Wireshark-dev: Re: [Wireshark-dev] filters & diameter

From: "Martin Mathieson" <martin.r.mathieson@xxxxxxxxxxxxxx>
Date: Tue, 10 Jul 2007 18:49:37 +0100
OK, I just implemented (2) with change 22284.
You should be able to right-click on a whole AVP that matches the code
you're interested in, choose 'Prepare as Filter | Selected', edit the
last 4 bytes and apply it.

Martin

On 7/10/07, Martin Mathieson <martin.r.mathieson@xxxxxxxxxxxxxx> wrote:
There are several ways this could be tackled:

(1) A script.  Export capture to PDML, parse output and match/check
them yourself
(2) We could add a new filterable field, diameter.avp, whose type was
hex data.  You could right-click to create a filter for that AVP, then
edit the last word to check for the value you want (you could sort of
do this now, but it would only filter at a fixed position within the
message)
(3) The diameter dissector could be changed to generate filterable
fields for each AVP.  Then you could filter on e.g.

diameter.avp.Role-of-Node.value == 1

I could do (2), but I'm not volunteering for (3).

Martin

On 7/10/07, Abhik Sarkar <sarkar.abhik@xxxxxxxxx> wrote:
> Hi Christian,
>
> As you are probably aware, version 0.99.6 came out a few days back
> which I am sure has several fixes, including those for the diameter
> dissector. Have you tried using the latest version?
>
> Hope this helps,
> Abhik.
>
> On 7/10/07, cco <cristian.constantin@xxxxxxxxx> wrote:
> > hi!
> >
> > has anyone tested a filter like this:
> >
> > (diameter.avp.code == 829) && (diameter.avp.data.uint32 == 1)
> >
> > is it supposed to work? is it actually working in your config/ver?
> > in my version, it does not in the sense that it will always show all the
> > diameter commands having an avp with the code 829 but _not_ the ones
> > in which this avp has the value 1.
> >
> > I am using Version 0.99.4 / linux
> >
> > thanks!
> > bye now!
> > cristian
> > _______________________________________________
> > Wireshark-dev mailing list
> > Wireshark-dev@xxxxxxxxxxxxx
> > http://www.wireshark.org/mailman/listinfo/wireshark-dev
> >
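The check the question was after (code 829 and value 1 in the same AVP), done in a script in the spirit of option (1), as an added example that is not part of the original thread or of Wireshark. It works on raw Diameter message bytes (RFC 3588 layout) rather than on PDML; the function names, the vendor ID and both sample messages are constructed for illustration.

```python
import struct

HEADER_LEN = 20        # fixed Diameter header size (RFC 3588)
FLAG_VENDOR = 0x80     # 'V' bit: a 4-byte Vendor-Id follows the AVP header

def iter_avps(msg: bytes):
    """Yield (code, vendor_id, data) for each top-level AVP of one message."""
    if len(msg) < HEADER_LEN:
        raise ValueError("truncated Diameter header")
    msg_len = int.from_bytes(msg[1:4], "big")
    if not HEADER_LEN <= msg_len <= len(msg):
        raise ValueError("bad message length")
    off = HEADER_LEN
    while off < msg_len:
        if off + 8 > msg_len:
            raise ValueError("truncated AVP header")
        code, flags_len = struct.unpack_from("!II", msg, off)
        flags, avp_len = flags_len >> 24, flags_len & 0xFFFFFF
        hdr = 12 if flags & FLAG_VENDOR else 8
        if avp_len < hdr or off + avp_len > msg_len:
            raise ValueError("bad AVP length")
        vendor = struct.unpack_from("!I", msg, off + 8)[0] if hdr == 12 else None
        yield code, vendor, msg[off + hdr:off + avp_len]
        off += (avp_len + 3) & ~3      # AVPs are padded to a 4-byte boundary

def has_avp_uint32(msg: bytes, code: int, value: int) -> bool:
    """True only if a single AVP carries both the code and the Unsigned32 value."""
    return any(c == code and len(d) == 4 and int.from_bytes(d, "big") == value
               for c, _, d in iter_avps(msg))

def _avp(code, data, vendor=None):     # hypothetical helper: encode one AVP
    flags = FLAG_VENDOR if vendor is not None else 0
    hdr = 12 if vendor is not None else 8
    out = struct.pack("!II", code, (flags << 24) | (hdr + len(data)))
    if vendor is not None:
        out += struct.pack("!I", vendor)
    return out + data + b"\x00" * (-len(data) % 4)

def _msg(*avps):                       # hypothetical helper: header + AVPs
    body = b"".join(avps)
    return struct.pack("!II", (1 << 24) | (HEADER_LEN + len(body)), (0x80 << 24) | 271) + bytes(12) + body

# Constructed samples: the value 1 sits in a different AVP vs. in AVP 829 itself.
U32 = lambda n: struct.pack("!I", n)
MSG_OTHER_AVP = _msg(_avp(829, U32(2), vendor=10415), _avp(85, U32(1)))
MSG_MATCH = _msg(_avp(1, b"abc"), _avp(829, U32(1), vendor=10415))

if __name__ == "__main__":
    print(has_avp_uint32(MSG_OTHER_AVP, 829, 1), has_avp_uint32(MSG_MATCH, 829, 1))
```
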