Wireshark · Ethereal-dev: [Ethereal-dev] decimals not accepted in substrings - can you confirm a bug?

["Uwe Galle" <galle@xxxxxxxxxxx>]

Hi,

 

I am trying to do a very simple thing: Build a display filter with a "net" equivalent like the key word available with capture filters. But this seems to be difficult.

 

I tried to use the substring operator: ip.host[0:3]==192:168:1. According to the Ethereal manual this should work: "You can express integers in decimal, octal, or hexadecimal" (Etherreal User's Guide / Working with captured packets / Building display filter expressions / Combining expressions).

 

But Ethereal  does not accept decimals in substrings: "192:168:1 is not a valid byte string". Why? It is so easy to build capture filters with common IP addresses as network addresses but it seems to be impossible with display filters. I didn't find any information in the manual, FAQ or mailing list. Is there another way to build display filters with common IP addresses as network addresses?

 

By trying to find a way to do that I was confused by the ip.host and ip.addr field in the Ethereal documentation (http://www.ethereal.com/docs/dfref/i/ip.html). The IP documentation of Etherreal indicates that ip.host and ip.addr are in fact the same fields (http://wiki.ethereal.com/Internet_Protocol?action="">): "Show only the IP-based traffic to or from host 192.168.0.10: ip.addr==192.168.0.10 (below "Display Filter"). But in the filter _expression_ dialog box these two fields behave differently: They don't allow the same operators. Additionally ip.host allows a range but ip.addr does not. I didn't find an explanation for that. Furthermore, I expected there is also an ip.net field if there are the fields ip.addr and ip.host. But there isn't one. Could you explain this a little bit, please?

 

Thanks,

Uwe Galle