Filter to all sockets/conversations matching at least one packet of the active display filter


I activate a display filter and get the matching packets displayed (maybe from hundreds of different tcp/udp sessions).
I can also export/save these packets to a new pcap-file for further analysis.

But I would like a possibility to not only get the packets which are matching my display filter into a new file. I want all tcp/udp-packets which are part of any session which has at least one packet matching the display filter.


  1. DisplayFilter matches DNS-ResponseTime > 2 seconds (dns.time > 2)

  2. maybe I get 191 DNS-response packets matching my display filter (having a response time greater than 2 seconds)

  3. => now I want to filter to get all packets of these 191 conversations (here I would like to also get the corresponding dns-request packets for each conversation)

  4. the "Apply as filter" within the "Conversations" view only allows to select one conversation at a time - so I would need to filter 191 times to get what I want

  5. (same need would be also for tcp conversations, etc.)

To my knowledge the only way to do this is with tshark by extracting the sockets (tcp-sourceport,tcp-destport,ip-src/dest-addresses) from the display filtered output. Then I would need to create a program or shell script which converts every socket information into a new filter string (with brackets around each socket and OR-statements). But this is really time-consuming and complex.

Maybe anybody knows another way.

A good implementation could be to allow the Wireshark users to select multiple sockets/conversations within "Statistics-Conversations (Limit to display filter)" window. But I expect that this functionality does not exist at the moment.

Maybe this can be handled as a new feature request for the Wireshark developers. ;-)

Regards, Chris
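
The tshark approach described in the question above, as an added example that is not part of the original post: it turns the socket fields of the matching packets into one bracketed clause per socket, joined with OR. It assumes IPv4 and a first pass run with `-T fields`; the sample rows and the file names `in.pcap` and `sessions.pcap` are constructed placeholders.

```python
import ipaddress

# Constructed sample of the tab-separated output of a first pass such as:
#   tshark -r in.pcap -Y 'dns.time > 2' -T fields -e ip.src -e ip.dst \
#       -e udp.srcport -e udp.dstport -e tcp.srcport -e tcp.dstport
SAMPLE_ROWS = (
    "192.0.2.53\t198.51.100.10\t53\t40001\t\t\n"
    "198.51.100.10\t192.0.2.53\t40001\t53\t\t\n"   # same socket, other direction
    "192.0.2.53\t198.51.100.11\t\t\t53\t51515\n"   # DNS over TCP
    "\t\t\t\t\t\n"                                  # non-IP packet, skipped
)


def parse_sockets(text):
    """Return the set of unique (proto, ip_a, port_a, ip_b, port_b) tuples."""
    sockets = set()
    for line in text.splitlines():
        cols = (line.split("\t") + [""] * 6)[:6]
        src, dst, usp, udp_, tsp, tdp = cols
        proto, sport, dport = ("udp", usp, udp_) if usp else ("tcp", tsp, tdp)
        try:
            # Validate every value before it is interpolated into a filter string.
            ends = sorted([
                (str(ipaddress.IPv4Address(src)), int(sport)),
                (str(ipaddress.IPv4Address(dst)), int(dport)),
            ])
        except ValueError:
            continue  # empty, multi-valued or malformed row
        if not all(0 <= p <= 65535 for _, p in ends):
            continue
        # Sorted endpoints make both directions collapse into one entry.
        sockets.add((proto, *ends[0], *ends[1]))
    return sockets


def build_filter(sockets):
    """One bracketed clause per socket, joined with OR; matches both directions."""
    clauses = [
        f"(ip.addr=={a} && ip.addr=={b} && {p}.port=={pa} && {p}.port=={pb})"
        for p, a, pa, b, pb in sorted(sockets)
    ]
    return " || ".join(clauses)


if __name__ == "__main__":
    # Second pass: tshark -r in.pcap -Y "<printed filter>" -w sessions.pcap
    print(build_filter(parse_sockets(SAMPLE_ROWS)))
```

A clause built this way selects by address and port pair only, so a later session that reuses the same socket in the capture is included as well.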