Ask Your Question

Why doesn't mstp.frame_type ne 0 filter out token passing?

asked 2019-06-20 15:07:23 +0000

Boyd gravatar image

updated 2019-06-24 18:57:39 +0000

Guy Harris gravatar image

I would like to upload a picture but I get error:" details must have > 10 points"

Anywho, I use: mstp.frame_type ne 0 but I still get all the token passing

How do I filter them out? I am using BACNET MSTP Boyd

edit retag flag offensive close merge delete


Much better to share a capture file using a public share (e.g. Google Drive or DropBox etc.), but you can do the same with a screenshot, although it's unlikely to be much use in this case as we'll need to see the data.

grahamb gravatar imagegrahamb ( 2019-06-20 15:27:18 +0000 )edit

the link: TEST1.pcapng (file://RD-LAPTOP-BOYD/Users/bmills.DEVELOPMENT/OneDrive%20-%20VCI%20CONTROLS%20Inc/Wireshark/TEST1.pcapng)

Don't know if that will work, but try!

Boyd gravatar imageBoyd ( 2019-06-20 18:17:40 +0000 )edit

That won't work. file:/// URLs are URLs that refer to local files, and work only on your machine. I infer from the "OneDrive" that it's on OneDrive; presumably there's some way to get a public URL for files on OneDrive, so that people on other machines can download the capture from OneDrive.

Guy Harris gravatar imageGuy Harris ( 2019-06-20 22:09:11 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted

answered 2019-06-20 23:42:12 +0000

SYN-bit gravatar image

Without looking at the trace it is difficult to see the problem. However, the filter mstp.frame_type ne 0 means "show packets where there is at least one field with the name mstp.frame_type that does not have the value 0". In other words, if there are multiple instances of mstp.frame_type in the packets and at least one of them does not have the value zero, the packet is still shows.

The filter not mstp.frame_type eq 0 might work better as it means "show all packets where there is not one field with the name mstp.frame_type that has the value 0".

Please also be aware that filtering is at the packet level, not at the PDU level, so if there are multiple PDU's in one packet, it might not be possible to create a filter that works exactly as you need.

edit flag offensive delete link more


...where "packet" means "link-layer frame" in this context. There are protocols where more than one PDU for that protocol can appear in a single link-layer frame (link-layer PDU) - that's true of most protocols that run over TCP, for example.

Guy Harris gravatar imageGuy Harris ( 2019-06-21 02:01:35 +0000 )edit

The filter not mstp.frame_type eq 0 works.

Thank you

Boyd gravatar imageBoyd ( 2019-06-24 15:09:21 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2019-06-20 15:07:23 +0000

Seen: 115 times

Last updated: Jun 24 '19