Ask Your Question
0

Use display filter functions in column definitions

asked 2019-08-11 19:32:18 +0000

Chuckc gravatar image

I can create a display filter to display frames with more than one expert info:

   count(_ws.expert.message)>4

Would be nice to be able to add a column count(_ws.expert.message) to sort on and have available when analyzing.

There doesn't seem to be a length field for tcp.options so a column len(tcp.options) would be nice. TCP options aren't broken down into occurrences so something like count(tcp.option_len) (doesn't count NOPs) to compare different TCP handshakes.

Don't have a use case for upper, lower or string but include for completeness? Each use would be standalone - not dependent on other packets or fields - so maybe just an extension of the column definition language?

https://www.wireshark.org/docs/wsug_h...

6.4.6. Functions
The display filter language has a number of functions to convert fields, see Table 6.7, “Display Filter Functions”.
Table 6.7. Display Filter Functions
Function    Description
upper        Converts a string field to uppercase.
lower        Converts a string field to lowercase.
len            Returns the byte length of a string or bytes field.
count        Returns the number of field occurrences in a frame.
string        Converts a non-string field to a string.
edit retag flag offensive close merge delete
add a comment

2 Answers

Sort by » oldest newest most voted
0

answered 2019-08-11 20:10:26 +0000

grahamb gravatar image

Enhancement requests should be made over at the Wireshark Bugzilla.

edit flag offensive delete link more

Comments

Thanks for looking at this. Wanted to give it a trial run before opening a ER.

Chuckc gravatar imageChuckc ( 2019-08-12 20:59:43 +0000 )edit

And it's bug 15990.

Guy Harris gravatar imageGuy Harris ( 2019-08-13 01:41:06 +0000 )edit
add a comment
0

answered 2019-08-11 21:52:19 +0000

Ross Jacobs gravatar image

Wireshark Bugzilla is the appropriate place for feature requests.

In the interim, this script may help you. This will create a file each for every number of expert infos using tshark, so if you see an expert_infos5.pcapng, it will only have packets with 5 expert infos.

#!/usr/bin/env bash
source="/path/to/your/capture"
hits=1
i=1
while [[ $hits > 0 ]]; do
    tshark -r $source -Y "count(_ws.expert.message) > ${i}" -w expert_infos${i}.pcapng
    hits=$(tshark -r /tmp/expert_infos${i}.pcapng | wc -l)
    i=${i}+1
done

My capture only had 1 type of expert infos per packet, so I only see one file:

$bash ls /tmp | grep export_infos
expert_infos1.pcapng
edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2019-08-11 19:32:18 +0000

Seen: 1,120 times

Last updated: Aug 11 '19

Related questions

how to save several Columns preferences?

How to retain column settings across restarts?

display filtering and sll?

many to many comparision [display private networks as example]

ip.flags.sf not supported?

Is it possible to filter to ignore capture before and after a particular time stamps?

Why are ranges not possible in display filter frame.number?

Filter only within displayed packets (without re-analyzing entire file)

I cannot enter a filter for tcp port 61883. What is so special about this number?

tshark smtp filter decode.