https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3242
Guy Harris <guy@xxxxxxxxxxxx> changed:
What |Removed |Added
----------------------------------------------------------------------------
OS/Version|Windows XP |All
Platform|PC |All
--- Comment #1 from Guy Harris <guy@xxxxxxxxxxxx> 2009-02-06 17:26:45 PDT ---
tshark: Neither "http.header.sgsn" nor "6030" are field or protocol names.
means that, well, neither "http.header.sgsn" nor "6030" are, at the time TShark
starts up - which is the time when it parses filter expressions passed to it on
the command line - are field or protocol names.
That's because the HTTP dissector doesn't know about that field at start-up
time; if it creates the field when it first sees it in a packet, that can't be
made to work the way you want with TShark, and will only *partially* work the
way you want with Wireshark - you couldn't, for example, use that field in a
coloring rule, as those are parsed before Wireshark starts reading the capture.
An alternative might be to have a list of headers that's read from a file in
the user's Wireshark preferences directory, perhaps editable with a UAT, and/or
have a system file giving a "master" list of headers for all users of
Wireshark, in addition to the built-in headers (many of which are there because
Wireshark needs to interpret them in order to dissect the reply).
--
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.