Wireshark-users: Re: [Wireshark-users] Display filters by slice operator using byte offset
At 08:52 PM 11/21/2012, M Holt <m.iostreams@xxxxxxxxx> wrote:

>A given capture contains an IPv4 conversation, with an address of
>192.168.0.125. Using the standard ip.addr, ip.src and ip.dst, I can
>manipulate the displayed packets as expected.
>When attempting to display the same data using the slice operator, I can
>display all packets with a source IP address of 192.168.0.125:
>
> ip[12:4]==c0.a8.00.7d
>
>However, since the source IP field uses the entire 4 bytes, I would
>expect that the following filter would provide the same results:
>
> ip[12:]==c0.a8.00.7d
>
>Because [i:] *should* indicate "from this byte offset to the end of the
>field". However, this filter does not display any data.

When using the slice operator, the term "field" refers to the portion of
the packet that you've named in the protocol portion of your filter. So,
"ip[12:]" means "start at an offset of 12 bytes from the beginning of the
IP portion of the packet, and continue to the end of the IP portion of the
packet." "Field" in this case refers to the entire IP portion of the
packet, not the ip.src field.

>I switched the filter from "==" to "contains", and this does provide
>data, but now I see something similar to using ip.addr == 192.168.0.125.
>
> ip[12:] contains c0.a8.00.7d

And this makes sense, once you recognize that the "field" is the entire IP
portion of the packet.

For what you are trying to accomplish, filtering on the source address,
your first attempt ("ip[12:4]") was correct.

>Am I misunderstanding the usage of the operator?
> [i:] start_offset = i, end_offset = end_of_field

No, you're not. You understand the operator correctly; you just didn't
understand what "field" means in the context of the slice operator.
Jim
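As an added illustration of Jim's point (this is not code from the thread or from Wireshark), the following Python models the slice operator over a constructed 20-byte IPv4 header: the "field" for `ip[...]` is the whole IP portion, so `ip[12:]` yields 8 bytes (source plus destination), which is why `==` against a 4-byte literal never matches while `contains` matches either address. The `evaluate` helper is a hypothetical, deliberately tiny subset of the display-filter grammar, enough for the three filters discussed.

```python
import re
import struct
from typing import Optional

# Constructed IPv4 header (20 bytes, no options, checksum left zero) so the
# example runs offline; this is not taken from any real capture.
def build_ipv4_header(src: str, dst: str) -> bytes:
    def ip2b(a: str) -> bytes:
        return bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ip2b(src), ip2b(dst))

def ip_slice(ip_header: bytes, start: int, length: Optional[int]) -> bytes:
    # The "field" for ip[...] is the entire IP portion. length=None models the
    # ip[i:] form: from offset i to the end of that portion, not 4 bytes.
    return ip_header[start:] if length is None else ip_header[start:start + length]

# Hypothetical mini-grammar: ip[i:n] or ip[i:], then == or contains, then a
# byte literal such as c0.a8.00.7d (dots or colons as separators).
_FILTER = re.compile(r"^ip\[(\d+):(\d*)\]\s*(==|contains)\s*([0-9a-fA-F.:]+)$")

def evaluate(filter_expr: str, ip_header: bytes) -> bool:
    m = _FILTER.match(filter_expr.strip())
    if not m:
        raise ValueError(f"unsupported filter: {filter_expr!r}")
    start, length, op, literal = m.groups()
    field = ip_slice(ip_header, int(start), int(length) if length else None)
    wanted = bytes.fromhex(literal.replace(".", "").replace(":", ""))
    if op == "==":
        return field == wanted   # byte-for-byte; lengths must be equal
    return wanted in field       # substring anywhere inside the slice

def demo() -> dict:
    src_is_target = build_ipv4_header("192.168.0.125", "10.0.0.1")
    dst_is_target = build_ipv4_header("10.0.0.1", "192.168.0.125")
    return {
        "ip[12:4]==c0.a8.00.7d (src)": evaluate("ip[12:4]==c0.a8.00.7d", src_is_target),
        "ip[12:]==c0.a8.00.7d (src)": evaluate("ip[12:]==c0.a8.00.7d", src_is_target),
        "ip[12:] contains c0.a8.00.7d (src)": evaluate("ip[12:] contains c0.a8.00.7d", src_is_target),
        "ip[12:4]==c0.a8.00.7d (dst)": evaluate("ip[12:4]==c0.a8.00.7d", dst_is_target),
        "ip[12:] contains c0.a8.00.7d (dst)": evaluate("ip[12:] contains c0.a8.00.7d", dst_is_target),
    }

if __name__ == "__main__":
    for expr, matched in demo().items():
        print(f"{str(matched):5}  {expr}")
```

The last two entries show the behaviour M Holt noticed: `contains` over `ip[12:]` also matches packets where 192.168.0.125 is the destination, much like `ip.addr ==`.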