Wireshark-dev: Re: [Wireshark-dev] smb.time || smb2.time is valid in a filter string but not in

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 13 Jun 2013 17:46:24 -0700
On Jun 13, 2013, at 5:16 PM, Richard Sharpe <realrichardsharpe@xxxxxxxxx> wrote:

> I thought I would try to work around my issue with smb.time vs
> smb2.time by using a custom column field and putting in an expression,
> but it seems not to work. An expression that is acceptable in the
> Filter field is not acceptable in a custom column.
> 
> Why is this?

Because "||" is a Boolean "or", not a human-language "or". :-)

I.e., "a || b" is a packet-matching expression that matches if the expression "a" matches or the expression "b" matches, not a field expression that evaluates to whichever of the fields "a" or "b" is present (with "a" chosen if both are present, presumably).

The Filter field takes packet-matching expressions; the custom column field takes field names.  Field names are valid packet-matching expressions, which match if the field is present in the packet and don't match if it's not, but arbitrary packet-matching expressions aren't valid as custom columns.

Having a separate feature allowing a set of field names for a custom column could be useful.  I'm not sure an "||" operator, given its existing meaning in C (and in packet-matching expressions), would be the right syntax for that.

(Other expressions for custom columns might be useful, e.g. (ip.ttl % 17) + (1/137.035999074)*ip.proto - OK, well, *that* expression might not be useful, but....)
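
An added example, not part of the original message: one way to get a single "whichever time field is present" column outside the GUI is to export both fields with tshark and merge them afterwards. The function names, the capture path argument and the sample rows are assumptions made for illustration.

```shell
# Added example: emulate a "first field present" column outside Wireshark.
# "smb.time || smb2.time" is used only as the packet-matching filter (-Y);
# each -e takes a plain field name, and an absent field prints as empty.

# Print frame number, smb.time and smb2.time for packets carrying either field.
# $1 is a capture file path (hypothetical; supply your own).
smb_time_fields() {
    tshark -r "$1" -Y 'smb.time || smb2.time' \
        -T fields -E separator=/t \
        -e frame.number -e smb.time -e smb2.time
}

# Collapse the two time columns into one: smb.time if present, else smb2.time.
coalesce_time() {
    awk -F '\t' -v OFS='\t' '{ print $1, ($2 != "" ? $2 : $3) }'
}

# Constructed sample of the tab-separated tshark output (not real capture data).
# The third row has both fields set to show that smb.time wins.
sample_rows() {
    printf '12\t0.000412\t\n'
    printf '15\t\t0.001903\n'
    printf '21\t0.000377\t0.002500\n'
}
```

With a real capture the two stages are chained as `smb_time_fields capture.pcap | coalesce_time`.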