Wireshark-dev: Re: [Wireshark-dev] dfilter functions
From: Peter Wu <[email protected]>
Date: Mon, 7 Jan 2019 14:13:24 +0100
The online manual reflects 2.6.5, but the manual was updated in master,
https://code.wireshark.org/review/27146

Perhaps size should be removed (as argued in that commit message)?

Kind regards,
Peter

On Sun, Jan 06, 2019 at 02:20:22PM +0000, Michael Mann via Wireshark-dev wrote:
> len - Checks the string length of "string types" (FT_STRING, FT_STRINGZ, FT_UINT_STRING, FT_STRINGZPAD) or array length of "byte types" (FT_BYTES, FT_UINT_BYTES) and does a compare.
> Examples:len(smpp.message_id)  > 10len(smpp.message) > 25
> size - Checks the size of the field in a packet.  Can be used for strings/bytes like len() above, but can also be used for integer fields that vary in length (1-4 bytes)
> Examples:size(eth.type) == 2       (This is just for demonstration purposes.  Obviously the size of the eth.type field could only be 2 but I couldn't quickly think of a "popular" field with varying integer length)    
> size(tcp.options) > 7
> 
> count - Number of times a field is found in a single frame.  This can be used to help identify "tunneling" or if multiple PDUs are in a single frame.
> Examples:count(ip.src) > 1
> count(smpp.sequence_number) > 1    (Since sequence_number is required for the packet, having more than one shows frames with multiple PDUs.
> 
> 
> -----Original Message-----
> From: Dario Lombardo <[email protected]>
> To: Developer support list for Wireshark <[email protected]>
> Sent: Sun, Jan 6, 2019 4:35 am
> Subject: [Wireshark-dev] dfilter functions
> 
> HiI've noticed that the online documentation about dfilter functions just talks about 2 of them, upper and lower:
> https://www.wireshark.org/docs/man-pages/wireshark-filter.html
> but there are more that are undocumented AFAICS:
> - len- size- count
> Can someone explain me their purpose and give a working example on some protocol?Thanks.Dario.