On Mar 8, 2011, at 11:06 AM, Sake Blok wrote:
> I think you can do it with:
>
> diameter.cmd.code==302 and not diameter.cmd.code!=302
That will display frames that have an LIR message and no non-LIR messages; it won't display frames that contain both LIR and non-LIR messages, as the first test would succeed but the second test would fail, so it won't display *all* LIR messages.
The problem is what he wants would require that Wireshark/TShark have a sequence of individual DIAMETER messages, not a sequence of individual frames+reassembled information, so that the filter could act on individual DIAMETER messages; *shark currently has no notion of individual items in the packet sequence being higher-level packets rather than link-layer frames, so that's currently not possible.