Wireshark-dev: Re: [Wireshark-dev] Filter expressions for recursive structures

From: chuck c <bubbasnmp@xxxxxxxxx>
Date: Sat, 30 Jul 2022 10:01:09 -0500
The current dev (3.7) branch added support for layers:
dfilter: Add syntax to match specific layers in the protocol stack

See current wireshark-filter(4) man page for syntax:

Depending on how the dissector pulls out the fields, that's probably not the solution you want but similar syntax.

Are you looking for a specific occurrence (instance) of a field or is the nesting syntax important?

Can I limit the display filter to a specific occurrence

And as always, please provide a sample pcap. :-)


On Sat, Jul 30, 2022 at 8:01 AM Triton Circonflexe <triton+enuiqr@xxxxxxxxxx> wrote:
Adding a whole pile on the pile, Thrift faces the same issue: not only can structs contain structs, but even with a specific dissector, the IDL definition allows for recursive structures (directly or indirectly).
I didn’t check the other protocol generators (Google Protobuf, Apache Etch, for the ones I know are supported by Wireshark) but it might be the case as well in some of them.

All in all, I think there is a real use for some way of filtering sub-structures in more cases than we might think of.

On Sat, 30 Jul 2022 at 12:28, John Thacker <johnthacker@xxxxxxxxx> wrote:
To pile on more, there's the same enhancement request for Diameter (also generated) that's ten years old:


On Sat, Jul 30, 2022, 3:12 AM Roland Knall <rknall@xxxxxxxxx> wrote:
Just to pile on, a very similar issue exists with OPC UA, more because the dissector is generated and the generator is not respecting naming schemes but they face the same issue.

Kind regards
Roland

> On 29.07.2022 at 18:28, Richard Sharpe <realrichardsharpe@xxxxxxxxx> wrote:
>
> Hi folks,
>
> The wonderful people working on 802.11 have started using recursive structures.
>
> That is, they are embedding Info Elements (IEs) within Info Elements
> and there can be multiple IEs of the same type within an IE within a
> Beacon or Probe etc frame.
>
> Now some people are asking to be able to refer to a specific embedded
> IE within an IE.
>
> That would seem to present problems because there is no way to
> concatenate filter expressions.
>
> About the best I can think of is pass some context to IE dissectors
> via the pinfo field and to insert that into field values via a
> proto_item_append_text ...
>
> Are there any other thoughts about how to deal with this issue?
>
> --
> Regards,
> Richard Sharpe
> (How to dispel sorrow? Only Du Kang. -- Cao Cao) (Du Kang is said to be the inventor of wine)
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
>             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
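To make the ambiguity discussed in the thread concrete, here is an added example (not code from the thread or from Wireshark): a minimal nested-IE parser over a constructed byte string, with a flat field view that cannot tell a top-level IE from the same IE nested inside another, beside a path-based selector with a per-level occurrence index. The container element ID 0xC8 and the path notation are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical element ID whose body carries nested IEs (assumption, not a real 802.11 value).
CONTAINER_EIDS = {0xC8}

@dataclass
class IE:
    eid: int
    body: bytes
    children: list = field(default_factory=list)

def parse_ies(data: bytes, depth: int = 0, max_depth: int = 4) -> list:
    """Parse a run of Element-ID / Length / Body triples; recurse into container IEs."""
    ies, off = [], 0
    while off + 2 <= len(data):
        eid, ln = data[off], data[off + 1]
        body = data[off + 2:off + 2 + ln]
        if len(body) < ln:          # truncated element: stop rather than read past the buffer
            break
        ie = IE(eid, body)
        if eid in CONTAINER_EIDS and depth < max_depth:   # bound the recursion depth
            ie.children = parse_ies(body, depth + 1, max_depth)
        ies.append(ie)
        off += 2 + ln
    return ies

def flat_fields(ies: list) -> list:
    """Flat view, like a single field occurring many times: every IE ID at any depth, in order."""
    out = []
    for ie in ies:
        out.append(ie.eid)
        out.extend(flat_fields(ie.children))
    return out

def select(ies: list, path: list):
    """Path-aware lookup: [(0xC8, 1), (0x01, 2)] = 1st container, then 2nd IE 0x01 inside it."""
    node = None
    for eid, n in path:
        matches = [ie for ie in ies if ie.eid == eid]
        if n < 1 or n > len(matches):
            return None
        node = matches[n - 1]
        ies = node.children
    return node

# Constructed sample: IE 0x01 "A", container 0xC8 holding IE 0x01 "B" and IE 0x01 "C", then IE 0x01 "D".
SAMPLE = bytes([0x01, 1, 0x41, 0xC8, 6, 0x01, 1, 0x42, 0x01, 1, 0x43, 0x01, 1, 0x44])
```

The flat view reports IE 0x01 four times, so "the second occurrence" lands on the nested "B", while the path selector distinguishes the second top-level 0x01 ("D") from the second 0x01 inside the container ("C").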