Wireshark-dev: Re: [Wireshark-dev] Implementation of Morphing Display filters on the fly ....

From: "Purandhar Krishnamurthy" <purandhar.krishnamurthy@xxxxxxxxxxxxxxxxxxxx>
Date: Fri, 1 Jun 2007 09:09:57 -0400 (EDT)

Hello Luis Ontanon,

Thanks for the link that you've sent. It was of great help.

Thanks,
Purandhar

> http://wiki.wireshark.org/Mate/Examples#head-024177fe669649345cc7c67b8eb227243d94c764
>
>
> On 5/31/07, Purandhar Krishnamurthy
> <purandhar.krishnamurthy@xxxxxxxxxxxxxxxxxxxx> wrote:
>> Hello,
>>
>>   I would like to create a conditional display filter.  When a filter
>> criterion is hit on one protocol I would like to change the display
>> filter so that it includes an OR'd reference to another protocol.
>>
>>
>> How can I update the Wireshark code to modify a display filter on the
>> fly?
>>
>> Problem Summary
>> ===============
>>
>> We are analysing packets for UMTS.
>>
>> First we are filtering based on IMSI/Subscriber identity.
>>
>> For example
>> Filter String - "radius._IMSI == 999999999998001"
>>
>> While we analyse/dissect packets, we update the filter string with
>> ip.addr
>> (Framed IP address, which we are getting in the Layer1 of Protocol as an
>> Attribute Value Pair)
>>
>> Updated filter string on the fly is :
>>
>>      "radius._IMSI == 999999999998001 || ip.addr == 10.166.104.151"
>>
>> Then we get a list of packets sent and received by that subscriber.
>>
>> Then we apply another filter to get information for a particular PDP
>> context.
>>
>> Filter String - "radius._IMSI == 999999999998001 || ip.addr ==
>> 10.166.104.151"
>>
>> But we are not getting a filtered list of packets. We are again getting
>> other packets for which the IP address doesn't match.
>>
>> Can anybody assist us,
>>
>> Thanks in advance,
>> Purandhar/Bhowmick
>>
>>
>> _______________________________________________
>> Wireshark-dev mailing list
>> Wireshark-dev@xxxxxxxxxxxxx
>> http://www.wireshark.org/mailman/listinfo/wireshark-dev
>>
>
>
> --
> This information is top security. When you have read it, destroy yourself.
> -- Marshall McLuhan
>
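
The subscriber correlation described in the quoted question, as an added example that is not part of the original thread and is not Wireshark or MATE code: pass 1 learns the Framed-IP-Address from RADIUS accounting records for the IMSI, pass 2 selects packets. It goes beyond the thread by bounding each IP match to the accounting Start/Stop window, since a static OR'd `ip.addr` term also matches traffic after the address is reassigned. The record layout and key names (`imsi`, `acct_status`, `framed_ip`) are assumptions, and the packets are constructed.

```python
# Added example: constructed records, not a real capture or Wireshark code.
from ipaddress import ip_address

IMSI = "999999999998001"

# Constructed sample: (time, kind, fields). "radius" rows carry accounting AVPs.
PACKETS = [
    (1.0, "radius", {"imsi": IMSI, "acct_status": "Start", "framed_ip": "10.166.104.151"}),
    (2.0, "ip", {"src": "10.166.104.151", "dst": "192.0.2.10"}),
    (3.0, "ip", {"src": "10.166.104.77", "dst": "192.0.2.10"}),
    (4.0, "radius", {"imsi": IMSI, "acct_status": "Stop", "framed_ip": "10.166.104.151"}),
    (5.0, "radius", {"imsi": "999999999998002", "acct_status": "Start", "framed_ip": "10.166.104.151"}),
    (6.0, "ip", {"src": "192.0.2.10", "dst": "10.166.104.151"}),
]

def learn_bindings(packets, imsi):
    """Pass 1: return [(ip, start, end)] windows in which `imsi` held an address."""
    open_at, windows = {}, []
    for ts, kind, f in packets:
        if kind != "radius" or f.get("imsi") != imsi or "framed_ip" not in f:
            continue
        ip = ip_address(f["framed_ip"])
        if f["acct_status"] == "Start":
            open_at.setdefault(ip, ts)
        elif f["acct_status"] == "Stop" and ip in open_at:
            windows.append((ip, open_at.pop(ip), ts))
    # Sessions with no Stop in the capture stay open to the end.
    windows += [(ip, start, float("inf")) for ip, start in open_at.items()]
    return windows

def select(packets, imsi):
    """Pass 2: indexes of packets for the subscriber (RADIUS by IMSI, IP by window)."""
    windows = learn_bindings(packets, imsi)
    hits = []
    for i, (ts, kind, f) in enumerate(packets):
        if kind == "radius":
            match = f.get("imsi") == imsi
        else:
            addrs = {ip_address(f["src"]), ip_address(f["dst"])}
            match = any(ip in addrs and s <= ts <= e for ip, s, e in windows)
        if match:
            hits.append(i)
    return hits

def display_filter(imsi, windows):
    """Build the OR'd filter string in the form quoted in the thread."""
    terms = [f"radius._IMSI == {imsi}"] + sorted({f"ip.addr == {ip}" for ip, _, _ in windows})
    return " || ".join(terms)
```

The last constructed packet uses the same address after the subscriber's Stop record, so `select` leaves it out even though the string from `display_filter` would match it.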

