It would also be useful for anything over SCTP (when it bundles). It
took me a while to figure out why my 2-condition (with an "and") filter
was matching frames that I didn't think it should be (the key word is
"frames"; I was expecting the filter to be based on "chunks").
Gilbert Ramirez wrote:
There is no such facility right now, although something like that
would be useful. Another case for something like that is
tunneling protocols, where you have 2 IP headers, for example. Maybe
someone would like to filter only on the first IP header, or the
second.
--gilbert
On 9/28/05, George Utley <gutxxx@xxxxxxxxx> wrote:
Does anyone know if it is possible to limit the scope of filter queries to a
given subtree, similar to XPath? I haven't been able to find one. For
instance, with DNP3, the protocol can specify multiple objects within a
frame, with common fields between the objects. I can't find a way to limit
the search to a specific object within a frame, or to a specific object
type. For instance, it would be useful if I could type something like
dnp3.al.ptnum==7[dnp3.al.timestamp > DATE] to find a subtree containing an
object with point number 7, and then search only that subtree and all its
descendants for a timestamp later than DATE.
If such a facility is not already available, does anyone else think it would
be a useful feature? Would there be any difficulties in implementing it?
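
Added example, not part of the thread and not Ethereal code: a small model of the difference discussed above between a frame-scoped "and" (each condition may be satisfied by a different object or chunk in the frame) and the subtree-scoped match the question asks for. The field names come from the post; `Node`, `walk`, `eq`, `gt`, `frame_match`, `subtree_match`, `make_frame` and the tree layout and values are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    """One node of a dissection tree (hypothetical model, not Ethereal's)."""
    name: str
    fields: dict = field(default_factory=dict)
    children: list = field(default_factory=list)

def walk(node):
    """Yield a node and all of its descendants, depth-first."""
    yield node
    for child in node.children:
        yield from walk(child)

def eq(key, val):
    return lambda f: f.get(key) == val

def gt(key, val):
    return lambda f: key in f and f[key] > val

def frame_match(frame, *conds):
    """Frame-scoped 'and': every condition must hold somewhere in the frame,
    but different conditions may be satisfied by different subtrees."""
    return all(any(c(n.fields) for n in walk(frame)) for c in conds)

def subtree_match(frame, anchor, *conds):
    """Subtree-scoped: return nodes that satisfy `anchor` and whose own
    subtree (the node plus its descendants) satisfies every condition."""
    return [n for n in walk(frame)
            if anchor(n.fields)
            and all(any(c(d.fields) for d in walk(n)) for c in conds)]

def make_frame(ts_point7, ts_point9):
    """Constructed sample: one frame carrying two objects, each with a
    timestamp stored in a child node of the object."""
    def obj(ptnum, ts):
        return Node("object", {"dnp3.al.ptnum": ptnum},
                    [Node("time", {"dnp3.al.timestamp": ts})])
    return Node("frame", children=[
        Node("dnp3", children=[obj(7, ts_point7), obj(9, ts_point9)])])

DATE = 300  # constructed threshold standing in for DATE in the post
```

With `make_frame(100, 500)`, the frame-scoped filter matches because point 7 and the late timestamp sit in different objects, while the subtree-scoped match returns nothing.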