Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: Re: [Wireshark-users] bitwise operating gives syntax error. + displaying a slice

Date: Mon, 9 Apr 2012 17:55:19 +0100 (BST)
I know that some number AND 0  would give 0..

My issue is that it gives a Syntax error! 

0 could be FF, my point is the syntax error.

I want to run the expression without getting a syntax error.

See the example, it reads from a file (i.e. i'm looking at doing a display filter)  


C:\sdf>tshark -r asdf2 "ip[0]&ff==45"
tshark: Syntax error.



--- On Mon, 9/4/12, Jaap Keuter  wrote:

> From: Jaap Keuter 
> Subject: Re: [Wireshark-users] bitwise operating gives syntax error. + displaying a slice.
> To: list
> Date: Monday, 9 April, 2012, 16:50
> Hi,
> 
> Are you trying capture or display filters here?
> 
> The capture file expression part "ip[0] & 0" would
> always yield 0.
> 
> Thanks,
> Jaap
> 
> On 04/08/2012 05:37 PM, Marilo wrote:
> > I am having trouble trying to get the bitwise operator
> to function here without a syntax error
> >
> > This works
> >
> > C:\sdf>tshark -r asdf2 "ip[0]==45"
> >
> > but when I put a bitwise AND in there, I get a syntax
> error
> >
> > C:\sdf>tshark -r asdf2 "ip[0]&0==45"
> > tshark: Syntax error.
> >    Note: That display filter code looks like
> a valid capture filter;
> >          maybe you mixed them
> up?
> >
> > C:\sdf>
> >
> >
> > Also where in the manual does it speak about this?
> >
> > And it'd be really useful in debugging a filter, if I
> could display, say, ip[0] or  ip[0]<<2
> > Is that possible and is it possible to only display
> ip[0] or tcp[12] or whatever slice, of a packet?
> >
> 
>