Wireshark-bugs: [Wireshark-bugs] [Bug 3791] Filter expression syntax needs to handle tunneling b

Date: Thu, 30 Jul 2009 10:56:41 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3791


Guy Harris <guy@xxxxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         OS/Version|Windows XP                  |All
           Platform|Other                       |All
            Summary|Display filter not working  |Filter expression syntax
                   |properly                    |needs to handle tunneling
                   |                            |better




--- Comment #1 from Guy Harris <guy@xxxxxxxxxxxx>  2009-07-30 10:56:40 PDT ---
The packet is an IP-over-GRE packet, so it has *two* IP headers, and thus *two*
instances of "ip.len".

A filter "XXX = yyy" matches all packets that have at least one instance of
field "XXX" with the value "yyy"; a filter "XXX > yyy" matches all packets that
have at least one instance of field "XXX" with a value greater than "yyy"; and
a filter "XXX < yyy" matches all packets that have at least one instance of
field "XXX" with a value less than "yyy".  (The same applies to >= and <=.)

Therefore, "ip.len > 60" matches all packets that have at least one instance of
"ip.len" greater than 60, and "ip.len < 80" matches all packets that have at
least one instance of "ip.len" less than 80.

The packet in question has one instance of "ip.len" greater than 60 (the
instance for the IP layer with GRE running on top of it) and another instance
of "ip.len" less than 80 (the instance for the IP layer running on top of GRE),
so the packet is matched by the filter "ip.len > 60 and ip.len < 80" - that
filter doesn't require the *same* instance of ip.len to be used in both tests.

The filter expression syntax doesn't deal well with tunneling.


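The matching rule described in the comment above, modelled as an added example (this is not code from the bug report or from Wireshark). The function names are hypothetical and the packet lengths are constructed. It shows the two tests being satisfied by different "ip.len" instances, next to a stricter check that requires one instance to pass both.

```python
import operator

OPS = {"==": operator.eq, ">": operator.gt, "<": operator.lt,
       ">=": operator.ge, "<=": operator.le}

# Constructed sample (values are not from the bug report): an IP-over-GRE
# packet as an ordered list of (field, value) instances, outermost first.
GRE_PACKET = [
    ("ip.len", 100),        # outer IP header, with GRE running on top of it
    ("gre.proto", 0x0800),
    ("ip.len", 40),         # inner IP header, running on top of GRE
]
PLAIN_PACKET = [("ip.len", 70)]  # constructed: a single, untunneled IP header

# "ip.len > 60 and ip.len < 80" as a list of (field, operator, value) tests.
RANGE = [("ip.len", ">", 60), ("ip.len", "<", 80)]


def instances(packet, field):
    """All values of `field` in the packet, outermost instance first."""
    return [v for f, v in packet if f == field]


def match_any_instance(packet, tests):
    """Semantics from the comment: each test passes if at least one instance
    of its field satisfies it; the tests are then ANDed independently."""
    return all(any(OPS[op](v, val) for v in instances(packet, f))
               for f, op, val in tests)


def match_same_instance(packet, tests):
    """Stricter model: for each field, one single instance must satisfy
    every test that names that field."""
    for field in {f for f, _, _ in tests}:
        mine = [(op, val) for f, op, val in tests if f == field]
        if not any(all(OPS[op](v, val) for op, val in mine)
                   for v in instances(packet, field)):
            return False
    return True


def explain(packet, tests):
    """Per test, the indexes (0 = outermost) of the instances that satisfied it."""
    return {f"{f} {op} {val}": [i for i, v in enumerate(instances(packet, f))
                                if OPS[op](v, val)]
            for f, op, val in tests}


if __name__ == "__main__":
    print(match_any_instance(GRE_PACKET, RANGE), explain(GRE_PACKET, RANGE))
    print(match_same_instance(GRE_PACKET, RANGE))
```

When a range filter is used for triage or detection on tunneled traffic, the per-test breakdown from `explain` shows whether a hit came from one header or from two different ones.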