Wireshark-users: Re: [Wireshark-users] How to filter using a negative number?

From: Bill Meier <wmeier@xxxxxxxxxxx>
Date: Sat, 10 Nov 2012 14:54:07 -0500
On 11/10/2012 11:24 AM, Bill Meier wrote:
On 11/9/2012 9:12 PM, spdev31 wrote:
Hello all,

I'm using Wireshark for logging USB traffic and have a signed field I'd like
to filter on (e.g. usb.urb_status != -115).  But, I cannot seem to filter
based on a negative number without getting an error (e.g. "-115" cannot be
found among the possible values for usb.urb_status).  Does anyone know how
to filter signed values with Wireshark?

Thanks,
Shaun



I'm able to enter 'usb.urb_status != -115' on my 32-bit Windows w/o
problems using the latest dev Wireshark.

What version of Wireshark and what platform/OS are you using?



Looking at this in more detail:

Is your system using a locale/keyboard (or whatever the correct terminology) wherein the "-" is not being seen by Wireshark as a character indicating negation?

If so, you would then get the error message you describe.

In this case Wireshark thinks "-115" is a string and is trying to look up the "string" "-115" in a list of "predefined values" and not finding same.

(You'll get the same effect if you enter 'usb.urb_status != a123').

Locales, etc. are not my strong suit so I'll defer to others for further details.

ISTR there have been various emails on the Wireshark.org lists relating to issues of this type; doing a web search on wireshark.org may turn up more info.



Details:

usb.urb_status is a field which has a "value-string" table associated with it.

IOW: There is a table which contains entries matching text strings to values for this field.

These strings can then be used when constructing a filter for the usb.urb_status field.

You can best see this by clicking the 'Expression' button on the filter toolbar and then selecting usb.urb_status in the 'field name' panel.

After having done so, you'll see a list of "Predefined values" on the right. These are the text strings. Selecting one of the strings then uses the associated value in the filter.

So: one way to create the desired filter is to use the 'Expression' functionality to create the filter by selecting the string "Operation now in progress" in the predefined values for the field named usb.urb_status.
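
The lookup behaviour described in the message above, as an added example that is not part of the original post and is not Wireshark's own code: a simplified model in which an operand that does not parse as an ASCII integer is treated as a string and searched for among the field's predefined values. The function names are hypothetical, and the table is a constructed sample in which only the -115 entry comes from the thread.

```python
import re
import unicodedata

# Constructed sample of a value-string table for usb.urb_status; only the
# -115 / "Operation now in progress" pair is taken from the thread.
URB_STATUS_VALS = {
    0: "Success",
    -2: "No such file or directory",
    -115: "Operation now in progress",
}

# An optional ASCII sign followed by ASCII digits; nothing else is a number.
ASCII_INT = re.compile(r"[+-]?[0-9]+")


def resolve_operand(text, value_strings):
    """Return the integer a filter operand stands for, or raise ValueError."""
    if ASCII_INT.fullmatch(text):
        return int(text)
    # Not a number: treat it as a string and look it up among the names.
    for value, name in value_strings.items():
        if name == text:
            return value
    raise ValueError(f'"{text}" cannot be found among the possible values')


def suspicious_chars(text):
    """List non-ASCII characters in a filter string with their Unicode names,
    e.g. a typographic minus sign pasted or typed in place of '-'."""
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in text if ord(ch) > 127]


if __name__ == "__main__":
    # Constructed operands: ASCII "-115", U+2212 "115", a name, and "a123".
    for operand in ["-115", "\u2212115", "Operation now in progress", "a123"]:
        try:
            print(repr(operand), "->", resolve_operand(operand, URB_STATUS_VALS))
        except ValueError as err:
            print(repr(operand), "-> error:", err)
    print(suspicious_chars("usb.urb_status != \u2212115"))
```

Running `suspicious_chars` over a filter string copied from a document or chat client is a quick way to confirm whether a look-alike character is the reason a numeric operand is being rejected.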