
Wireshark-dev: Re: [Wireshark-dev] display filter on a field that appears more than once in a m

From: "ronnie sahlberg" <ronniesahlberg@xxxxxxxxx>
Date: Thu, 7 Sep 2006 10:53:00 +1000
The difference is the difference between the upside down A (==For ALL it is true)
and the mirrored E (==there EXISTS at least one)

I.e.  
payload.packet.a_field != 1
is only the same as
!(payload.packet.a_field == 1)

if this field exists exactly once in the set.

If the field exists multiple times, then
payload.packet.a_field != 1
is no longer the same as
!(payload.packet.a_field == 1)


Try rewriting your filters to be
!(payload.packet.a_field==1)
instead


On 9/7/06, Andrew Schweitzer <a.schweitzer.grps@xxxxxxxxx> wrote:
I have a field which can appear more than once in a message. When it
appears only once I seem to have no trouble filtering on it. When it
appears more than once I seem to be getting the wrong results.

Maybe someone can explain what I'm doing wrong?

This is a customer dissector.

I have these fields:
        -->header.msg_id: single_packet or multiple_packet
        -->payload.packet.a_field

If I search on

protocol.header.msg_id == single_packet and (payload.packet.a_field != 1
and payload.packet.a_field != 2)

everything works fine.

However, if I search on

protocol.header.msg_id == multiple_packet and (payload.packet.a_field !=
1 and payload.packet.a_field != 2)

I seem to get any packet that is *either* a_field != 1 *or* a_field != 2

Any suggestions on how to fix? I assume it has to do with how I register
these fields with wireshark in the dissector code.

Thanks

Andy

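Added example, not part of the original thread and not Wireshark code: a small Python model of the matching rule described in the reply, run over constructed packets where a_field occurs zero, one or several times. The function names and sample values are assumptions made for illustration; it also covers the case where the field is absent, which the thread does not discuss.

```python
# Toy model of the semantics described in the reply: a "packet" is reduced
# to the list of values that payload.packet.a_field takes in that packet.

def any_ne(values, x):
    """Models `a_field != x`: there EXISTS an occurrence that differs from x."""
    return any(v != x for v in values)


def none_eq(values, x):
    """Models `!(a_field == x)`: NO occurrence equals x (for ALL, v != x)."""
    return not any(v == x for v in values)


def original_filter(values):
    # a_field != 1 and a_field != 2
    return any_ne(values, 1) and any_ne(values, 2)


def rewritten_filter(values):
    # !(a_field == 1) and !(a_field == 2)
    return none_eq(values, 1) and none_eq(values, 2)


# Constructed sample packets (not taken from any capture).
PACKETS = {
    "single, a_field=1": [1],
    "single, a_field=3": [3],
    "multiple, a_field=1,2": [1, 2],
    "multiple, a_field=1,3": [1, 3],
    "multiple, a_field=3,4": [3, 4],
    "field absent": [],
}


def compare(packets=PACKETS):
    """Return {packet name: (original filter result, rewritten filter result)}."""
    return {
        name: (original_filter(vals), rewritten_filter(vals))
        for name, vals in packets.items()
    }


if __name__ == "__main__":
    for name, (orig, rewritten) in compare().items():
        print(f"{name:24} original={orig!s:5} rewritten={rewritten}")
```

In this model the two forms agree whenever the field occurs exactly once and diverge on the multi-occurrence packets that contain a 1 or a 2. The rewritten form is also true for a packet with no a_field at all, so it is worth keeping the msg_id condition in front of it.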