Recently, Wireshark's function for setting a display filter on a conversation has changed. When I right-click on a packet, select Conversation Filter and select TCP, I now get "tcp.stream eq 12". In previous versions, I would instead get the more complicated filter limiting the IP address and TCP port numbers selected.
While this is not a problem for doing quick trace analysis using a single capture file, this is completely unsuitable when working with multiple simultaneous traces, where one was taken at the workstation side, another was taken at the server side, and a third was taken at the core switch using port mirroring. Using the old format, once you found an "interesting" conversation on the client side, you could easily jump to the server-side trace, paste in the same filter expression, and see the same trace data on the server side, thus seeing the flip side of the conversation (and if any packets were lost or mangled across the wire). With this "new" solution, if you first filter in one trace and get "tcp.stream eq 12", you cannot just paste the filter text into the other two trace files -- you have to actually go and find at least ONE of the packets from the desired trace and then select a new conversation filter there, which will be completely different.
Yes, I know that I can type it all in manually, but I try to use my time efficiently, and typing in numeric address and port data is simply not my idea of using my time effectively, especially with my fat fingers.
I tried delving into the Preferences, but came up empty. I then started digging through Advanced settings, searching on "convers", "filter", "display" and even "TCP", but couldn't find anything there, either. The only thing I DID find was that if I went to the Statistics/Conversations screen and THEN right-clicked on the TCP stream 12, and then selected Prepare as filter/Selected/A<->B, then this DID use the old format, giving me the data I needed of "ip.addr==192.168.11.148 && tcp.port==50130 && ip.addr==192.168.10.33 && tcp.port==3351". However, that's an awful lot of steps when it was working so easily before.
Any idea how to change the operation back to the old/useful way?