(Sample capture zgp_control_log.pcapng is from issue 9424: Implement ZigBee Green Power dissector)

The error messages will appear in the lower left of the GUI on the status line.
It's easier to capture the text by getting the output from tshark.

$ tshark -v
TShark (Wireshark) 4.2.3 (v4.2.3-0-ga15d7331476c).

$ tshark.exe -r ./zgp_control_log.pcapng -T fields -e zbee_nwk_gp.source_id | sort | uniq -c
     14
     58 0x78417788
     46 0xab361a07
      3 0xffffffff

$ tshark.exe -r ./zgp_control_log.pcapng -Y "zbee_nwk_gp.source_id matches 7841"
tshark: Matches requires a double quoted string on the right side.
    zbee_nwk_gp.source_id matches 7841
                                  ^~~~
$ tshark.exe -r ./zgp_control_log.pcapng -Y "zbee_nwk_gp.source_id matches \"7841\""
tshark: zbee_nwk_gp.source_id (type=Unsigned integer (32 bits)) cannot participate in matches comparison.
    zbee_nwk_gp.source_id matches "7841"
    ^~~~~~~~~~~~~~~~~~~~~

$ tshark.exe -r ./zgp_control_log.pcapng -Y "zbee_nwk_gp.source_id contains \"7841\""
tshark: zbee_nwk_gp.source_id (type=Unsigned integer (32 bits)) cannot participate in contains comparison.
    zbee_nwk_gp.source_id contains "7841"
    ^~~~~~~~~~~~~~~~~~~~~

$ tshark.exe -r ./zgp_control_log.pcapng -Y "zbee_nwk_gp.source_id[0:2] == 78:41"
tshark: "zbee_nwk_gp.source_id" is a Unsigned integer (32 bits) and cannot be sliced into a sequence of bytes.
    zbee_nwk_gp.source_id[0:2] == 78:41
    ^~~~~~~~~~~~~~~~~~~~~

Field is Uint32 - https://www.wireshark.org/docs/dfref/z/zbee_nwk_gp.html

Field name              Description     Type                        Versions
zbee_nwk_gp.source_id   Src ID          Unsigned integer (32 bits)  1.12.0 to 4.2.

Two ways (there could be more) to search for specific bytes in the field:

1. WSUG - 6.4.8. Arithmetic operators
Bitwise AND    A & B    A bitand B    Bitwise AND of A and B

$ tshark.exe -r ./zgp_control_log.pcapng -Y "zbee_nwk_gp.source_id & 0xffff0000 == 0x78410000" | wc
     58     652    5560



2. Access the raw bytes in the Uint32. Wireshark 4.2.0 Release Notes

It is now possible to filter on raw packet data for any field by using the syntax @some.field == <bytes…>.

WSUG - 6.4.6. The At Operator

$ tshark.exe -r ./zgp_control_log.pcapng -Y "@zbee_nwk_gp.source_id[2:2] == 41:78" | wc
     58     652    5560

Due to the "endianness" of the raw bytes in packet data, the raw bytes filter works from the end and in reverse.

Field as displayed in the Packet Details:

Src ID: Unknown (0x78417788)

Field as seen in the Packet Bytes:

0000  88 77 41 78
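
The relationship between the two working filters above, as an added example that is not part of the original answer: it builds both filter strings for whole bytes of the displayed value and checks locally that they select the same source IDs. The function names are hypothetical, and the little-endian byte order is assumed from the Packet Bytes dump shown above.

```python
import struct

FIELD = "zbee_nwk_gp.source_id"  # field name from the answer
WIDTH = 4                        # Uint32; little-endian on the wire per the byte dump

def _layout(pattern_hex, msb_offset):
    """Pattern bytes plus their bit shift inside the displayed (big-endian) value."""
    pat = bytes.fromhex(pattern_hex)
    if not pat or msb_offset < 0 or msb_offset + len(pat) > WIDTH:
        raise ValueError("pattern does not fit inside the field")
    return pat, 8 * (WIDTH - msb_offset - len(pat))

def build_filters(pattern_hex, msb_offset=0):
    """Return (mask_filter, raw_filter) for whole bytes of the displayed value,
    starting msb_offset bytes from its most significant end."""
    pat, shift = _layout(pattern_hex, msb_offset)
    mask = ((1 << (8 * len(pat))) - 1) << shift
    want = int.from_bytes(pat, "big") << shift
    mask_filter = f"{FIELD} & 0x{mask:08x} == 0x{want:08x}"
    # Little-endian: the most significant byte is the last raw byte, so the
    # raw offset counts from the other end and the bytes are listed reversed.
    raw = ":".join(f"{b:02x}" for b in reversed(pat))
    raw_filter = f"@{FIELD}[{shift // 8}:{len(pat)}] == {raw}"
    return mask_filter, raw_filter

def matches_value(value, pattern_hex, msb_offset=0):
    """Local model of the bitwise-AND filter on the decoded integer."""
    pat, shift = _layout(pattern_hex, msb_offset)
    mask = ((1 << (8 * len(pat))) - 1) << shift
    return (value & mask) == (int.from_bytes(pat, "big") << shift)

def matches_raw(raw, pattern_hex, msb_offset=0):
    """Local model of the @field[offset:length] filter on the packet bytes."""
    pat, shift = _layout(pattern_hex, msb_offset)
    return raw[shift // 8:shift // 8 + len(pat)] == pat[::-1]

# Source IDs taken from the tshark output in the answer.
SAMPLE_IDS = [0x78417788, 0xAB361A07, 0xFFFFFFFF]

def select(pattern_hex, msb_offset=0, ids=SAMPLE_IDS):
    """IDs selected by both models; raises if the two filters ever disagree."""
    hits = []
    for v in ids:
        by_value = matches_value(v, pattern_hex, msb_offset)
        if by_value != matches_raw(struct.pack("<I", v), pattern_hex, msb_offset):
            raise AssertionError(f"filters disagree for 0x{v:08x}")
        hits += [v] if by_value else []
    return hits
```

`build_filters("7841")` reproduces the two filters used in the answer; a non-zero `msb_offset` targets bytes further into the displayed value.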
