Would it be possible to change the created filters that lack proper display
filters
to be byte offsets from the start of the encapsulating protocol
instead of the beginning of the frame?
I.e. creating filters like snmp[x-y]==a:b:c... instead of frame[x-y]==...
At least it would then handle cases when layer3-4 headers change in size
during a conversation.
It would also work when the snmp packet were encapsulated inside ICMP etc
----- Original Message -----
From: "Guy Harris"
Sent: Wednesday, July 24, 2002 6:41 AM
Subject: Re: [Ethereal-users] Display/Match problem - frame[x]
> On Tue, Jul 23, 2002 at 01:09:25PM +0200, Martin Regner wrote:
> > I have similar behaviour for both Ethereal 0.9.1 and 0.9.3. I have
> > not tried with the latest version (0.9.5).
>
> You *should* try it with 0.9.5, because the bug that caused the octet
> length to be left out of constructed "frame[]" filters was fixed in
> either 0.9.4 or 0.9.5 (I forget which).
>
> *However*, note that there's still no *guarantee* that it'll match.
>
> Lines in the protocol tree pane (second pane) might, or might not, have
> a "named field" associated with them.
>
> The IP source address line has the named field "ip.src" associated with
> it, so "Match" and "Prepare" can construct expressions that test the
> value of that field.
>
> The SNMP community line, however, doesn't have a named field associated
> with it, so "Match" and "Prepare" can't construct expressions that test
> the value of that field - they only construct expressions that match
> bytes at a particular offset from the beginning of the packet, so if,
> for example, the IP header of some SNMP request other than the one on
> which you did "Match" or "Prepare" has options in it, the expression
> won't match the community field.