Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

answered 2024-01-08 09:33:31 +0000

SYN-bit gravatar image

I'm not sure if this will work for the way your protocol adds the multiple messages to the tree, but if it does, the layer operator might come in handy. Of course that will only work if you have a limited amount of messages per packet. You could try the following:

(body.name[1]==alex and body.family[1]==human) or (body.name[2]==alex and body.family[2]==human) or (body.name[3]==alex and body.family[3]==human) or (body.name[4]==alex and body.family[4]==human)

You might want to make a display filter macor for it like

  • macro name: NameFamily
  • macro expression: (body.name[1]==$1 and body.family[1]==$2) or (body.name[2]==$1 and body.family[2]==$2) or (body.name[3]==$1 and body.family[3]==$2) or (body.name[4]==$1 and body.family[4]==$2)

So you can then use the display filter ${NameFamily:alex;human}

click to hide/show revision 2
No.2 Revision

updated 2024-01-08 14:21:08 +0000

cmaynard gravatar image

I'm not sure if this will work for the way your protocol adds the multiple messages to the tree, but if it does, the layer operator might come in handy. Of course that will only work if you have a limited amount of messages per packet. You could try the following:

(body.name[1]==alex and body.family[1]==human) or (body.name[2]==alex and body.family[2]==human) or (body.name[3]==alex and body.family[3]==human) or (body.name[4]==alex and body.family[4]==human)

You might want to make a display filter macor macro for it like

  • macro name: NameFamily
  • macro expression: (body.name[1]==$1 and body.family[1]==$2) or (body.name[2]==$1 and body.family[2]==$2) or (body.name[3]==$1 and body.family[3]==$2) or (body.name[4]==$1 and body.family[4]==$2)

So you can then use the display filter ${NameFamily:alex;human}