Wireshark · Wireshark-users: Re: [Wireshark-users] Display filter on smb2.fid

Wireshark-users: Re: [Wireshark-users] Display filter on smb2.fid

From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>

Date: Tue, 12 Dec 2017 20:50:18 -0500

On 12/12/2017 03:33 PM, Rodrigo Borges Pereira wrote:

Hi,

I'd like to match on partial smb2.fid, for example smb2.fid[0] == 00
But this seems to be an invalid expression. Is there any trick to it, orjust not possible at all?

That's not possible with that field. You can do partial matches onfields that are byte arrays, for example:


eth.addr[0:3]==00:06:5B

But GUIDs (such as smb2.fid) aren't treated as byte arrays so it doesn'twork.

Follow-Ups:
- Re: [Wireshark-users] Display filter on smb2.fid
  - From: Guy Harris

References:
- [Wireshark-users] Display filter on smb2.fid
  - From: Rodrigo Borges Pereira

Prev by Date: [Wireshark-users] Display filter on smb2.fid
Next by Date: Re: [Wireshark-users] Display filter on smb2.fid
Previous by thread: [Wireshark-users] Display filter on smb2.fid
Next by thread: Re: [Wireshark-users] Display filter on smb2.fid
Index(es):
- Date
- Thread