Wireshark-users: [Wireshark-users] Display filter: Compare fields?

From: <Andrew.Hadenfeldt@xxxxxxxxxx>
Date: Mon, 2 Oct 2006 22:42:07 -0500

According to the filter docs, it is possible to "compare fields against fields" but it doesn't seem to be true. For example:

  frame.pkt_len > frame.cap_len

or (closer to what I really want)

  frame.cap_len > frame.pkt_len+4

I've even tried some variations, e.g.:

  (frame.cap_len-frame.pkt_len)>4

without success. Have also attempted with capture filters, but that didn't work either (and I'd rather stick with display filters anyway). Same results in both Wireshark 0.99.3, Ethereal 0.10.13.

Is it possible to do this or is the documentation incorrect?

-Andy


******************************************************************************************
The information contained in this message, including attachments, may contain 
privileged or confidential information that is intended to be delivered only to the 
person identified above. If you are not the intended recipient, or the person 
responsible for delivering this message to the intended recipient, Alltel requests 
that you immediately notify the sender and asks that you do not read the message or its 
attachments, and that you delete them without copying or sending them to anyone else.