Wireshark-users: Re: [Wireshark-users] Betr: custom columns?

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 12 Aug 2008 16:08:02 -0700

On Aug 12, 2008, at 3:08 PM, Marlon Duksa wrote:

> frame[offset_of_src_addr_number_N:6] == 00:12:1e:9b:85:fe
> But with this, one single address is filtered. What I need is to display in a column the eth.src for specific header. This src address is changing.
>
> If you implement the {n} operator, then this alone is probably enough and you don't need anything else. No?

Not necessarily.

Somebody might want to specify a filter based on encapsulation details, rather than based on instance number, e.g. if you have multiple types of traffic on a network, where both forms of encapsulation have two layers of IP header, somebody might only be interested in, say, ETH|IP|GRE|MPLS|ETH|MPLS|ETH|IP rather than, say, ETH|IP|GRE|IP; you can't handle the latter with just {n}.

In addition, some people might find Luis' syntax easier to deal with than {n}.

{n} might be necessary, but I'm not close to being convinced it's sufficient.
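
The distinction drawn in the message above, as an added example that is not part of the original post and is not Wireshark code: a small Python model of selecting a field by instance number versus by full encapsulation path. The packets are constructed sample data, the function names are hypothetical, and treating `{n}` as a 1-based instance index and the path match as an exact layer-sequence comparison are assumptions, since the thread does not define either syntax.

```python
# Constructed sample packets: a list of (protocol, fields) layers, outermost
# first, mirroring the two encapsulations named in the message.
PKT_A = [("eth", {"src": "00:00:00:00:00:01"}), ("ip", {"src": "10.0.0.1"}),
         ("gre", {}), ("mpls", {"label": 100}),
         ("eth", {"src": "00:00:00:00:00:02"}), ("mpls", {"label": 200}),
         ("eth", {"src": "00:00:00:00:00:03"}), ("ip", {"src": "192.168.1.1"})]
PKT_B = [("eth", {"src": "00:00:00:00:00:0a"}), ("ip", {"src": "10.0.0.2"}),
         ("gre", {}), ("ip", {"src": "172.16.0.1"})]

PATH_A = "ETH|IP|GRE|MPLS|ETH|MPLS|ETH|IP"


def nth_field(pkt, proto, field, n):
    """Assumed {n} semantics: `field` of the n-th (1-based) `proto` layer.

    Returns None when the packet has fewer than n layers of that protocol.
    """
    hits = [fields for name, fields in pkt if name == proto]
    if n < 1 or n > len(hits):
        return None
    return hits[n - 1].get(field)


def path_field(pkt, path, field):
    """`field` of the innermost layer, only if the whole layer stack equals `path`.

    Assumed model of an encapsulation-based selector: exact sequence match.
    """
    stack = [name for name, _ in pkt]
    if stack != path.lower().split("|"):
        return None
    return pkt[-1][1].get(field)


if __name__ == "__main__":
    for label, pkt in (("A", PKT_A), ("B", PKT_B)):
        # Instance number alone: the second IP header exists in both stacks,
        # so both packets produce a value.
        print(label, "ip{2}.src   ->", nth_field(pkt, "ip", "src", 2))
        # Encapsulation path: only the stack with the exact layering matches.
        print(label, "path ip.src ->", path_field(pkt, PATH_A, "src"))
        # Column use case from the quoted question: eth.src of the third ETH.
        print(label, "eth{3}.src  ->", nth_field(pkt, "eth", "src", 3))
```
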