
Wireshark-dev: Re: [Wireshark-dev] Filtering on a field when there is more than one such field

From: Graham Bloice <graham.bloice@xxxxxxxxxxxxx>
Date: Fri, 14 Aug 2020 08:31:09 +0100
tshark has the "-E occurrence=f|l|a" option to print the first, last or all occurrences of the field in a packet but that is only filtering the output when using -T fields, not matching packets.

On Fri, 14 Aug 2020 at 07:14, Jaap Keuter <jaap.keuter@xxxxxxxxx> wrote:
Hi Richard,

The display filter engine has no concept of individual instances of a field, either it's there in a packet or not and its value is used in the expression. Where it is in the packet and in what relation to other fields in a display filter expression is of no concern to the display filter engine. It is a question that comes up once in a while, so it's not unheard of, but no one has dared to venture into redoing the whole display filter engine design to make this possible. It would at least require an overhaul of the syntax, and I'm not even sure it is possible with the current dissection engine design.

Thanks,
Jaap

> On 13 Aug 2020, at 22:12, Richard Sharpe <realrichardsharpe@xxxxxxxxx> wrote:
>
> Hi folks,
>
> I faced an interesting problem recently.
>
> I was trying to find a particular tagged item with a tag length
> greater than a specific size.
>
> This presented a problem because many Wi-Fi packets have tagged fields
> and a search filter like wlan.tag.number == X and wlan.tag.length >=
> some-value is prone to false positives if any tagged field in the
> frame has that number and any other tagged field in the frame has a
> length ge the value.
>
> How can I limit the length comparison to the tag found in the first comparison?
>
> Do we even have that concept?
>

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe


--
Graham Bloice
Software Developer
Trihedral UK Limited
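Graham's point is that -E occurrence only shapes what tshark prints, not which packets match. The script below is an added example, not code from this thread or from the Wireshark project: it takes the -T fields output (the tshark flags named in the docstring are real ones; the capture file name is a placeholder) and does the per-instance pairing the display filter engine cannot, i.e. it reports frames in which one and the same tagged parameter has the wanted tag number and a length at or above the threshold, and separately lists the frames the display filter alone would have matched through two different tags. It assumes wlan.tag.number and wlan.tag.length are emitted once per tagged parameter and in the same order, which is how the 802.11 dissector lays them out; a line where the two counts differ is rejected rather than silently mis-paired. The sample lines are constructed to look like tshark output, not taken from a capture.

```python
"""Pair per-instance tag fields from `tshark -T fields -E occurrence=a` output.

Assumed tshark invocation (flags are real; capture.pcapng is a placeholder):

    tshark -r capture.pcapng -Y 'wlan.tag.number == 221' -T fields \
        -e frame.number -e wlan.tag.number -e wlan.tag.length \
        -E occurrence=a -E aggregator=,

Each output line is one frame: the frame number, then every wlan.tag.number
in packet order, then every wlan.tag.length in the same order. The display
filter only guarantees that *some* tag has number 221 and *some* tag has a
length >= N, so the pairing has to be done here on the positional lists.
"""
from __future__ import annotations

import sys
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class TaggedParam:
    """One 802.11 tagged parameter as seen through tshark's field output."""
    number: int
    length: int


def parse_fields_line(line: str, separator: str = "\t", aggregator: str = ",") -> tuple[int, list[TaggedParam]]:
    """Parse one -T fields line into (frame number, tagged parameters).

    tshark joins the occurrences of one field with the aggregator (default ',')
    and the columns with the separator (default tab). The two occurrence lists
    are assumed to line up one-to-one; a count mismatch is an error, because
    zipping them would silently attach lengths to the wrong tags.
    """
    frame_str, numbers_str, lengths_str = line.rstrip("\n").split(separator)
    numbers = [int(x) for x in numbers_str.split(aggregator) if x]
    lengths = [int(x) for x in lengths_str.split(aggregator) if x]
    if len(numbers) != len(lengths):
        raise ValueError(
            f"frame {frame_str}: {len(numbers)} tag numbers but {len(lengths)} tag lengths"
        )
    return int(frame_str), [TaggedParam(n, l) for n, l in zip(numbers, lengths)]


def display_filter_match(params: Iterable[TaggedParam], number: int, min_length: int) -> bool:
    """Same truth value as `wlan.tag.number == number and wlan.tag.length >= min_length`.

    Each clause is satisfied by *any* instance, so two different tags can
    satisfy the two clauses. This is the source of the false positives.
    """
    params = list(params)
    return any(p.number == number for p in params) and any(p.length >= min_length for p in params)


def paired_match(params: Iterable[TaggedParam], number: int, min_length: int) -> bool:
    """The intended question: does a single tag have this number AND this length or more?"""
    return any(p.number == number and p.length >= min_length for p in params)


def classify(lines: Iterable[str], number: int, min_length: int) -> tuple[list[int], list[int]]:
    """Return (hits, false_positives) as frame numbers.

    hits: frames where one tag satisfies both conditions.
    false_positives: frames the display filter would match although no single
    tag satisfies both, i.e. the cases Richard wants to exclude.
    """
    hits: list[int] = []
    false_positives: list[int] = []
    for line in lines:
        frame, params = parse_fields_line(line)
        if paired_match(params, number, min_length):
            hits.append(frame)
        elif display_filter_match(params, number, min_length):
            false_positives.append(frame)
    return hits, false_positives


# Constructed sample in tshark's -T fields layout (not from a real capture).
# Columns: frame.number <TAB> wlan.tag.number occurrences <TAB> wlan.tag.length occurrences.
SAMPLE_LINES = [
    "12\t0,1,48,221\t6,8,20,10",   # vendor tag 221 is 10 bytes; the 20-byte one is RSN (48)
    "13\t0,1,221,221\t6,8,25,10",  # one of two vendor-specific tags is 25 bytes
    "14\t0,1\t6,8",                # no tag 221 at all
]


if __name__ == "__main__":
    # Pipe tshark into this script:  tshark ... | python3 pair_tags.py 221 16
    # With no arguments it runs on the constructed sample above.
    if len(sys.argv) == 3:
        tag_number, min_len = int(sys.argv[1]), int(sys.argv[2])
        source: Iterable[str] = sys.stdin
    else:
        tag_number, min_len, source = 221, 16, SAMPLE_LINES
    real, spurious = classify(source, tag_number, min_len)
    print(f"frames with a tag {tag_number} of length >= {min_len}: {real}")
    print(f"frames the display filter alone would also have matched: {spurious}")
```

On the sample, frame 13 is the only real hit; frame 12 is exactly the false positive Richard describes, because the display filter's two clauses are satisfied by tags 221 and 48 respectively. Keeping the -Y prefilter in the tshark command is still worthwhile: it cuts the output to frames that carry the tag at all, and the pairing here then removes the cross-tag matches. The other common workaround, when the result is needed as a display filter inside Wireshark rather than in a script, is a Lua post-dissector that walks the tag instances and registers a synthetic field (for instance the length of the tag with a given number) that the filter engine can then compare directly.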