
Wireshark-users: Re: [Wireshark-users] Display filters for application protocols

From: "news.gmane.com" <AndreasSander1@xxxxxxx>
Date: Tue, 8 Mar 2011 18:01:02 +0100
"Lukás Oliva" <olivalukas@xxxxxxxxx> wrote in 
message news:AANLkTinczCeZZCCy5f_5WE8jVs6WNf63bObvxOc5mc2c@xxxxxxxxxxxxxx...
>  Hello to the community,
> I am doing some testing for the Diameter protocol and I noticed
> interesting behaviour of the display filters. I noticed that if I run
>
> tshark -r mypcap.pcap -R "diameter.cmd.code==302"
>
> then the output contains afterwards also Diameter packets with
> different diameter.cmd.code. I am not sure if it is actually a bug and
> how tshark handles this filtering for application protocols.
> E.g.: If there is a packet containing more Diameter (or other
> application protocol) messages on IP (or possibly TCP) level, how
> will the display filter filter all of them?
>
> Just for the illustration:
>
> 1  TCP packet: Diameter message 1 (LIR), Diameter message 2 (MAR),
> Diameter message 3 (SAR)
>
> Running tshark -r mypcap.pcap -R "diameter.cmd.code==302" ... # so
> filtering out the LIR messages which have message code 302
>
> Should the tshark produce a list of LIR messages only?

You write that you have one TCP packet with several diameter messages. A display 
filter defines which _packets_ should be displayed. But the display filter 
does not define which details of one packet are displayed.

--
Andy
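
The packet-level behaviour described in the reply, as an added example that is not part of the original message: it post-processes per-frame field output to separate "frames that match" from "messages that match". The sample text is constructed to look like the output of `tshark -r mypcap.pcap -T fields -e frame.number -e diameter.cmd.code -E occurrence=a -E aggregator=,`; the codes 303 and 301 for MAR and SAR and all helper names are assumptions made for the illustration.

```python
# Constructed sample: one line per frame, tab-separated, with every
# occurrence of diameter.cmd.code in that frame joined by ','.
# Frame 1 mirrors the thread's case: LIR (302), MAR, SAR in one TCP packet.
# Frame 3 carries no Diameter message, so its field is empty.
SAMPLE_FIELDS_OUTPUT = "1\t302,303,301\n2\t303\n3\t\n4\t301,302\n"


def parse_frames(text):
    """Return {frame_number: [command codes carried in that frame]}."""
    frames = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        number, _, codes = line.partition("\t")
        frames[int(number)] = [int(c) for c in codes.split(",") if c]
    return frames


def frames_matching(frames, code):
    """Display-filter semantics: a frame is selected when ANY occurrence
    of the field in it equals the wanted value."""
    return [n for n, codes in frames.items() if code in codes]


def messages_matching(frames, code):
    """Per-message view: (frame, position in frame) of each message
    whose command code equals the wanted value."""
    return [(n, i) for n, codes in frames.items()
            for i, c in enumerate(codes) if c == code]


def other_messages_shown(frames, code):
    """Messages with a different code that still appear in the output
    because the frame they share with a match was selected."""
    return [(n, c) for n in frames_matching(frames, code)
            for c in frames[n] if c != code]


if __name__ == "__main__":
    frames = parse_frames(SAMPLE_FIELDS_OUTPUT)
    print("frames selected for 302:", frames_matching(frames, 302))
    print("302 messages (frame, index):", messages_matching(frames, 302))
    print("non-302 messages also shown:", other_messages_shown(frames, 302))
```
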