Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] dfilter functions

From: Peter Wu <peter@xxxxxxxxxxxxx>
Date: Mon, 7 Jan 2019 14:13:24 +0100
The online manual reflects 2.6.5, but the manual was updated in master,
https://code.wireshark.org/review/27146

Perhaps size should be removed (as argued in that commit message)?

Kind regards,
Peter

On Sun, Jan 06, 2019 at 02:20:22PM +0000, Michael Mann via Wireshark-dev wrote:
> len - Checks the string length of "string types" (FT_STRING, FT_STRINGZ, FT_UINT_STRING, FT_STRINGZPAD) or array length of "byte types" (FT_BYTES, FT_UINT_BYTES) and does a compare.
> Examples:len(smpp.message_id)� > 10len(smpp.message) > 25
> size - Checks the size of the field in a packet.� Can be used for strings/bytes like len() above, but can also be used for integer fields that vary in length (1-4 bytes)
> Examples:size(eth.type) == 2 � � � (This is just for demonstration purposes.� Obviously the size of the eth.type field could only be 2 but I couldn't quickly think of a "popular" field with varying integer length) � �
> size(tcp.options) > 7
> 
> count - Number of times a field is found in a single frame.� This can be used to help identify "tunneling" or if multiple PDUs are in a single frame.
> Examples:count(ip.src) > 1
> count(smpp.sequence_number) > 1 �� (Since sequence_number is required for the packet, having more than one shows frames with multiple PDUs.
> 
> 
> -----Original Message-----
> From: Dario Lombardo <lomato@xxxxxxxxx>
> To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
> Sent: Sun, Jan 6, 2019 4:35 am
> Subject: [Wireshark-dev] dfilter functions
> 
> HiI've noticed that the online documentation about dfilter functions just talks about 2 of them, upper and lower:
> https://www.wireshark.org/docs/man-pages/wireshark-filter.html
> but there are more that are undocumented AFAICS:
> - len- size- count
> Can someone explain me their purpose and give a working example on some protocol?Thanks.Dario.