Wireshark · Wireshark-dev: Re: [Wireshark-dev] Is "tcp.len < -1" a valid display filter?

Wireshark-dev: Re: [Wireshark-dev] Is "tcp.len < -1" a valid display filter?

From: Stephen Fisher <steve@xxxxxxxxxxxxxxxxxx>

Date: Fri, 28 Oct 2011 11:06:32 -0600

On Fri, Oct 28, 2011 at 09:00:59AM +0200, Stig Bjï¿½rlykke wrote:
> On Thu, Oct 27, 2011 at 9:12 PM, Stephen Fisher
> <steve@xxxxxxxxxxxxxxxxxx> wrote:
> > Is there a problem with accepting -1 in that filter?
> 
> It's not a problem, but it's a bug in the logic because the filter 
> does not do what it's supposed to.

I understand now: instead of the filter showing tcp.len that is less 
than -1 (so -2 and so on), it's showing less than the underflow value of 
MAXINT.

> > If so, should the filter be checked against possible values of the 
> > value, i.e. tcp.len is a FT_UINT32 so only accept unsigned 32-bit 
> > values and mark the background as red / bad filter if not?
> 
> The previously attached patch does check for signed/unsigned issues, 
> and will mark the filter as bad/red. I think it would be nice to check 
> all values if they are valid for the given field.

Good idea.  I wonder how much work that would be... never thought of 
that.

Follow-Ups:
- Re: [Wireshark-dev] Is "tcp.len < -1" a valid display filter?
  - From: Stig Bjørlykke

References:
- [Wireshark-dev] Is "tcp.len < -1" a valid display filter?
  - From: Stig Bjørlykke
- Re: [Wireshark-dev] Is "tcp.len < -1" a valid display filter?
  - From: Stephen Fisher
- Re: [Wireshark-dev] Is "tcp.len < -1" a valid display filter?
  - From: Stig Bjørlykke

Prev by Date: Re: [Wireshark-dev] [Wireshark-commits] rev 39487: /trunk/debian/ /trunk/debian/: control
Next by Date: Re: [Wireshark-dev] Is "tcp.len < -1" a valid display filter?
Previous by thread: Re: [Wireshark-dev] Is "tcp.len < -1" a valid display filter?
Next by thread: Re: [Wireshark-dev] Is "tcp.len < -1" a valid display filter?
Index(es):
- Date
- Thread