On Dec 12, 2017, at 5:50 PM, Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> wrote:
> On 12/12/2017 03:33 PM, Rodrigo Borges Pereira wrote:
>> Hi,
>> I'd like to match on partial smb2.fid, for example smb2.fid[0] == 00
>> But this seems to be an invalid expression. Is there any trick to it, or just not possible at all?
>
> That's not possible with that field. You can do partial matches on fields that are byte arrays, for example:
>
> eth.addr[0:3]==00:06:5B
>
> But GUIDs (such as smb2.fid) aren't treated as byte arrays so it doesn't work.

Is there a compelling reason *not* to change the display filter engine to allow field[start:len] for all field types, with the meaning "treat the bytes of the field as a byte array"?
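
The range semantics discussed in this thread, as an added Python sketch (not Wireshark code and not written by any of the posters): it applies `[i]`, `[i:j]` and `[i-j]` ranges to raw field bytes, which is what "treat the bytes of the field as a byte array" would mean for a 16-byte GUID such as smb2.fid. The function names and sample bytes are constructed for illustration, and returning "no match" for an out-of-range slice is an assumption of this sketch.

```python
import re

def parse_bytes(literal):
    """Parse a colon-separated hex literal such as '00:06:5B'."""
    return bytes(int(part, 16) for part in literal.split(":"))

def take_slice(raw, spec):
    """Apply a display-filter style range to raw field bytes.

    Forms: 'i' one byte, 'i:j' offset i length j, 'i-j' offsets i..j
    inclusive, ':j' first j bytes, 'i:' offset i to the end.
    """
    m = re.fullmatch(r"(\d*)(?:([:-])(\d*))?", spec)
    if not m or spec == "":
        raise ValueError(f"bad range: {spec!r}")
    start_s, sep, end_s = m.groups()
    start = int(start_s) if start_s else 0
    if sep is None:
        length = 1                      # single-byte form: field[i]
    elif sep == ":":
        length = int(end_s) if end_s else len(raw) - start
    else:
        if not start_s or not end_s:
            raise ValueError(f"bad range: {spec!r}")
        length = int(end_s) - start + 1  # inclusive end offset
    if length <= 0 or start + length > len(raw):
        return None                     # outside the field: no match (assumption)
    return raw[start:start + length]

def slice_equals(raw, spec, literal):
    """Evaluate field[spec] == literal against the field's raw bytes."""
    part = take_slice(raw, spec)
    return part is not None and part == parse_bytes(literal)

# Constructed sample values, not taken from a capture.
ETH_ADDR = parse_bytes("00:06:5B:12:34:56")
FID_RAW = bytes.fromhex("00a1b2c3d4e5f60718293a4b5c6d7e8f")  # 16 raw GUID bytes

if __name__ == "__main__":
    print(slice_equals(ETH_ADDR, "0:3", "00:06:5B"))  # byte-array field
    print(slice_equals(FID_RAW, "0", "00"))           # proposed GUID slice
    print(take_slice(FID_RAW, "14:4"))                # runs past the field
```

The slice operates on the bytes as stored in the field, so for a GUID the result depends on the raw byte order rather than on how the value is rendered as a string.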