This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark 2.0.1 - I/O Graph not processing filters

I just finished a packet capture. I'm trying to save an I/O Graph with bandwidth usage information.

During the packet capture, I set some filters.

The view filter I set in the packet list view during capture is

ip.addr == 10.149.21.79 and !tcp.port == 22

The capture is taking place from a different host than 10.149.21.79, so there are a lot of other packets captured.

For the I/O Graph I'm trying to create of traffic coming from 10.149.21.79, I want to filter out all other traffic.

I created some filters to use in the I/O Graph tool (the same ones worked in the previous version of Wireshark):

ip.addr == 10.149.21.79 and tcp.port == 5678
ip.addr == 10.149.21.79 and icmp
ip.addr == 10.149.21.79

And so on.

Even though the bandwidth usage is completely different between ICMP traffic and the traffic I'm capturing from port 5678, the graph remains identical.

This issue started after I installed the new version 2.0.1 this morning.

I could try to set capture filters, but that would mean I have to perform three or more captures.

Have there been changes in the filter mechanism, or is this a bug?

asked 04 Jan '16, 00:50

amx

edited 04 Jan '16, 00:52


One Answer:

Seems to work for me. I'm presuming you are using the Qt version, not the legacy GTK version?

Can you provide a capture file in a public share somewhere, e.g. Google Drive, Dropbox etc.?

answered 04 Jan '16, 02:53

grahamb ♦

I'm not 100% sure, but I checked the About section in Wireshark and it says it's compiled with Qt.

https://www.hidrive.strato.com/lnk/34grm4j4

I included a capture with traffic between localhost and 10.149.21.79. There is 21% SSH traffic, but I still cannot exclude that traffic in the I/O Graph.

(04 Jan '16, 03:25) amx

Never mind.

This was a user error.

I did not check the columns correctly, and was filling in the display filter in the Name column.

Obviously it's working now.

(04 Jan '16, 03:42) amx

It was not a Wireshark problem, thanks for helping anyway Graham!

(04 Jan '16, 03:47) amx

I've created the graph showing the total traffic, ICMP, port 5678 and SSH to/from the host. Looks OK to me.

[Image: IO Graph]

(04 Jan '16, 04:04) grahamb ♦