On Thu, Aug 13, 2020 at 11:14 PM Jaap Keuter wrote:
>
> Hi Richard,
>
> The display filter engine has no concept of individual instances of a field,
> either it’s there in a packet or not and its value is used in the expression.
> Where it is in the packet and in what relation to other fields
There’s also a proposal to bring occurrence-matching to filtering in
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3791, but even if this were
to be implemented it would still have its limits since it would only match
packets where the occurrence was the same for all packets, which isn’t
tshark has the "-E occurrence=f|l|a" option to print the *f*irst, *l*ast or
*a*ll occurence of the field in a packet but that is only filtering the
output when using -T fields, not matching packets.
On Fri, 14 Aug 2020 at 07:14, Jaap Keuter wrote:
> Hi Richard,
>
> The display filter engine has
Hi Richard,
The display filter engine has no concept of individual instances of a field,
either it’s there in a packet or not and its value is used in the expression.
Where it is in the packet and in what relation to other fields in a display
filter expression is of no concern of the display
Hi folks,
I faced an interesting problem recently.
I was typing to find a particular tagged item with a tag length
greater than a specific size.
This presented a problem because many Wi-Fi packets have tagged fields
and a search filter like wlan.tag.number == X and wlan.tag.length >=
some-value
