On Jun 5, 2010, at 2:37 AM, Rohit Mediratta wrote:
> I am trying to generate a display filter which is based on the the value of a TLV within the pcap.
> Let me provide an example of a display filter I am trying to generate in the pcap that I have.
>
> 1. Packet A has a TLV with value1 and another TLV with value2.
> 2. Packet B has a TLV with value2 and a TLV with value3.
> 3. Packet C has a TLV with value3.
> 4. Packet D has a TLV with value2.
>
> I'd like my display filter to be
> "special_display_filter == value1"
> When I apply this filter, I'd like all 4 packets to be displayed.
Display filters can test the fields in a given packet, but they do not have any mechanism for maintaining state, so they cannot choose to match a packet that has a TLV with some value that some TLV in a *previous* packet that matched the filter has - they can only choose to match a specified (constant) value.