I'm trying to capture SOAP messages from tcp port. If I enter "tcp port 4040" as capture filter, the capture filter bar always stays red and I'm not able to start capturing messages. What am I doing wrong, any help? asked 12 May '16, 07:57 Sivapriya |
One Answer:
The capture filter will turn green when the syntax is valid AND an interface has been selected. If you have not set a default interface, then when you first start Wireshark, no interface is selected, so the capture filter will display in red. Simply click first on the interface(s) you want to capture on, and then enter your capture filter. answered 12 May '16, 19:37 Jim Aragon @Jim Aragon, I've withdrawn my answer that the behaviour you describe is a bug, but I still find it counter-intuitive. Showing a valid syntax in red is really confusing and doesn't give the user a clue what is actually wrong. Especially as there is just a single capture filter field whose contents changes depending on which interface is chosen, and if you choose several interfaces and each of them has a different capture filter setting, an explanatory text occurs in the capture filter field. This behaviour is a proof that doing it in a user-friendly way is possible. So instead of the red background appearing as late as when the user actually types into the field, I'd expect another explanatory text, asking to choose an interface first, to be shown in the capture filter field, locked against editing, until an interface is chosen. I'd not object against the field to be red as well, but it'd have to be red already before the user starts to type in. Want me to file a bug or is it enough like this? (13 May '16, 02:51) sindy @sindy, I agree that the current behavior is neither friendly nor intuitive. I'd go ahead and file an enhancement request. I think that the capture filter field should be red or green based solely on whether the text is valid or invalid capture filter syntax. I agree that a separate message should pop up if the user tries to start capturing with no interface selected. Note that in the current interface, if you enter the capture filter first and then select the interface, the capture filter will be cleared and you will have to enter it again. I think it would be better if you could select the interface either before or after entering the filter, without losing what was already entered. (13 May '16, 09:48) Jim Aragon I'd prefer to file a detailed suggestion as an enhancement request rather than a vague "make it better than it is now". So:
I agree with you that it would be the best option (least work lost at user side if they first fill in the filter and then choose an interface), but in this case, the information that capture is not possible until an interface is chosen would have to be rendered in a different way. By starting the capture by double-clicking an interface, you also select it so there is nothing to indicate; if you want to start the capture by pressing the Λ button, do you consider a pop-up window "No interface selected" to fit into the overall design concept of the Qt GUI? (13 May '16, 10:29) sindy I think a pop-up with "No interface selected" is exactly what we need. (13 May '16, 12:11) Jim Aragon |
Use tcp.port ==4040 in capture filter and start capture, if you need to capture specific SOAP messages
@Dinesh Babu Sadu, you mix together capture filter and display filter.
The syntax you've given (
tcp.port ==4040
) corresponds to display filter.