Prigge Scott wrote:
> Using version 0.99.2, and am struggling to create a simple display
> filter using byte offset notation. I want to simply capture traffic
> where the first two bytes of the source address are 68.154.
Then you should be using a capture filter, not a display filter.
> Shouldn't this filter be as simple as ip[12:2]==68 154?
No, the capture filter should be as simple as "ip src net 68.154.0.0/16".
If you want to filter traffic you've *already captured*, *that* would be
a display filter, and that would be, as Stephen Fisher noted, "ip.src ==
68.154.0.0/16"
> I've tried lots of different permutations, but can't get any to work.
> I have created the same offset filter in another product, Network
> Instruments Observer, and I get the results I would expect.
You shouldn't expect the same filter, with the same syntax, to
necessarily work in different products. In libpcap filters (which is
what Wireshark capture filters are), you compare against a *single
number*, so you'd do "ip[12:2] == 68*256+154". Display filter byte
offset notation is different - you'd compare against a byte string, e.g.
68:154.
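To make the difference concrete, here is an added Python example (not from the thread or from Wireshark) that evaluates the three comparisons from the reply against a constructed IPv4 header: the libpcap form, which reads the two bytes at offset 12 as one big-endian 16-bit number and compares it to 68*256+154; the display-filter CIDR form "ip.src == 68.154.0.0/16"; and a byte-string comparison against 68:154. The header builder and the sample addresses are constructed for illustration.

```python
import ipaddress
import struct


def build_ipv4_header(src: str, dst: str) -> bytes:
    """Constructed sample: a minimal 20-byte IPv4 header with no options.
    Only the source/destination fields matter for this demonstration."""
    ver_ihl = (4 << 4) | 5          # version 4, header length 5 words
    return struct.pack(
        "!BBHHHBBH4s4s",
        ver_ihl, 0, 20, 0, 0, 64, 6, 0,   # tos, total len, id, flags/frag, ttl, proto, checksum
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def pcap_offset_value(ip_header: bytes, offset: int, length: int) -> int:
    """What a libpcap expression such as ip[12:2] evaluates to: the
    `length` bytes at `offset` in the IP header, read as one unsigned
    big-endian integer. There is no "two separate numbers" form, which is
    why the reply compares against 68*256+154 (= 17562)."""
    if length not in (1, 2, 4):
        raise ValueError("libpcap byte accesses are 1, 2 or 4 bytes wide")
    return int.from_bytes(ip_header[offset:offset + length], "big")


def capture_filter_matches(ip_header: bytes) -> bool:
    # Equivalent of the capture filter:  ip[12:2] == 68*256+154
    return pcap_offset_value(ip_header, 12, 2) == 68 * 256 + 154


def display_filter_matches(ip_header: bytes) -> bool:
    # Equivalent of the display filter:  ip.src == 68.154.0.0/16
    src = ipaddress.IPv4Address(ip_header[12:16])
    return src in ipaddress.IPv4Network("68.154.0.0/16")


def display_bytes_match(ip_header: bytes) -> bool:
    # Display-filter byte-string comparison of the two bytes at offset 12
    # against 68:154, i.e. the byte sequence 0x44 0x9a.
    return ip_header[12:14] == bytes([68, 154])


def evaluate(src: str) -> dict:
    """Run all three comparisons on a packet from `src` and report whether
    they agree; for a /16 prefix test they always should."""
    hdr = build_ipv4_header(src, "10.0.0.1")   # destination is arbitrary
    results = {
        "pcap_value": pcap_offset_value(hdr, 12, 2),
        "capture_filter": capture_filter_matches(hdr),
        "display_filter": display_filter_matches(hdr),
        "display_bytes": display_bytes_match(hdr),
    }
    results["agree"] = (results["capture_filter"]
                        == results["display_filter"]
                        == results["display_bytes"])
    return results


if __name__ == "__main__":
    for addr in ("68.154.1.2", "68.155.1.2", "154.68.1.2"):
        print(addr, evaluate(addr))
```

The third sample address (154.68.1.2) is included because swapping the byte order is the classic mistake when hand-computing the number: 154*256+68 is a different value, so the filter silently matches the wrong network.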