I have noticed that when I select some part of a frame and use the
Display/Match or Display/Prepare it is not always working as it should, or at
least as I think it should.
If I select the source address in the IP header and use
Display/Prepare/Selected I get a filter "ip.src == 10.10.10.178" and so on. A
completely correct filter that will find all IP packets where the source
address is 10.10.10.178.
But if I select e.g. the "Community: public" field of an SNMP packet and use
Display/Prepare/Selected I get a filter
"frame[47] == 04:06:70:75:62:6c:69:63" and when using that filter I don't get
any match at all.
I have discovered that I can easily change the filter from
"frame[47] == 04:06:70:75:62:6c:69:63" to e.g.
"frame[47:8] == 04:06:70:75:62:6c:69:63" (where 8 is the number of octets) or
to "frame[47-54] == 04:06:70:75:62:6c:69:63" and then I get a filter that
finds the packets I want.
The same seems to apply to all results you get from Display/Prepare and
Display/Match where you get frame[x] .... and the entry on the right side is
more than one byte.
I have similar behaviour for both Ethereal 0.9.1 and 0.9.3.
I have not tried with the latest version (0.9.5).