On Mon, May 11, 2009 at 02:15:22PM -0400, Yang Ning wrote:
> I have helped add/maintain a dissector that was written by someone
> else. Only recently did I discover that Wireshark crashes if the
> display filter uses "contains".

That's not good.

> Is there something that I have to set so that the "contains" keyword can
> be used in the display filter? How does it know what after which
> offset in the tvb, it is to search for?

Nothing special needs to be done. As an example, I just opened a
capture with IP/TCP/HTTP traffic in it and all of the following work
properly ("HTTP" is in one of the headers - it's not referring to the
HTTP dissector):

    ip contains HTTP
    tcp contains HTTP
    http contains HTTP

I suspect that there is a bug in the dissector code. If you are allowed
to share it and a sample capture file with us, we may be able to help
solve it.

Steve