Re: Display filters for application protocols

["news.gmane.com" <AndreasSander1 () gmx net>]

"Lukás Oliva" <olivalukas () gmail com> wrote in 
message news:AANLkTinczCeZZCCy5f_5WE8jVs6WNf63bObvxOc5mc2c () mail gmail com...
>  Hello to the community,
> I am doing some testing for the Diameter protocol and I noticed
> interesting behaviour of the display filters. I noticed that if I run
>
> tshark -r mypcap.pcap -R "diameter.cmd.code==302"
>
> then the output contains afterwards also Diameter packets with
> different diameter.cmd.code. I am not sure if it is actually a bug and
> how tshark handles this filtering for application protocols.
> E.g.: If there is a packet on containing more Diameter (or other
> application protocol) messages on IP (or possibly TCP) level, how is
> this will the display filter filter all of them?
>
> Just for the illustration:
>
> 1  TCP packet: Diameter message 1 (LIR), Diameter message 2 (MAR),
> Diameter message 3 (SAR)
>
> Running tshark -r mypcap.pcap -R "diameter.cmd.code==302" ... # so
> filtering out the LIR messages which have message code 302
>
> Should the tshark produce a list of LIR messages only?

You write, you have one TCP packet with several diameter messages. A display 
filter defines which _packets_ should be displayed. But the display filter 
does not define which details of one packet is displayed.

--
Andy



___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe