> Am 04.08.2014 um 23:16 schrieb Evan Huus <eapa...@gmail.com>:
>
>
>
>> On Aug 4, 2014, at 17:11, Roland Knall <rkn...@gmail.com> wrote:
>>
>>
>>
>>
>>> On Mon, Aug 4, 2014 at 10:40 PM, Evan Huus <eapa...@gmail.com> wrote:
>>> Right now you can't filter on field combinations that must appear
>>> "together" in one of those application frames: if fieldA appears in frame
>>> 1, and fieldB appears in frame 2, then that packet will match "fieldA &&
>>> fieldB" even if they never appear "together" in the way a normal human
>>> would intend. Being able to label each of those frames as a separate
>>> "record" would solve this problem.
>>
>> One thing to look out for here is the fact, that this may change behavior of
>> the display filters in a way, the end-user may never see coming. We would
>> have to come up with a syntax in wireshark, where we allow either "(fieldA
>> && fieldB)" meaning, record1.fieldA and record2.fieldB or fieldA and fieldB
>> in the same record. The end-user does not necessarily make that distinction.
>> If he simply selects frame fields, he may end up with display filters which
>> do not filter the intended or any packages, but he has no clue why simply
>> because the display filter interprets the syntax in a way the end-user could
>> not foresee.
>
> Yes, I was thinking some additional syntax like wrapping an expression in {}
> or something to indicate it should only match within a single record.
>
It should be the other way around. The new syntax should emphasize the fact
that it should match in different records, otherwise you are going to break
compatibility with the current usability.
>> On the rest, I see your point.
>>
>> regards,
>> Roland
>>
>> ___________________________________________________________________________
>> Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
>> Archives: http://www.wireshark.org/lists/wireshark-dev
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>> mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
> Archives: http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
