Wireshark-users: [Wireshark-users] Display filters by slice operator using byte offset

From: M Holt <m.iostreams@xxxxxxxxx>
Date: Wed, 21 Nov 2012 20:52:03 -0800
Testing display filters using byte offset instead of standard filters, I am getting unexpected behavior as noted below:

A given capture contains an IPv4 conversation, with an address of 192.168.0.125. Using the standard ip.addr, ip.src and ip.dst, I can manipulate the displayed packets as expected. When attempting to display the same data using the slice operator, I can display all packets with a source IP address of 192.168.0.125:

    ip[12:4]==c0.a8.00.7d

This makes sense, because I am selecting the 12th byte offset (source address), followed by the hex representation of 192.168.0.125. However, since the source IP field uses the entire 4 bytes, I would expect that the following filter would provide the same results:

    ip[12:]==c0.a8.00.7d

Because [i:] *should* indicate "from this byte offset to the end of the field". However, this filter does not display any data. I switched the filter from "==" to "contains", and this does provide data, but now I see something similar to using ip.addr == 192.168.0.125.

    ip[12:] contains c0.a8.00.7d

In other words, I am seeing all packets that contain this IP address, whether source OR destination.

Documentation on this particular area is fairly sparse, with most examples just being repeats of the same couple of paragraphs of the Wireshark documentation:

http://www.wireshark.org/docs/man-pages/wireshark-filter.html#the_slice_operator

Am I misunderstanding the usage of the operator?

    [i:j]    i = start_offset, j = length
    [i-j]    i = start_offset, j = end_offset, inclusive.
    [i]      i = start_offset, length = 1
    [:j]     start_offset = 0, length = j
    [i:]     start_offset = i, end_offset = end_of_field

Best regards,
Mike
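Added example (not part of the post above): a small Python model of the five slice forms from the man page, run over two constructed IPv4 headers. It assumes the `ip` field spans the 20-byte header, so `ip[12:]` yields bytes 12 through 19, i.e. both the source and destination address, which is why `==` against a 4-byte value cannot match while `contains` matches the address in either position.

```python
import re

# Constructed 20-byte IPv4 headers without options (sample data, not from a capture).
# Bytes 0-11: version/IHL, TOS, total length, ID, flags/fragment, TTL, protocol, checksum.
OUTBOUND = bytes.fromhex("4500003c1c46400040060000" "c0a8007d" "0a000001")  # 192.168.0.125 -> 10.0.0.1
INBOUND = bytes.fromhex("4500003c1c46400040060000" "0a000001" "c0a8007d")   # 10.0.0.1 -> 192.168.0.125


def parse_slice(spec, field_len):
    """Map a slice spec (the text between the brackets) to a (start, end) byte range."""
    if m := re.fullmatch(r"(\d+):(\d+)", spec):   # [i:j]  start i, length j
        i, j = int(m[1]), int(m[2])
        start, end = i, i + j
    elif m := re.fullmatch(r"(\d+)-(\d+)", spec):  # [i-j]  start i, end j inclusive
        start, end = int(m[1]), int(m[2]) + 1
    elif m := re.fullmatch(r"(\d+)", spec):        # [i]    single byte at offset i
        start, end = int(m[1]), int(m[1]) + 1
    elif m := re.fullmatch(r":(\d+)", spec):       # [:j]   first j bytes of the field
        start, end = 0, int(m[1])
    elif m := re.fullmatch(r"(\d+):", spec):       # [i:]   offset i to the end of the field
        start, end = int(m[1]), field_len
    else:
        raise ValueError(f"unsupported slice spec {spec!r}")
    if start < 0 or end > field_len or start > end:
        raise ValueError(f"slice [{spec}] is outside the {field_len}-byte field")
    return start, end


def slice_field(field, spec):
    """Return the bytes selected by field[spec]."""
    start, end = parse_slice(spec, len(field))
    return field[start:end]


def byte_string(value):
    """Turn a filter byte literal such as 'c0.a8.00.7d' (or 'c0:a8:00:7d') into bytes."""
    return bytes.fromhex(value.replace(".", "").replace(":", ""))


def filter_eq(field, spec, value):
    """field[spec] == value: the whole slice must match, so lengths must agree."""
    return slice_field(field, spec) == byte_string(value)


def filter_contains(field, spec, value):
    """field[spec] contains value: the value may appear anywhere inside the slice."""
    return byte_string(value) in slice_field(field, spec)


if __name__ == "__main__":
    for name, hdr in (("outbound", OUTBOUND), ("inbound", INBOUND)):
        print(name, "ip[12:] ->", slice_field(hdr, "12:").hex(),
              "| [12:4]==", filter_eq(hdr, "12:4", "c0.a8.00.7d"),
              "| [12:]==", filter_eq(hdr, "12:", "c0.a8.00.7d"),
              "| [12:] contains", filter_contains(hdr, "12:", "c0.a8.00.7d"))
```

The 8-byte slice from `[12:]` explains both observations in the post: `==` never matches a 4-byte literal, and `contains` matches whichever address field holds the value.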