Wireshark-users: Re: [Wireshark-users] Custom Columns & combining filters

From: Martin Visser <martinvisser99@xxxxxxxxx>
Date: Thu, 8 Oct 2009 07:16:48 +1100
I think that the problem that Keith has missed is that field names ARE filters, but unfortunately the converse is not true. For Keith's benefit, when you use one or more fields to construct a filter, such as "(dpnss.cc_msg_type)||(dpnss.e2e_msg_type)", the result is effectively a logical true or false. If used as a display filter this simply determines whether a packet is displayed or not. The only way to display a new field whose contents are either the contents from this field or that field (and you might have to deal with the case of them both having contents) would be to create a new subdissector (which could be done in Lua).

The bug Jeff refers to also seems to cover it. I do think some sort of calculated field would be cool.

Even easier would be to create two custom columns, one for dpnss.cc_msg_type and one for dpnss.e2e_msg_type, and put up with the lost real estate.


Regards, Martin

MartinVisser99@xxxxxxxxx


On Thu, Oct 8, 2009 at 3:40 AM, Guy Harris <guy@xxxxxxxxxxxx> wrote:

On Oct 7, 2009, at 2:32 AM, Keith French wrote:

> In the latest version of Wireshark, when you add a custom column
> under the Preferences/User Interface, is it possible to define the
> filter using two or more expressions?

I don't see any filter in the dialog box for a column.  I do see
something that says "Field name", but nothing that says "Filter".

> Either of these two filters are valid on their own, but if I try to
> combine them to be one column the syntax checker remains a red
> background:-
>
> (dpnss.cc_msg_type)||(dpnss.e2e_msg_type)

That's not a field name.  What is it you're trying to do?
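The Lua approach mentioned in the thread, sketched as an added example that is not part of the original messages: a post-dissector that publishes one generated field holding whichever of the two DPNSS message types is present, or both. The protocol name `dpnss_any` and field name `dpnss_any.msg_type` are hypothetical names chosen for this example.

```lua
-- Added example, not from the thread. Load as a Wireshark Lua plugin.
-- Field extractors for the two existing fields named in the thread.
local cc_type  = Field.new("dpnss.cc_msg_type")
local e2e_type = Field.new("dpnss.e2e_msg_type")

-- Hypothetical protocol and field names used only by this example.
local proto = Proto("dpnss_any", "DPNSS combined message type")
local f_msg = ProtoField.string("dpnss_any.msg_type", "Message type (CC or E2E)")
proto.fields = { f_msg }

-- Turn every occurrence of a field in the current packet into "LABEL: value".
-- An extractor returns zero or more FieldInfo values, passed here as varargs.
local function collect(label, ...)
  local out = {}
  for _, fi in ipairs({ ... }) do
    out[#out + 1] = label .. ": " .. fi.display
  end
  return out
end

function proto.dissector(tvb, pinfo, tree)
  local parts = collect("CC", cc_type())
  for _, s in ipairs(collect("E2E", e2e_type())) do
    parts[#parts + 1] = s
  end

  -- Neither field present: add nothing, so the column stays empty.
  if #parts == 0 then return end

  -- Both present: show both, labelled, rather than silently picking one.
  local item = tree:add(f_msg, table.concat(parts, ", "))
  item:set_generated()
end

-- Run after the normal dissectors so the DPNSS fields already exist.
register_postdissector(proto)
```

With the script loaded, `dpnss_any.msg_type` can be entered as the field name of a single custom column.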