Wireshark · Wireshark-dev: [Wireshark-dev] display filter on a field that appears more than once in a message

Wireshark-dev: [Wireshark-dev] display filter on a field that appears more than once in a messa

From: Andrew Schweitzer <a.schweitzer.grps@xxxxxxxxx>

Date: Wed, 06 Sep 2006 20:30:15 -0400

I have a field which can appear more than once in a message. When itappears only once I seem to have no trouble filtering on it. When itappears more than once I seem to getting the wrong results.


Maybe someone can explain what I'm doing wrong?

This is a customer dissector.

I have these fields:

-->header.msg_id: single_packet or multiple_packet-->payload.packet.a_field


If I search on

protocol.header.msg_id == single_packet and (payload.packet.a_field != 1and payload.packet.a_field != 2)


everything works fine.

However, if I search on

protocol.header.msg_id == multiple_packet and (payload.packet.a_field !=1 and payload.packet.a_field != 2)


I seem to get any packet that is *either* a_field != 1 *or* a_field != 2

Any suggestions on how to fix? I assume it has to do with how I registerthese fields with wireshark in the dissector code.


Thanks

Andy

Follow-Ups:
- Re: [Wireshark-dev] display filter on a field that appears more than once in a message
  - From: ronnie sahlberg

Prev by Date: Re: [Wireshark-dev] A plugin dissector and fragmented messages
Next by Date: Re: [Wireshark-dev] display filter on a field that appears more than once in a message
Previous by thread: Re: [Wireshark-dev] Portability issue of capture files.
Next by thread: Re: [Wireshark-dev] display filter on a field that appears more than once in a message
Index(es):
- Date
- Thread