Wireshark-users: Re: [Wireshark-users] bitwise operating gives syntax error. + displaying a slice

From: Sake Blok <sake@xxxxxxxxxx>
Date: Tue, 10 Apr 2012 08:47:50 +0200

On 8 apr 2012, at 17:37, Marilo wrote:

> I am having trouble trying to get the bitwise operator to function here without a syntax error
> 
> This works
> 
> C:\sdf>tshark -r asdf2 "ip[0]==45"

As that is indeed a valid *display filter*.

> but when I put a bitwise AND in there, I get a syntax error
> 
> C:\sdf>tshark -r asdf2 "ip[0]&0==45"
> tshark: Syntax error.
>  Note: That display filter code looks like a valid capture filter;
>        maybe you mixed them up?

That's because it is not a valid display filter. It is, however, a valid *capture* filter, as the error message suggests.
The bitwise & will currently result in a true or false and cannot be compared to a value.

> Also where in the manual does it speak about this? 

The chapters about capture filters and the chapter about display filters speak about this.

> And it'd be really useful in debugging a filter, if I could display, say, ip[0] or ip[0]<<2
> Is that possible and is it possible to only display ip[0] or tcp[12] or whatever slice, of a packet?

It is currently not possible to display only a part of a field (or protocol header).

Hope this helps,


Sake
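
An added example, not part of the original message or of Wireshark: a small Python helper that prints the intermediate values of a capture-filter style byte expression, and shows why `45` means the hex byte 0x45 in a display-filter slice comparison but decimal 45 in a capture filter. The header bytes are constructed samples and the function names are hypothetical.

```python
# Constructed sample headers (not taken from the thread's capture file):
# a 20-byte IPv4 header and a 20-byte TCP header.
IP_HDR = bytes.fromhex("4500002800004000400600000a0000010a000002")
TCP_HDR = bytes.fromhex("c0de005000000001000000005010faf000000000")


def bpf_slice(header: bytes, offset: int, size: int = 1) -> int:
    """Capture-filter style proto[offset:size]: unsigned big-endian integer."""
    if size not in (1, 2, 4):
        raise ValueError("pcap-filter accessors are 1, 2 or 4 bytes wide")
    if offset < 0 or offset + size > len(header):
        raise IndexError("slice runs past the end of the header")
    return int.from_bytes(header[offset:offset + size], "big")


def display_slice_equals(header: bytes, offset: int, hex_text: str) -> bool:
    """Display-filter style ip[0] == 45: the right-hand side is hex bytes."""
    want = bytes.fromhex(hex_text.replace(":", ""))
    return header[offset:offset + len(want)] == want


def explain(header: bytes, offset: int, mask: int, shift: int = 0) -> dict:
    """Intermediate values of (proto[offset] & mask) << shift (negative: >>)."""
    raw = bpf_slice(header, offset)
    masked = raw & mask
    result = masked << shift if shift >= 0 else masked >> -shift
    return {"raw": raw, "masked": masked, "result": result}


if __name__ == "__main__":
    print("ip[0] as hex byte:", format(bpf_slice(IP_HDR, 0), "02x"))
    # Display-filter reading: 45 is the hex byte 0x45.
    print("display ip[0] == 45:", display_slice_equals(IP_HDR, 0, "45"))
    # Capture-filter reading: 45 is a decimal integer, so 0x45 (69) != 45.
    print("capture ip[0] == 45:", bpf_slice(IP_HDR, 0) == 45)
    # IPv4 header length in bytes, then TCP header length in bytes.
    print("(ip[0] & 0xf) << 2:", explain(IP_HDR, 0, 0x0F, 2))
    print("(tcp[12] & 0xf0) >> 2:", explain(TCP_HDR, 12, 0xF0, -2))
```
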