I have a pcap which contains messages having data of type float. I tried applying display filter on this field, but it is not working, not able to see the messages being filtered. Wanted to know whether Wireshark supports display filter option on float data type values. I am using Wireshark version 1.6.1. Thanks in advance. Kiran Kumar G asked 21 Jan '14, 10:21 Kiran Kumar G edited 21 Jan '14, 12:03 Kurt Knochner ♦ |
One Answer:
yes, in general that's supported, at least in the versions I tested (1.10.x and 1.11.x). I did a test with DTLS, where the sequence number was (strangely) defined as a double value up until 1.11.x Test File: http://wiki.wireshark.org/SampleCaptures#DTLS_with_decryption_keys In Wireshark 1.10.x I was able to use the following filters
They both work. In 1.11.x that field was redefined as UINT64, hence it does not work in 1.11.x. Now, for 1.6.x: The field is defined as DOUBLE there as well, however filtering for a double value (1.0, see above), does not work in 1.6.8. I get an error message, but I did not check the reason for it in the code! So, to answer you question in more details: Yes, filtering for float/double values works, if
-- UPDATE -- Filters for float/double values do work for 1.6.11 and upwards, so maybe that's a bug in 1.6.x that has been fixed. Please update or upgrade your version of Wireshark and it should work (again) ;-) Regards answered 21 Jan '14, 11:52 Kurt Knochner ♦ edited 21 Jan '14, 12:23 Thanks Kurt for your answer, it clarified many of my questions. I did further analysis and below are my observations. I took a PCAP of a protocol which had float values, i selected CIGI protocol as it is supported by default in Wireshark. I opened this in both Wireshark 1.6.1 and Wireshark 1.10.2 and 1.10.5 (latest version) and tried applying filter on the float field. Observed that it is the same behaviour with both the versions. I am not sure if the problem still there in the latest version or am i missing something. HF declaration and the code to display this field in CIGI code is as below. ---HF declaration--- &hf_cigi2_line_of_sight_range_request_max_range, { "Maximum Range (m)", "cigi.los_range_request.max_range", FT_FLOAT, BASE_NONE, NULL, 0x0, "Specifies the maximum extent from the source position specified in this data packet to a point along the LOS vector where intersection testing will end", HFILL } }, ---Code snippet--- proto_tree_add_item(tree, hf_cigi2_line_of_sight_range_request_max_range, tvb, offset, 4, ENC_BIG_ENDIAN); offset += 4; ---Applied filter string is as below--- cigi.los_range_request.max_range ---PCAP for the CIGI protocol is obtained from the below link--- http://wiki.wireshark.org/CIGI Request you suggestion on the same. Thanks, Kiran (24 Jan '14, 04:29) Kiran Kumar G O.K. I believe this is a bug related to 'localization/internationalization' settings of the OS, where either '.' or ',' is used to separate the fraction of a number, similar to a problem reported in another question: If I apply
However, that filter is not accepted (certainly due to the comma) If I used the following filter
The filter itself is accepted (green), but it does not match any frame. So, please open a bug request at https://bugs.wireshark.org and describe your problem as detailed as possible. Please also add the link to this question. (24 Jan '14, 05:31) Kurt Knochner ♦ Thanks Kurt for your reply, i will be raising a bug as suggested. (27 Jan '14, 23:19) Kiran Kumar G |
Which protocol? What was the display filter you tried?