Wireshark-users: Re: [Wireshark-users] Display filter: Compare fields?

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 02 Oct 2006 23:39:40 -0700

Andrew.Hadenfeldt@xxxxxxxxxx wrote:

According to the filter docs, it is possible to "compare fields against fields"

...although, later in the wireshark-filter(4) man page, at least, it says nothing about that.

but it doesn't seem to be true. For example:

  frame.pkt_len > frame.cap_len

That doesn't appear to be syntactically valid, but note that it's a filter that would only match packets if you captured with a non-default snapshot length and captured packets bigger than the snapshot length; I assume that's what you intended.

or (closer to what I really want)

  frame.cap_len > frame.pkt_len+4

That's apparently not syntactically valid, either, but it's a filter that would only match packets if you captured with a badly broken "packet slicing" implementation and that set the "captured length" incorrectly so that it's greater than the actual length. (I.e., if frame.cap_len > frame.pkt_len for any frame, there's something wrong with the software that captured that frame.) Even if it were syntactically valid, it probably wouldn't be very useful.

I've even tried some variations, e.g.:

  (frame.cap_len-frame.pkt_len)>4

without success.

The man page doesn't speak of arithmetic on fields.

Have also attempted with capture filters, but that didn't work either

Those do support arithmetic - but they don't support operators to get the captured length, just the on-the-wire length.

They also, obviously, can't filter stuff once you've captured it (at least not in *shark).