Wireshark-dev: Re: [Wireshark-dev] dfilter functions
From: Peter Wu <[email protected]>
Date: Mon, 7 Jan 2019 14:13:24 +0100
The online manual reflects 2.6.5, but the manual was updated in master,

Perhaps size should be removed (as argued in that commit message)?

Kind regards,

On Sun, Jan 06, 2019 at 02:20:22PM +0000, Michael Mann via Wireshark-dev wrote:
> len - Checks the string length of "string types" (FT_STRING, FT_STRINGZ, FT_UINT_STRING, FT_STRINGZPAD) or array length of "byte types" (FT_BYTES, FT_UINT_BYTES) and does a compare.
> Examples:
> len(smpp.message_id) > 10
> len(smpp.message) > 25
> size - Checks the size of the field in a packet.  Can be used for strings/bytes like len() above, but can also be used for integer fields that vary in length (1-4 bytes)
> Examples:
> size(eth.type) == 2       (This is just for demonstration purposes.  Obviously the size of the eth.type field could only be 2 but I couldn't quickly think of a "popular" field with varying integer length)
> size(tcp.options) > 7
> count - Number of times a field is found in a single frame.  This can be used to help identify "tunneling" or if multiple PDUs are in a single frame.
> Examples:
> count(ip.src) > 1
> count(smpp.sequence_number) > 1    (Since sequence_number is required for the packet, having more than one shows frames with multiple PDUs.)
> -----Original Message-----
> From: Dario Lombardo <[email protected]>
> To: Developer support list for Wireshark <[email protected]>
> Sent: Sun, Jan 6, 2019 4:35 am
> Subject: [Wireshark-dev] dfilter functions
> Hi,
> I've noticed that the online documentation about dfilter functions just talks about 2 of them, upper and lower:
> https://www.wireshark.org/docs/man-pages/wireshark-filter.html
> but there are more that are undocumented AFAICS:
> - len
> - size
> - count
> Can someone explain me their purpose and give a working example on some protocol?
> Thanks.
> Dario.
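The filters Michael describes, wrapped in tshark one-liners as an added example (this is not code from the thread or from the Wireshark project). It assumes tshark is on PATH and that you supply your own capture file; it uses only the `len()` and `count()` functions and the field names quoted above, and leaves out `size()` because Peter's reply notes it may be removed. The `count()` filters are the ones a defender would reach for: more than one `ip.src` in a frame points at encapsulated (tunneled) IP, and more than one SMPP `sequence_number` means several PDUs were coalesced into one segment.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the Wireshark project.
# Assumes: tshark is installed, and a capture path is passed as $1 to run it.

# Frames carrying more than one IP header (IP-in-IP, GRE and similar):
# count() counts the occurrences of a field within a single frame.
tunnel_filter() {
    printf '%s' 'count(ip.src) > 1'
}

# Frames holding more than one SMPP PDU: sequence_number is mandatory per PDU,
# so a count above 1 means several PDUs share one frame.
multi_pdu_filter() {
    printf '%s' 'count(smpp.sequence_number) > 1'
}

# SMPP messages whose text payload exceeds a byte-length threshold ($1).
long_message_filter() {
    printf 'len(smpp.message) > %d' "$1"
}

# Apply a display filter to a capture and print the frame number plus the
# requested field values, one line per matching frame. When a field occurs
# more than once in a frame, tshark prints all occurrences comma-separated.
run_filter() {
    pcap=$1
    filter=$2
    shift 2
    tshark -r "$pcap" -Y "$filter" -T fields -e frame.number "$@"
}

# Usage: ./dfilter_examples.sh capture.pcapng
if [ -n "${1:-}" ]; then
    echo "== frames with nested IP headers (possible tunneling) =="
    run_filter "$1" "$(tunnel_filter)" -e ip.src -e ip.dst
    echo "== frames with multiple SMPP PDUs =="
    run_filter "$1" "$(multi_pdu_filter)" -e smpp.sequence_number
    echo "== SMPP messages longer than 25 bytes =="
    run_filter "$1" "$(long_message_filter 25)" -e smpp.message
fi
```

The filter strings are the same ones you would type into the Wireshark filter bar; keeping them in small functions just makes them reusable from scripts and easy to check.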