1

Can I limit the display filter to a specific occurrence?

asked 2019-11-19 21:57:57 +0000

For example: An IP header inside an ICMP message. In that case we have two IP Headers in one packet.

But can I limit the display filter (e.g. ip.dst) to only one of them, like in the columns dialog?


2 Answers

1

answered 2019-11-20 12:39:42 +0000

bubbasnmp

I think @cmaynard would like the same feature. :-)

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10379
==============================================================
Maybe Wireshark could be enhanced to make use of the occurrence specifier in display filters similar to when adding custom columns, perhaps even using the same syntax?

For example:  ip.src#1 == 1.2.3.4

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3791
========================================================
Maybe it would be possible to extend the display filters somehow to be able to filter based on something like what tshark provides with its "-Eoccurrence=f|l|a" capabilities?  Today, essentially Wireshark filters packets using "-Eoccurrence=a", but if that feature can be added to tshark, then at least in theory it could be added to Wireshark?

This doesn't solve your problem but is a start if you ask for an enhancement.
https://osqa-ask.wireshark.org/questi...


Comments

@bubbasnmp, the enhancements I proposed in the 2 bug reports you referenced, namely Bug 3791 and Bug 10379, never received any feedback, either positive or negative, so I don't know what the interest level is within the Wireshark community for such an enhancement. It would probably be better if someone interested in such a feature opens a new enhancement bug report specifically requesting this feature to be added; perhaps then it will garner more attention.

cmaynard ( 2019-11-20 16:42:13 +0000 )

I think Bug 3791 describes the enhancement correctly, as my problem occurs when we tunnel the traffic. So I have voted for improvement.

Christian_R ( 2019-11-20 20:56:10 +0000 )

Added a vote too :-)

SYN-bit ( 2019-11-20 21:23:45 +0000 )

I don't recall Bugzilla supporting votes back when that bug was first opened 10+ years ago, but it's got a few more now, for what it's worth.

cmaynard ( 2019-11-20 21:32:10 +0000 )
0

answered 2019-11-20 09:41:56 +0000

NJL

Not sure it's what you want, but wouldn't you be able to use the "frame[POS] == hex-value" filter?
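The occurrence semantics discussed in this thread, as an added example (not part of the original posts and not Wireshark code): a small Python parser walks a constructed ICMP destination-unreachable frame, lists every ip.dst with its frame offset, and matches on the first, last or any occurrence. The addresses and function names are assumptions for illustration, and the parser goes slightly beyond the ICMP case by also following IP-in-IP (protocol 4) tunnels.

```python
import socket
import struct

ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}  # ICMP types that quote the offending IP header

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header, no options; checksum left at 0 (constructed sample).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def build_sample():
    # Constructed frame: host 10.0.0.1 sent UDP to 192.0.2.9; router 10.0.0.254
    # answers with ICMP destination unreachable quoting the original header.
    quoted = ipv4_header("10.0.0.1", "192.0.2.9", 17, 8) + struct.pack("!HHHH", 40000, 53, 8, 0)
    icmp = struct.pack("!BBHI", 3, 1, 0, 0) + quoted
    eth = bytes(6) + bytes(6) + struct.pack("!H", 0x0800)
    return eth + ipv4_header("10.0.0.254", "10.0.0.1", 1, len(icmp)) + icmp

def ip_dst_occurrences(frame):
    """Return [(frame_offset, address), ...] for every IPv4 destination, outermost first."""
    found = []
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return found
    pos = 14
    while len(frame) >= pos + 20 and frame[pos] >> 4 == 4:
        ihl = (frame[pos] & 0x0F) * 4
        if ihl < 20 or len(frame) < pos + ihl:
            break
        found.append((pos + 16, socket.inet_ntoa(frame[pos + 16:pos + 20])))
        proto, nxt = frame[pos + 9], pos + ihl
        if proto == 4:                      # IP-in-IP tunnel: inner header follows directly
            pos = nxt
        elif proto == 1 and len(frame) > nxt and frame[nxt] in ICMP_ERROR_TYPES:
            pos = nxt + 8                   # skip the 8-byte ICMP header to the quoted packet
        else:
            break
    return found

def matches(frame, addr, occurrence="a"):
    """occurrence: 'f' first, 'l' last, 'a' any (how ip.dst == addr behaves today)."""
    addrs = [a for _, a in ip_dst_occurrences(frame)]
    if not addrs:
        return False
    picked = {"f": addrs[:1], "l": addrs[-1:], "a": addrs}[occurrence]
    return addr in picked
```

The offsets it reports for this frame (30 and 58) are the positions a `frame[POS:4]` slice filter would have to use, and they shift as soon as a VLAN tag or IP options are present.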


Stats

Asked: 2019-11-19 21:57:57 +0000

Seen: 57 times

Last updated: Nov 20