
Wireshark-bugs: [Wireshark-bugs] [Bug 5844] Kerberos decoding of AS-REP doesn't happen automatic

Date: Wed, 27 Apr 2011 10:37:50 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5844

--- Comment #13 from Sake <sake@xxxxxxxxxx> 2011-04-27 10:37:49 PDT ---
(In reply to comment #7)
> As for the second part of the issue, I have attempted to use the filter
> proposed in the "Filter:" field on the user interface and pressed "Apply" it
> had no effect on decoding. If there is some other location that I am supposed
> to use for setting up the filtering, please provide instructions or point me to
> the location in the documentation. 
> 
> I have attached a copy of the file that I am using to test your proposed work
> around. You can also generate one of your own using the original attachment.

No, indeed it will have no effect on the *decoding* problem (first half of your
bug-report), it only has effect on which packets get saved.

If you apply the filter "kerberos" you will see a few packets. Packet 43 is one
of them. If you do a "Save As..." with the filter "kerberos" active and select
"Displayed" only those few packets are saved. But if you look closely at packet
43, you will see that it is a reassembled PDU from packets 41, 42 and 43:

    [3 IP Fragments (3267 bytes): #41(1464), #42(1464), #43(339)]
        [Frame: 41, payload: 0-1463 (1464 bytes)]
        [Frame: 42, payload: 1464-2927 (1464 bytes)]
        [Frame: 43, payload: 2928-3266 (339 bytes)]

So two packets that are needed for dissecting this PDU will not be in the
tracefile when using the filter "kerberos" before doing a "Save as...". If you
use the filter "ip.addr eq 10.32.161.25 and ip.addr eq 10.32.0.13" *before*
doing the "Save as...", frame 41 and 42 will be saved in the new file and
Wireshark will be able to dissect the packets as Kerberos also in the new file.

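The selection problem described in this comment, as an added example that is not part of the original message or of Wireshark's code: given per-frame IP header fields, it expands a set of displayed frames to include every fragment their reassembly depends on. The `Frame` record, the traffic direction, the protocol number, the IP IDs and frames 40 and 44 are assumptions; only the sizes of frames 41 to 43 and the two addresses come from the comment.

```python
from collections import namedtuple

# One row per captured IPv4 frame. frag_offset and payload_len are in bytes.
Frame = namedtuple("Frame", "number src dst proto ip_id frag_offset more_frags payload_len")

# Constructed sample. Frames 41-43 use the sizes quoted in the comment; the
# direction, protocol (17 = UDP), IP IDs and frames 40 and 44 are assumptions.
CAPTURE = [
    Frame(40, "10.32.161.25", "10.32.0.13", 17, 0x1A2A, 0, False, 300),
    Frame(41, "10.32.0.13", "10.32.161.25", 17, 0x1A2B, 0, True, 1464),
    Frame(42, "10.32.0.13", "10.32.161.25", 17, 0x1A2B, 1464, True, 1464),
    Frame(43, "10.32.0.13", "10.32.161.25", 17, 0x1A2B, 2928, False, 339),
    Frame(44, "10.32.161.25", "10.32.0.13", 6, 0x1A2C, 0, False, 52),
]

def datagram_key(f):
    # RFC 791: fragments of one datagram share source, destination, protocol
    # and identification. IDs wrap, so a long capture would also need a time window.
    return (f.src, f.dst, f.proto, f.ip_id)

def is_fragment(f):
    return f.more_frags or f.frag_offset > 0

def frames_to_save(frames, displayed):
    """Displayed frame numbers plus every fragment needed to reassemble them."""
    groups = {}
    for f in frames:
        if is_fragment(f):
            groups.setdefault(datagram_key(f), set()).add(f.number)
    keep = set(displayed)
    for f in frames:
        if f.number in displayed and is_fragment(f):
            keep |= groups[datagram_key(f)]
    return sorted(keep)

def reassembled_length(frames, number):
    """Payload bytes of the whole datagram that frame `number` belongs to."""
    target = next(f for f in frames if f.number == number)
    if not is_fragment(target):
        return target.payload_len
    return sum(f.payload_len for f in frames
               if is_fragment(f) and datagram_key(f) == datagram_key(target))

if __name__ == "__main__":
    print(frames_to_save(CAPTURE, {40, 43}))  # displayed set matched by a protocol filter
    print(reassembled_length(CAPTURE, 43))
```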