Wireshark-users: Re: [Wireshark-users] Display filter help need. how to do these filters? DNS /L2

From: Christopher Maynard <Christopher.Maynard@xxxxxxxxx>
Date: Fri, 21 Feb 2014 02:09:14 +0000 (UTC)
Guy Harris <guy@...> writes:

> On Feb 20, 2014, at 2:10 PM, false <jctx09@...> wrote:
> 
> > Can someone provide an example please on how to do these filters (display and/or capture)?
> 
> 	...
> 
> > 2) L2 Overhead - Can I get filter out all L2 overhead to see what the total amount of data sent was with and without L2 overhead. ??
> 
> That's a different type of "filter" from a capture or display filter.  Capture or display filters either match or don't match a packet, and filter out entire packets that don't match.  You want a way to filter out part of all packets; Wireshark doesn't have a convenient mechanism to do that.

I think if someone was willing to spend some time to resolve bug 1885[1],
then the statistics would probably give you what you want.  This wouldn't
filter out the data per se, but it would yield more meaningful statistics.  

Until then, you could manually subtract the bytes for the overhead?

- Chris

[1]: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1885
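
One way to do the manual subtraction suggested above, as an added example that is not part of the original message or of Wireshark: it walks a classic pcap file and totals bytes with and without the Ethernet header. The function names and the sample capture are constructed for illustration. It assumes LINKTYPE_ETHERNET and that the capture contains no preamble or FCS, and it does not account for minimum-frame padding.

```python
import struct

ETH_HLEN = 14                    # dst MAC + src MAC + EtherType
VLAN_TPIDS = {0x8100, 0x88A8}    # 802.1Q / 802.1ad: each tag adds 4 bytes

def eth_header_len(frame):
    """Ethernet header length, including any stacked VLAN tags."""
    hlen = ETH_HLEN
    while len(frame) >= hlen and struct.unpack_from("!H", frame, hlen - 2)[0] in VLAN_TPIDS:
        hlen += 4
    return hlen

def l2_totals(pcap):
    """Return (total_bytes, l2_overhead_bytes, payload_bytes) for a classic pcap."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"                # file written little-endian
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"                # file written big-endian
    else:
        raise ValueError("not a classic microsecond pcap file")
    if struct.unpack_from(end + "I", pcap, 20)[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET (1) is handled")
    total = overhead = 0
    off = 24                     # first record follows the 24-byte global header
    while off + 16 <= len(pcap):
        _, _, incl_len, orig_len = struct.unpack_from(end + "IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl_len]
        total += orig_len        # on-the-wire length, even if the capture was sliced
        overhead += min(eth_header_len(frame), orig_len)
        off += 16 + incl_len
    return total, overhead, total - overhead

def _record(frame):
    """Wrap a frame in a pcap record header (constructed sample data)."""
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

def sample_pcap():
    """Constructed two-frame capture: one untagged frame, one with an 802.1Q tag."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    plain = bytes(12) + b"\x08\x00" + bytes(46)
    tagged = bytes(12) + b"\x81\x00\x00\x0a\x08\x00" + bytes(100)
    return hdr + _record(plain) + _record(tagged)

if __name__ == "__main__":
    print("total=%d  L2 overhead=%d  without L2=%d" % l2_totals(sample_pcap()))
```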