Wireshark-users: Re: [Wireshark-users] Custom Columns & combining filters

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: "Keith French" <keithfrench@xxxxxxxxxxxxx>
Date: Thu, 8 Oct 2009 11:41:41 +0100
Thanks for everyone's help on this, I have found that using the source & destination address columns will give me basically what I want. They show either NT or TE, which strictly speaking is wrong for DPNSS (should be PBX A or PBX B). However, I can live with this.

________________________________

From: wireshark-users-bounces@xxxxxxxxxxxxx on behalf of Martin Visser
Sent: Wed 07/10/2009 21:16
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Custom Columns & combining filters


I think that the problem is that Keith has missed is that field names ARE filters, but unfortunately the converse is not true. For Keith's benefit when you use one or fields to construct a filter, such as "(dpnss.cc_msg_type)||(dpnss.e2e_msg_type)" the result is effectively a logical true or false. If used as a display filter this simply determines whether a packet is displayed or not. The only way to display a new field whose contents are either the contents from this field or that field (and you might have to deal with the case of them both having contents) would be to create a new subdissector (which could be done in LUA). 

The bug Jeff refers to also seems to cover it. I do think some sort of calculated field would be cool.

Even easier would be two create two custom columns, one for dpnss.cc_msg_type and one for dpnss.e2e_msg_type and put up with the lost real estate. 


Regards, Martin

MartinVisser99@xxxxxxxxx



On Thu, Oct 8, 2009 at 3:40 AM, Guy Harris <guy@xxxxxxxxxxxx> wrote:



	On Oct 7, 2009, at 2:32 AM, Keith French wrote:
	
	> In the latest version of Wireshark, when you add a custom column
	> under the Preferences/User Interface, is it possible to define the
	> filter using two or more expressions?
	
	
	I don't see any filter in the dialog box for a column.  I do see
	something that says "Field name", but nothing that says "Filter".
	

	> Either of these two filters are valid on their own, but if I try to
	> combine them to be one column the syntax checker remains a red
	> background:-
	>
	> (dpnss.cc_msg_type)||(dpnss.e2e_msg_type)
	
	
	That's not a field name.  What is it you're trying to do?
	
	___________________________________________________________________________
	Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
	Archives:    http://www.wireshark.org/lists/wireshark-users
	Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
	            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

<<winmail.dat>>