Wireshark-users: Re: [Wireshark-users] Display filter on smb2.fid

From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Wed, 13 Dec 2017 09:12:59 -0500


On Tue, Dec 12, 2017 at 9:28 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
On Dec 12, 2017, at 5:50 PM, Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> wrote:

> On 12/12/2017 03:33 PM, Rodrigo Borges Pereira wrote:
>> Hi,
>> I'd like to match on partial smb2.fid, for example smb2.fid[0] == 00
>> But this seems to be an invalid expression. Is there any trick to it, or just not possible at all?
>
> That's not possible with that field.  You can do partial matches on fields that are byte arrays, for example:
>
> eth.addr[0:3]==00:06:5B
>
> But GUIDs (such as smb2.fid) aren't treated as byte arrays so it doesn't work.

Is there a compelling reason *not* to change the display filter engine to allow field[start:len] for all field types, with the meaning "treat the bytes of the field as a byte array"?

For GUIDs I really don't see a reason not to.

Things like FT_*INTs might require a bit more thought to ensure endianism doesn't cause trouble - presumably the bytes would be presented (and tested) in packet-byte-order (not the host-byte-order that I think we store them in).
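The slice semantics discussed above, as an added example that is not part of the thread and not Wireshark's own code: a small Python model of `field[start:len]` evaluated over a field's bytes in packet byte order, applied to a constructed SMB2 FileId (SMB2 encodes GUIDs little-endian) and a constructed Ethernet address. The sample bytes, the `eval_slice_filter` grammar (only the `field[i] == xx` and `field[i:n] == xx:yy` forms used in the thread, with `i:n` meaning offset and length as in `eth.addr[0:3]==00:06:5B`) and the helper names are assumptions made for this illustration. It also shows the point about integers: for a little-endian wire field the first packet byte differs from the first host-order byte on a big-endian host, so the slice has to be defined on packet order.

```python
"""Added example (not Wireshark code): model of display-filter byte slicing over
packet-order field bytes, on constructed sample data.

Assumptions (not from the thread): the sample bytes are constructed; the filter
grammar accepted by eval_slice_filter is only `field[i] == xx` and
`field[i:n] == xx:yy:..` (offset:length); the GUID is rendered in the usual
data1-data2-data3-data4 form with the first three fields read as little-endian
integers, as a little-endian dissection would show it."""
import re
import struct
import sys

# Constructed wire bytes of a 16-byte SMB2 FileId (GUID), little-endian on the wire.
WIRE_FID = bytes.fromhex("78563412" "3412" "7856" "9abcdef012345678")
# Constructed Ethernet address, the kind of byte-array field eth.addr[0:3] slices.
WIRE_ETH = bytes.fromhex("00065baabbcc")


def guid_le_to_str(b: bytes) -> str:
    """Render 16 little-endian wire bytes in conventional GUID text form:
    data1/data2/data3 are byte-swapped integers, data4 is printed byte by byte."""
    data1, data2, data3 = struct.unpack_from("<IHH", b, 0)
    data4 = b[8:16]
    return f"{data1:08x}-{data2:04x}-{data3:04x}-{data4[:2].hex()}-{data4[2:].hex()}"


def slice_packet_order(field_bytes: bytes, start: int, length: int) -> bytes:
    """Proposed semantics from the thread: treat the field's bytes, in packet
    byte order, as a byte array and take `length` bytes from `start`."""
    return field_bytes[start:start + length]


def int_field_bytes(value: int, size: int, order: str) -> bytes:
    """Bytes of an FT_UINT-style field of `size` bytes: 'little' or 'big' for a
    wire encoding, or 'host' for the byte order of the machine running this."""
    if order == "host":
        order = sys.byteorder
    return value.to_bytes(size, order)


_FILTER_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.]+)\[(?P<start>\d+)(?::(?P<len>\d+))?\]"
    r"\s*==\s*(?P<lit>[0-9A-Fa-f:]+)$"
)


def eval_slice_filter(expr: str, fields: dict) -> bool:
    """Evaluate `field[i] == xx` or `field[i:n] == xx:yy` against fields given as
    packet-order bytes. Only the subset of the grammar used in the thread is handled."""
    m = _FILTER_RE.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported filter: {expr!r}")
    name = m.group("name")
    if name not in fields:
        raise KeyError(f"unknown field: {name}")
    start = int(m.group("start"))
    length = int(m.group("len")) if m.group("len") else 1
    want = bytes.fromhex(m.group("lit").replace(":", ""))
    return slice_packet_order(fields[name], start, length) == want


def endianness_hazard(value: int = 0x12345678) -> dict:
    """Why FT_*INT slicing needs a defined order: the first wire byte of a
    little-endian uint32 is 0x78, while host order puts 0x12 first on a
    big-endian host (and coincides with the wire on a little-endian host)."""
    wire = int_field_bytes(value, 4, "little")
    host = int_field_bytes(value, 4, "host")
    return {"wire_byte0": wire[0], "host_byte0": host[0], "same": wire == host}


if __name__ == "__main__":
    fields = {"smb2.fid": WIRE_FID, "eth.addr": WIRE_ETH}
    # The displayed GUID starts with "12345678", but packet byte 0 is 0x78:
    # a filter on fid[0] has to say which of the two it means.
    print("displayed GUID:", guid_le_to_str(WIRE_FID))
    print("packet byte 0 :", WIRE_FID[:1].hex())
    for f in ("eth.addr[0:3] == 00:06:5B", "smb2.fid[0] == 78", "smb2.fid[0] == 12"):
        print(f, "->", eval_slice_filter(f, fields))
    print(endianness_hazard())
```

The practical caveat for anyone writing such a filter once it exists: `smb2.fid[0]` would match the first byte on the wire (`78` here), not the first two hex digits of the GUID as Wireshark displays it (`12`), because the displayed data1 field is byte-swapped relative to the little-endian wire encoding.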