But I would like a possibility to not only get the packets which are matching my display filter into a new file. I want all tcp/udp-packets which are part of any session which have a least one packet matching the display filter.

Sample:

1. DisplayFilter matches DNS-ReponseTime > 2seconds (dns.time > 2)

2. maybe I get 191 DNS-response packets matching my display filter (having a response time greater than 2 seconds)

3. => now I want to filter to get all packets of these 191 conversations (here I would like to also get the corresponding dns-request packets for each conversation)

4. the "Apply as filter" within the "Conversations" view only allows to select one conversation at a time - so I would need to filter 191 times to get what I want

5. (same need would be also for tcp conversations, etc.)

I my knowledge the only way to do this is with tshark by extracting the sockets (tcp-sourceport,tcp-destport,ip-src/dest-addresses) from the display filtered output. Then I would need to create any program or shell script which converts every socket information into a new filter string (with brackets around each socket and OR-statements). But this is really time-consuming and complex.

Maybe anybody knows another way.

A good implementation could be to allow the Wireshark users to select multiple sockets/conversations within "Statistics-Conversations (Limit to display filter)" window. But I expect that this functionality does not exist at the moment.

Maybe this can be handled as a new feature request for the Wireshark developers. ;-)

Regards, Chris