Coloring Rules

Hi, im im new to Wireshark and want to ask a Question about Coloring rules.

First: I filtered the PCAP Trace to see a specific Conversation between two IP adresses. For that i filtered the frame for a specific hex Code in the Payload: frame[430] ==80 && frame[431] == 01

This works fine. I dont want to filter for specific IP adresses because they can change. The Payload Message not.

So i have filtered all specific Frames. From (Source)A->(Dest)B From (Source)B->(Dest)A

My Issue:

I want a Coloring Rule that colorizes (Source)A->(Dest)B different to (Source)B->(Dest)A without selecting a specific IP. Is this possible?

Best regards, Bluescreen

Sorry for my bad English, i´m German ;D

If there is anything in the payload that indicates the direction of the traffic, than you could use that as you would have the same colors for client/server traffic regardless of the IP addresses.

If not, you could add ip.src<ip.dst to one coloring rule and ip.src>ip.dst to the second coloring rule, but than each IP pair will select the color for client traffic and server traffic individually. But within the session, you at least have a distinction between client and server traffic.

18.5k

SYN-bit

answered 2022-07-10 12:02:44 +0000

edit flag offensive 0 remove flag delete link

Comments

If your protocol has port numbers and the server process is running on a low port, use something like tcp && tcp.srcport>tcp.dstport for the client and tcp && tcp.srcport<tcp.dstport for the server.

Why are some TCP conversations shown backwards/reversed?

Chuckc (2022-07-11 00:19:48 +0000) edit

add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Coloring Rules edit

Comments

1 Answer

Comments