Hi, Just wanted to know that whether there is a way to build a filter, where values of two fields can be compared. For example: if we want to filter gtp-c packets where gtp.teid_data is equal to gtp.teid_cp Thanks in advance. Ravi asked 26 Nov '12, 07:43  RAVI_TANDON |
2 Answers:
Actually you can do this in the current development builds (1.9.0) of Wireshark thanks to r43069. The link has some basic examples. answered 26 Nov '12, 12:12  JeffMorriss ♦ |
You can't do that with normal Wireshark filters. They can only match values in a single frame. The one exception to that are things like tcp.expert filters, because they filter on expert symptons that can be caused by interaction between two frames. But you might want to use the mate engine to do what you want: http://wiki.wireshark.org/Mate answered 26 Nov '12, 07:51  Jasper ♦♦ Actually, both fields are present in the single frame/packet of gtp-c packets (26 Nov '12, 07:55) RAVI_TANDON Okay, I still think it can't be done with the normal filter engine. As far as I know you can only to compare field values to static values, not other field values - at least I can't think of any case where this is possible. (26 Nov '12, 08:02) Jasper ♦♦ |
ok...thanks a lot, will try to use 1.9.0 release