Wireshark-users: Re: [Wireshark-users] Filtering SCTP message contents

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 4 Sep 2008 00:02:35 -0700

On Sep 3, 2008, at 11:42 PM, Emre UZUNCA wrote:

When bundling is used for SCTP messages, filter conditions are checked in the full SCTP message content. For example, if 2 M3UA messages are bundled in a single SCTP message, the filter specifed as (m3ua.protocol_data_opc == 10000) && (m3ua.protocol_data_dpc== 10001) is satisfied when the first M3UA message has m3ua.protocol_data_opc == 10000 and the second has m3ua.protocol_data_dpc== 10001. Is there a way to make the filter check only the same M3UA message contents?

Unfortunately, no.

This can't be handled by the proposed {n} operator, unless you allow that operator to have "n" in it rather than just specific numbers, e.g.

m3ua{n}.protocol_data_opc == 10000 && m3ua{n}.protocol_data_dpc == 10001

where "n" is what's used there, rather than a specific number.

(I attached the {n} to "m3ua" rather than to "protocol_data_opc" - I could imagine, for example, protocol A, a single PDU of which can contain one or more PDUs of protocol B, and where a PDU of protocol B could contain multiple instances of field C - the expression "B{2}.C == 15" would match if any of the instances of C in the 2nd protocol-B PDU are equal to 15, while "B.C{2} == 15" would match if the 2nd instance of C in any of the protocol-B PDUs is equal to 15.)