 | 1 | initial version |
(Sample capture zgp_control_log.pcapng is from issue 9424: Implement ZigBee Green Power dissector)
The error messages will be appear in the lower left of the gui on the status line.
It's easier to capture the text getting the output from tshark.
$ tshark -v
TShark (Wireshark) 4.2.3 (v4.2.3-0-ga15d7331476c).
$ tshark.exe -r ./zgp_control_log.pcapng -T fields -e zbee_nwk_gp.source_id | sort | uniq -c
14
58 0x78417788
46 0xab361a07
3 0xffffffff
$ tshark.exe -r ./zgp_control_log.pcapng -Y "zbee_nwk_gp.source_id matches 7841"
tshark: Matches requires a double quoted string on the right side.
zbee_nwk_gp.source_id matches 7841
^~~~
$ tshark.exe -r ./zgp_control_log.pcapng -Y "zbee_nwk_gp.source_id matches \"7841\""
tshark: zbee_nwk_gp.source_id (type=Unsigned integer (32 bits)) cannot participate in matches comparis
on.
zbee_nwk_gp.source_id matches "7841"
^~~~~~~~~~~~~~~~~~~~~
$ tshark.exe -r ./zgp_control_log.pcapng -Y "zbee_nwk_gp.source_id contains \"7841\""
tshark: zbee_nwk_gp.source_id (type=Unsigned integer (32 bits)) cannot participate in contains compari
son.
zbee_nwk_gp.source_id contains "7841"
^~~~~~~~~~~~~~~~~~~~~
$ tshark.exe -r ./zgp_control_log.pcapng -Y "zbee_nwk_gp.source_id[0:2] == 78:41"
tshark: "zbee_nwk_gp.source_id" is a Unsigned integer (32 bits) and cannot be sliced into a sequence o
f bytes.
zbee_nwk_gp.source_id[0:2] == 78:41
^~~~~~~~~~~~~~~~~~~~~
Field is Uint32 - https://www.wireshark.org/docs/dfref/z/zbee_nwk_gp.html
Field name Description Type Versions zbee_nwk_gp.source_id Src ID Unsigned integer (32 bits) 1.12.0 to 4.2.
Two ways (there could be more) to search for specific bytes in the field:
1. WSUG - 6.4.8. Arithmetic operators
Bitwise AND A & B A bitand B Bitwise AND of A and B
$ tshark.exe -r ./zgp_control_log.pcapng -Y "zbee_nwk_gp.source_id & 0xffff0000 == 0x78410000" | wc
58 652 5560
2. Access the raw bytes in the Uint32. Wireshark 4.2.0 Release Notes
It is now possible to filter on raw packet data for any field by using the syntax @some.field == <bytes…>.
$ tshark.exe -r ./zgp_control_log.pcapng -Y "@zbee_nwk_gp.source_id[2:2] == 41:78" | wc
58 652 5560
Due to the "endianness" of the raw bytes in packet data, the raw bytes filter works from the end and in reverse.
Field as displayed in the Packet Details:
Src ID: Unknown (0x78417788)
Field as seen in the Packet Bytes:
0000 88 77 41 78
| | 2 | No.2 Revision |
(Sample capture zgp_control_log.pcapng is from issue 9424: Implement ZigBee Green Power dissector)
The error messages will be appear in the lower left of the gui on the status line.
It's easier to capture the text getting the output from tshark.
$ tshark -v
TShark (Wireshark) 4.2.3 (v4.2.3-0-ga15d7331476c).
$ tshark.exe -r ./zgp_control_log.pcapng -T fields -e zbee_nwk_gp.source_id | sort | uniq -c
14
58 0x78417788
46 0xab361a07
3 0xffffffff
$ tshark.exe -r ./zgp_control_log.pcapng -Y "zbee_nwk_gp.source_id matches 7841"
tshark: Matches requires a double quoted string on the right side.
zbee_nwk_gp.source_id matches 7841
^~~~
$ tshark.exe -r ./zgp_control_log.pcapng -Y "zbee_nwk_gp.source_id matches \"7841\""
tshark: zbee_nwk_gp.source_id (type=Unsigned integer (32 bits)) cannot participate in matches comparis
on.
comparison.
zbee_nwk_gp.source_id matches "7841"
^~~~~~~~~~~~~~~~~~~~~
$ tshark.exe -r ./zgp_control_log.pcapng -Y "zbee_nwk_gp.source_id contains \"7841\""
tshark: zbee_nwk_gp.source_id (type=Unsigned integer (32 bits)) cannot participate in contains compari
son.
comparison.
zbee_nwk_gp.source_id contains "7841"
^~~~~~~~~~~~~~~~~~~~~
$ tshark.exe -r ./zgp_control_log.pcapng -Y "zbee_nwk_gp.source_id[0:2] == 78:41"
tshark: "zbee_nwk_gp.source_id" is a Unsigned integer (32 bits) and cannot be sliced into a sequence o
f of bytes.
zbee_nwk_gp.source_id[0:2] == 78:41
^~~~~~~~~~~~~~~~~~~~~
Field is Uint32 - https://www.wireshark.org/docs/dfref/z/zbee_nwk_gp.html
Field name Description Type Versions zbee_nwk_gp.source_id Src ID Unsigned integer (32 bits) 1.12.0 to 4.2.
Two ways (there could be more) to search for specific bytes in the field:
1. WSUG - 6.4.8. Arithmetic operators
Bitwise AND A & B A bitand B Bitwise AND of A and B
$ tshark.exe -r ./zgp_control_log.pcapng -Y "zbee_nwk_gp.source_id & 0xffff0000 == 0x78410000" | wc
58 652 5560
2. Access the raw bytes in the Uint32. Wireshark 4.2.0 Release Notes
It is now possible to filter on raw packet data for any field by using the syntax @some.field == <bytes…>.
$ tshark.exe -r ./zgp_control_log.pcapng -Y "@zbee_nwk_gp.source_id[2:2] == 41:78" | wc
58 652 5560
Due to the "endianness" of the raw bytes in packet data, the raw bytes filter works from the end and in reverse.
Field as displayed in the Packet Details:
Src ID: Unknown (0x78417788)
Field as seen in the Packet Bytes:
0000 88 77 41 78
| | 3 | No.3 Revision |
(Sample capture zgp_control_log.pcapng is from issue 9424: Implement ZigBee Green Power dissector)
The error messages will be appear in the lower left of the gui on the status line.
It's easier to capture the text getting the output from tshark.
$ tshark -v
TShark (Wireshark) 4.2.3 (v4.2.3-0-ga15d7331476c).
$ tshark.exe -r ./zgp_control_log.pcapng -T fields -e zbee_nwk_gp.source_id | sort | uniq -c
14
58 0x78417788
46 0xab361a07
3 0xffffffff
$ tshark.exe -r ./zgp_control_log.pcapng -Y "zbee_nwk_gp.source_id matches 7841"
tshark: Matches requires a double quoted string on the right side.
zbee_nwk_gp.source_id matches 7841
^~~~
$ tshark.exe -r ./zgp_control_log.pcapng -Y "zbee_nwk_gp.source_id matches \"7841\""
tshark: zbee_nwk_gp.source_id (type=Unsigned integer (32 bits)) cannot participate in matches comparison.
zbee_nwk_gp.source_id matches "7841"
^~~~~~~~~~~~~~~~~~~~~
$ tshark.exe -r ./zgp_control_log.pcapng -Y "zbee_nwk_gp.source_id contains \"7841\""
tshark: zbee_nwk_gp.source_id (type=Unsigned integer (32 bits)) cannot participate in contains comparison.
zbee_nwk_gp.source_id contains "7841"
^~~~~~~~~~~~~~~~~~~~~
$ tshark.exe -r ./zgp_control_log.pcapng -Y "zbee_nwk_gp.source_id[0:2] == 78:41"
tshark: "zbee_nwk_gp.source_id" is a Unsigned integer (32 bits) and cannot be sliced into a sequence of bytes.
zbee_nwk_gp.source_id[0:2] == 78:41
^~~~~~~~~~~~~~~~~~~~~
Field is Uint32 - https://www.wireshark.org/docs/dfref/z/zbee_nwk_gp.html
Field name Description Type Versions zbee_nwk_gp.source_id Src ID Unsigned integer (32 bits) 1.12.0 to 4.2.
Two ways (there could be more) to search for specific bytes in the field:
1. WSUG - 6.4.8. Arithmetic operators
Bitwise AND A & B A bitand B Bitwise AND of A and B
$ tshark.exe -r ./zgp_control_log.pcapng -Y "zbee_nwk_gp.source_id & 0xffff0000 == 0x78410000" | wc
58 652 5560
2. Access the raw bytes in the Uint32. Wireshark 4.2.0 Release Notes
It is now possible to filter on raw packet data for any field by using the syntax @some.field == <bytes…>.
$ tshark.exe -r ./zgp_control_log.pcapng -Y "@zbee_nwk_gp.source_id[2:2] == 41:78" | wc
58 652 5560
Due to the "endianness" of the raw bytes in packet data, the raw bytes filter works from the end and in reverse.
Field as displayed in the Packet Details:
Src ID: Unknown (0x78417788)
Field as seen in the Packet Bytes:
0000 88 77 41 78
| | 4 | No.4 Revision |
(Sample capture zgp_control_log.pcapng is from issue 9424: Implement ZigBee Green Power dissector)
The error messages will be appear in the lower left of the gui on the status line.
It's easier to capture the text getting the output from tshark.
$ tshark -v
TShark (Wireshark) 4.2.3 (v4.2.3-0-ga15d7331476c).
$ tshark.exe -r ./zgp_control_log.pcapng -T fields -e zbee_nwk_gp.source_id | sort | uniq -c
14
58 0x78417788
46 0xab361a07
3 0xffffffff
$ tshark.exe -r ./zgp_control_log.pcapng -Y "zbee_nwk_gp.source_id matches 7841"
tshark: Matches requires a double quoted string on the right side.
zbee_nwk_gp.source_id matches 7841
^~~~
$ tshark.exe -r ./zgp_control_log.pcapng -Y "zbee_nwk_gp.source_id matches \"7841\""
tshark: zbee_nwk_gp.source_id (type=Unsigned integer (32 bits)) cannot participate in matches comparison.
zbee_nwk_gp.source_id matches "7841"
^~~~~~~~~~~~~~~~~~~~~
$ tshark.exe -r ./zgp_control_log.pcapng -Y "zbee_nwk_gp.source_id contains \"7841\""
tshark: zbee_nwk_gp.source_id (type=Unsigned integer (32 bits)) cannot participate in contains comparison.
zbee_nwk_gp.source_id contains "7841"
^~~~~~~~~~~~~~~~~~~~~
$ tshark.exe -r ./zgp_control_log.pcapng -Y "zbee_nwk_gp.source_id[0:2] == 78:41"
tshark: "zbee_nwk_gp.source_id" is a Unsigned integer (32 bits) and cannot be sliced into a sequence of bytes.
zbee_nwk_gp.source_id[0:2] == 78:41
^~~~~~~~~~~~~~~~~~~~~
Field is Uint32 - https://www.wireshark.org/docs/dfref/z/zbee_nwk_gp.htmlDisplay Filter Reference: ZigBee Green Power Profile
Field name Description Type Versions zbee_nwk_gp.source_id Src ID Unsigned integer (32 bits) 1.12.0 to 4.2.
Two ways (there could be more) to search for specific bytes in the field:
1. WSUG - 6.4.8. Arithmetic operators
Bitwise AND A & B A bitand B Bitwise AND of A and B
$ tshark.exe -r ./zgp_control_log.pcapng -Y "zbee_nwk_gp.source_id & 0xffff0000 == 0x78410000" | wc
58 652 5560
2. Access the raw bytes in the Uint32. Wireshark 4.2.0 Release Notes
It is now possible to filter on raw packet data for any field by using the syntax
@some.field ==<bytes…>.<bytes…>.
$ tshark.exe -r ./zgp_control_log.pcapng -Y "@zbee_nwk_gp.source_id[2:2] == 41:78" | wc
58 652 5560
Due to the "endianness" of the raw bytes in packet data, the raw bytes filter works from the end and in reverse.
Field as displayed in the Packet Details:
Src ID: Unknown (0x78417788)
Field as seen in the Packet Bytes:
0000 88 77 41 78