Thank you everyone for your answers.

 

The eth.addr contains 00:02:fc filter worked fine - BUT the
"eth.addr[0:2]==00:02:fc" failed to find any frames, even though the
first 3 bytes were 00:02:fc. The filter "eth.addr[0-2]==00:02:fc" did
find the same frames as the "contains" filter. The "[0:2]" would appear
to be a valid filter (the bar was green) but what is it doing?

 

I also discovered the following strangeness. The filter
"eth.addr[2]==fc" turns red, it appears that "fc" is not valid by
itself. I can enclose fc in quotes eth.addr[2]=="fc" and the filter
turns green but it doesn't find any frames. The filter eth.addr[2]
matches "fc" also fails to find any frames. The problem appears to be
the "fc" value since using the same syntax with other bytes and values
and not using quotes works - so how do I match on "fc".

 

Noah Davids
=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Serendipity is a function of bandwidth

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe