Wireshark-dev: Re: [Wireshark-dev] dfilter functions

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Dario Lombardo <lomato@xxxxxxxxx>
Date: Mon, 7 Jan 2019 15:49:25 +0100
I agree. They look the same function, except for the limit about types. They look a bit confusing at a first glance. Unless they're needed for something, I'd remove one.

On Mon, Jan 7, 2019 at 2:14 PM Peter Wu <peter@xxxxxxxxxxxxx> wrote:
The online manual reflects 2.6.5, but the manual was updated in master,
https://code.wireshark.org/review/27146

Perhaps size should be removed (as argued in that commit message)?

Kind regards,
Peter

On Sun, Jan 06, 2019 at 02:20:22PM +0000, Michael Mann via Wireshark-dev wrote:
> len - Checks the string length of "string types" (FT_STRING, FT_STRINGZ, FT_UINT_STRING, FT_STRINGZPAD) or array length of "byte types" (FT_BYTES, FT_UINT_BYTES) and does a compare.
> Examples:len(smpp.message_id)  > 10len(smpp.message) > 25
> size - Checks the size of the field in a packet.  Can be used for strings/bytes like len() above, but can also be used for integer fields that vary in length (1-4 bytes)
> Examples:size(eth.type) == 2       (This is just for demonstration purposes.  Obviously the size of the eth.type field could only be 2 but I couldn't quickly think of a "popular" field with varying integer length)    
> size(tcp.options) > 7
>
> count - Number of times a field is found in a single frame.  This can be used to help identify "tunneling" or if multiple PDUs are in a single frame.
> Examples:count(ip.src) > 1
> count(smpp.sequence_number) > 1    (Since sequence_number is required for the packet, having more than one shows frames with multiple PDUs.
>
>
> -----Original Message-----
> From: Dario Lombardo <lomato@xxxxxxxxx>
> To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
> Sent: Sun, Jan 6, 2019 4:35 am
> Subject: [Wireshark-dev] dfilter functions
>
> HiI've noticed that the online documentation about dfilter functions just talks about 2 of them, upper and lower:
> https://www.wireshark.org/docs/man-pages/wireshark-filter.html
> but there are more that are undocumented AFAICS:
> - len- size- count
> Can someone explain me their purpose and give a working example on some protocol?Thanks.Dario.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe


-- 
Naima is online.