This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is there a way to quickly get back to the previous filter after viewing TCP stream?

0

I analyze pcaps and their TCP streams, almost daily.

I apply my specific HTTP filter, sort the packets according to DNS names and then follow the TCP stream for a specific packet. But when I follow the TCP stream of a packet, Wireshark applies another filter for this. When I close the TCP stream window I get that TCP stream applied as my filter, and not my original filter.

To go back to my main filter, I have to scroll down or re-type (because the list only saves a few recent filters, which get occupied by my followed TCP streams) the filter after each TCP stream. I have to repeat it again and again, which is very inconvenient and time consuming.

In the toolbar there is no back button that will take me to the filter I was viewing before the TCP stream. Ideally there should be something like that, but I could not find any method.

So, is there a way to achieve it? If not, can I suggest that Wireshark add such a feature, because it'll be really helpful for those who are facing a similar issue.

Wireshark version: 1.6.7
OS: Ubuntu 12.04 LTS

asked 04 Mar '15, 03:11

muntaha

edited 04 Mar '15, 03:16


3 Answers:

1

I don't think there is a faster way of doing this with the Wireshark GUI. You could increase the recent filters in the drop down menu in the Preferences (in the "User Interface" section, there is a field for "Maximum recent filters"). Or you could go to the bug tracker and add a feature request for a "back button" like you described.

But maybe you should also look at non-GUI tools, e.g. scripting your tasks with tshark to extract certain things in a batch, and/or tcpflow to display content similar to the "Follow TCP Stream" feature.

answered 04 Mar '15, 03:23

Jasper ♦♦

1

Also note that if such a change was made, it's likely to only be in the next version (1.99.x or 2.0.x), as we only back-port bug fixes to the current (1.12.x) and previous (1.10.x) versions. So folks using a distro package such as that in Ubuntu 12.04 won't see these changes at all unless they install an up-to-date package from elsewhere, which will probably have all sorts of other dependencies that 12.04 doesn't support.

(04 Mar '15, 03:32) grahamb ♦
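The tshark scripting Jasper suggests above, as an added example that is not code from the thread or from the Wireshark project: it assumes tshark 1.10 or later on PATH (the `-Y` display-filter option; 1.6.x used `-R` instead), and the `follow_all` function and its output file naming are my own.

```shell
#!/bin/sh
# Added example, not from the thread: script the "HTTP filter -> follow TCP
# stream" loop with tshark so no GUI display filter has to be re-typed.
# Assumes tshark 1.10+ (uses -Y for display filters) on PATH.

# Accept only a plain non-negative integer, so nothing but a stream index
# can ever be spliced into the -z argument.
is_stream_index() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# The -z argument that reproduces "Follow TCP Stream" (ASCII view) for one
# stream index, e.g. follow,tcp,ascii,3; fails on a malformed index.
follow_stream_arg() {
    is_stream_index "$1" || return 1
    printf 'follow,tcp,ascii,%s\n' "$1"
}

# List the distinct tcp.stream indexes (and their http.host) of the packets
# matching a display filter; this is the "apply my HTTP filter" step.
# $1 = capture file, $2 = display filter
list_streams() {
    tshark -r "$1" -Y "$2" -T fields -e tcp.stream -e http.host \
        | sort -u -k1,1n
}

# Dump every stream selected by the filter into its own text file next to
# the capture (-q prints only the followed stream, not per-packet lines).
# Usage: follow_all capture.pcap 'http.host contains "example.com"'
follow_all() {
    list_streams "$1" "$2" | while read -r idx host; do
        out="$1.stream-$idx.txt"
        tshark -q -r "$1" -z "$(follow_stream_arg "$idx")" > "$out" || return 1
        printf '%s\t%s\t%s\n' "$idx" "$host" "$out"
    done
}
```

Each line printed by `follow_all` gives the stream index, the host it belonged to, and the file holding that stream's conversation, so the original filter never needs to be re-entered.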

0

Following is a workaround to get back to my main sorted HTTP filter. It'll only work in the simple filter case and not in complex cases:
When you are in the TCP stream filter, click on the 'Clear' button. Its function is 'clear this filter string and update the display'. You'll find this button in the row of the filter field. It'll clear the TCP stream filter and take you back to the sorted HTTP stream.

Wireshark version: 1.6.7
OS: Ubuntu 12.04 LTS

answered 05 Mar '15, 06:01

muntaha

edited 05 Mar '15, 06:41

1

Not here; for me it just clears the filter completely. It does not go back to any previous filter automatically, on Wireshark 1.12.4.

(05 Mar '15, 06:15) Jasper ♦♦

@Jasper, thanks for observing it. I just rechecked the process, and your observation is correct. It's the same scenario on Wireshark 1.6.7 too. The result of 'Clear' seemed to be my old filter because the packets were in sorted order, and the filter was simply 'http'. After removing the TCP stream filter, I went back to the same packet and the same sorted list. So, I have not found a solution, but a workaround for at least my requirements.

(05 Mar '15, 06:35) muntaha

Going to update this Q/A thread accordingly. Changed this answer from "solution" to "workaround".

(05 Mar '15, 06:37) muntaha

0

One other workaround is to use the "Save" button to save the current filter; it will create a new button on the display filter bar. This new button will apply the display filter that was in use when the button was created. So after each "Follow TCP Stream" action, you can then press the new button.

To remove the button, you need to go to "Edit -> Preferences -> Filter Expressions".

(not sure though if the "Save" option was already available in 1.6.x)

answered 08 Mar '15, 05:00

SYN-bit ♦♦