This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Comparing a “display filter” field to several values

0

I'm using the following code in display filter:

wlan_mgt.supported_rates==0x12 &&
wlan_mgt.supported_rates==0x24 &&
wlan_mgt.supported_rates==0x48 &&
wlan_mgt.supported_rates==0x6c &&
wlan_mgt.supported_rates==0x82 &&
wlan_mgt.supported_rates==0x84 &&
wlan_mgt.supported_rates==0x8b &&
wlan_mgt.supported_rates==0x96

Is it possible to minimize it to something like this (doesn't work):

wlan_mgt.supported_rates==(0x12 && 0x24 && 0x48 && 0x6c && 0x82 && 0x84 && 0x8b && 0x96)

?

asked 13 Mar '14, 03:00

Dor_lan's gravatar image

Dor_lan
21338
accept rate: 0%

2 Answers:

1

frame contains 12:24:48:6c:82:84:8b:96

answered 13 Mar '14, 05:28

Roland's gravatar image

Roland
7642415
accept rate: 13%

I don't think that's correct, the byte sequence for "contains" is in sequential order, whereas the OP requires any of the values in a single field.

I don't think it can be done.

(13 Mar '14, 05:33) grahamb ♦

@grahamb: not "any of the values", but the packet has to contain this field multiple times, whereas each time it equals to another value in the list.

(13 Mar '14, 05:39) Dor_lan

OK misunderstood the question, the filter supplied by @Roland will work if the field is a single byte, the repeated fields follow one another with no intervening space and the repeated fields always have the value in the order specified.

@Dor_lan Have you tried the filter?

(13 Mar '14, 05:56) grahamb ♦

@grahamb: Yes, I've tried the display filter frame.number==1 && wlan_mgt.supported_rates contains 12:24:48:6c:82:84:8b:96 and tshark returned the error "tshark: wlan_mgt.supported_rates (type=unsigned, 1 byte) cannot participate in 'contains' comparison.".

(19 Mar '14, 06:37) Dor_lan

You're only able to run contains against the whole frame not that field, as each instance of the field can only contain 1 byte.

What happens with the filter as suggested by @Roland?

(19 Mar '14, 06:50) grahamb ♦

I am offended by the down vote. You just have to copy and paste the command, no need to change it. grahamb explained how the command works. If you want to narrow it down you can use 'frame[offset] contains byte:byte:byte' or just right click on Tag: Supported Rates and prepare filter for selected. I also agree that a display filter button or macro is the way to go if you need to filter for the above all the time.

(19 Mar '14, 08:38) Roland

@Roland: Sorry for the votedown, I misunderstood the usage with contains. I've tried frame.number==1 && frame contains 12:24:48:6c:82:84:8b:96 and also frame.number==1 && wlan_mgt contains 12:24:48:6c:82:84:8b:96 and both worked! Thank you :)

(19 Mar '14, 08:55) Dor_lan
showing 5 of 7 show 2 more comments

1

I don't think it's going to give you exactly what you want, but maybe a Display Filter Macro will help, by at least reducing the amount of typing you need to do?

answered 13 Mar '14, 11:17

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%

Though not a direct solution but does help! :)

(19 Mar '14, 06:38) Dor_lan