Testing display filters using byte offset instead of standard filters, I
am getting unexpected behavior as noted below:
A given capture contains an IPv4 conversation, with an address of
192.168.0.125. Using the standard ip.addr, ip.src and ip.dst, I can
manipulate the displayed packets as expected.
When attempting to display the same data using the slice operator, I can
display all packets with a source IP address of 192.168.0.125:
ip[12:4]==c0.a8.00.7d
This makes sense, because I am selecting the 12th byte offset (source
address), followed by the hex representation of 192.168.0.125.
However, since the source IP field uses the entire 4 bytes, I would
expect that the following filter would provide the same results:
ip[12:]==c0.a8.00.7d
Because [i:] *should* indicate "from this byte offset to the end of the
field". However, this filter does not display any data.
I switched the filter from "==" to "contains", and this does provide
data, but now I see something similar to using ip.addr == 192.168.0.125.
ip[12:] contains c0.a8.00.7d
In other words, I am seeing all packets that contain this IP address,
whether source OR destination.
Documentation on this particular area is fairly sparse, with most
examples just being repeats of the same couple of paragraphs of the
Wireshark documentation:
http://www.wireshark.org/docs/man-pages/wireshark-filter.html#the_slice_operator
Am I misunderstanding the usage of the operator?
[i:j] i = start_offset, j = length
[i-j] i = start_offset, j = end_offset, inclusive.
[i] i = start_offset, length = 1
[:j] start_offset = 0, length = j
[i:] start_offset = i, end_offset = end_of_field
Best regards,
Mike
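The slice forms listed above, applied to a constructed IPv4 header so the three filters from the post can be evaluated side by side (example code added here, not from the post or from Wireshark; the header bytes, `slice_field`, `parse_bytes` and `evaluate` are all constructed for illustration). With `==` the whole slice must match, so `ip[12:]` (which runs to the end of the header) never equals a 4-byte value, while `contains` does a substring match and so hits the address in either position.

```python
import re

# Constructed 20-byte IPv4 header (no options), src 192.168.0.125, dst 10.0.0.1.
# Checksum bytes are zeroed rather than computed; only the addresses matter here.
IP_HEADER = bytes.fromhex("4500003c1c4640004006" "0000" "c0a8007d" "0a000001")
# Same conversation in the other direction: src 10.0.0.1, dst 192.168.0.125.
IP_HEADER_REPLY = IP_HEADER[:12] + IP_HEADER[16:20] + IP_HEADER[12:16]

_SLICE = re.compile(r"^\[(\d*)([:-]?)(\d*)\]$")
_FILTER = re.compile(r"^(\w+)(\[[^\]]*\])\s*(==|contains)\s*(\S+)$")


def slice_field(field: bytes, spec: str) -> bytes:
    """Apply one slice form ([i:j], [i-j], [i], [:j], [i:]) to a field's bytes."""
    m = _SLICE.match(spec)
    if not m:
        raise ValueError(f"unsupported slice {spec!r}")
    i, sep, j = m.groups()
    if sep == "" and i and not j:      # [i]: one byte at offset i
        return field[int(i):int(i) + 1]
    if sep == ":" and i and j:         # [i:j]: j bytes starting at offset i
        return field[int(i):int(i) + int(j)]
    if sep == "-" and i and j:         # [i-j]: offsets i through j, inclusive
        return field[int(i):int(j) + 1]
    if sep == ":" and not i and j:     # [:j]: first j bytes of the field
        return field[:int(j)]
    if sep == ":" and i and not j:     # [i:]: offset i to the end of the field
        return field[int(i):]
    raise ValueError(f"unsupported slice {spec!r}")


def parse_bytes(text: str) -> bytes:
    """Parse a filter byte string such as c0.a8.00.7d or c0:a8:00:7d."""
    return bytes.fromhex(text.replace(".", "").replace(":", ""))


def evaluate(field: bytes, expr: str) -> bool:
    """Evaluate 'proto[slice] == bytes' or 'proto[slice] contains bytes'."""
    m = _FILTER.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported filter {expr!r}")
    _proto, spec, op, value = m.groups()
    got, want = slice_field(field, spec), parse_bytes(value)
    if op == "==":
        return got == want   # whole slice must match, length included
    return want in got       # substring match anywhere inside the slice


if __name__ == "__main__":
    for f in ("ip[12:4]==c0.a8.00.7d", "ip[12:]==c0.a8.00.7d", "ip[12:] contains c0.a8.00.7d"):
        print(f"{f:32} request={evaluate(IP_HEADER, f)} reply={evaluate(IP_HEADER_REPLY, f)}")
```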