
Wireshark-dev: [Wireshark-dev] display filter on a field that appears more than once in a messa

From: Andrew Schweitzer <a.schweitzer.grps@xxxxxxxxx>
Date: Wed, 06 Sep 2006 20:30:15 -0400
I have a field which can appear more than once in a message. When it appears only once I seem to have no trouble filtering on it. When it appears more than once I seem to be getting the wrong results.

Maybe someone can explain what I'm doing wrong?

This is a customer dissector.

I have these fields:
-->header.msg_id: single_packet or multiple_packet
-->payload.packet.a_field

If I search on

protocol.header.msg_id == single_packet and (payload.packet.a_field != 1 and payload.packet.a_field != 2)

everything works fine.

However, if I search on

protocol.header.msg_id == multiple_packet and (payload.packet.a_field != 1 and payload.packet.a_field != 2)

I seem to get any packet that is *either* a_field != 1 *or* a_field != 2

Any suggestions on how to fix? I assume it has to do with how I register these fields with Wireshark in the dissector code.

Thanks

Andy
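
Added example, not part of the original message and not Wireshark code: a small Python model of how a display-filter comparison is evaluated when a field occurs more than once in a packet. It assumes the "true if any occurrence satisfies the comparison" rule that applied to `!=` in Wireshark releases of this period; the function names and sample packets are constructed for illustration.

```python
# Model (assumption): a comparison on a multi-occurrence field is true
# when ANY occurrence of the field satisfies it.

def any_ne(values, k):
    """Models `a_field != k`: some occurrence differs from k."""
    return any(v != k for v in values)

def any_eq(values, k):
    """Models `a_field == k`: some occurrence equals k."""
    return any(v == k for v in values)

def filter_as_posted(values):
    """Models `(a_field != 1 and a_field != 2)` from the message."""
    return any_ne(values, 1) and any_ne(values, 2)

def filter_negated_eq(values):
    """Models `not (a_field == 1 or a_field == 2)`.

    True only when no occurrence is 1 or 2. Note that it is also true
    for a packet that carries no a_field at all.
    """
    return not (any_eq(values, 1) or any_eq(values, 2))

# Constructed sample packets: name -> list of a_field occurrences.
PACKETS = {
    "single   a_field=1":   [1],
    "single   a_field=3":   [3],
    "multiple a_field=1,1": [1, 1],
    "multiple a_field=1,2": [1, 2],
    "multiple a_field=1,3": [1, 3],
    "multiple a_field=3,4": [3, 4],
}

def compare(packets=PACKETS):
    """Return {name: (as_posted, negated_eq)} for each sample packet."""
    return {name: (filter_as_posted(v), filter_negated_eq(v))
            for name, v in packets.items()}

if __name__ == "__main__":
    for name, (posted, negated) in compare().items():
        print(f"{name:24} as posted: {posted!s:5}  negated ==: {negated}")
```

With a single occurrence the two forms agree; with several occurrences the posted form accepts packets such as 1,2 and 1,3, while the negated-equality form rejects them.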