Trying to filter out smb2 create requests that have an empty value ((smb2.cmd == 5) && (smb2.flags.response == 0) && !(smb2.olb.length == 0)) and with !(smb2.olb.length == 0) it returns nothing. If I search (smb2.olb.length == 0) instead it returns everything that (smb2.cmd == 5) && (smb2.flags.response == 0) returns. If I change the length to anything other than 0, I get only packets with a blob length of that value, so it otherwise works as expected.
Is this expected behavior? I tried anding the value against 0x1111 and checking if it equaled 0x0000, which yielded the same results as just checking if it equaled 0. Same with checking if it's greater than 0.