Coloring Rules

asked 2022-07-09 21:27:01 +0000

Hi, im im new to Wireshark and want to ask a Question about Coloring rules.

First: I filtered the PCAP Trace to see a specific Conversation between two IP adresses. For that i filtered the frame for a specific hex Code in the Payload: frame[430] ==80 && frame[431] == 01

This works fine. I dont want to filter for specific IP adresses because they can change. The Payload Message not.

So i have filtered all specific Frames. From (Source)A->(Dest)B From (Source)B->(Dest)A

My Issue:

I want a Coloring Rule that colorizes (Source)A->(Dest)B different to (Source)B->(Dest)A without selecting a specific IP. Is this possible?

Best regards, Bluescreen

Sorry for my bad English, i´m German ;D

answered 2022-07-10 12:02:44 +0000

SYN-bit

18344 ●9 ●301 ●255 https://SYN-b.it

If there is anything in the payload that indicates the direction of the traffic, than you could use that as you would have the same colors for client/server traffic regardless of the IP addresses.

If not, you could add ip.src<ip.dst to one coloring rule and ip.src>ip.dst to the second coloring rule, but than each IP pair will select the color for client traffic and server traffic individually. But within the session, you at least have a distinction between client and server traffic.

edit flag offensive delete link

Comments

If your protocol has port numbers and the server process is running on a low port, use something like tcp && tcp.srcport>tcp.dstport for the client and tcp && tcp.srcport<tcp.dstport for the server.

Why are some TCP conversations shown backwards/reversed?

Chuckc ( 2022-07-11 00:19:48 +0000 )edit

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Coloring Rules

1 Answer

Comments

Your Answer

Question Tools

Stats

Coloring Rules edit

1 Answer

Comments

Your Answer

Question Tools

Stats

Coloring Rules