Re: bitwise operating gives syntax error. + displaying a slice.

[Sake Blok <sake () euronet nl>]

On 8 apr 2012, at 17:37, Marilo wrote:

> I am having trouble trying to get the bitwise operator to function here without a syntax error
>
> This works
>
> C:\sdf>tshark -r asdf2 "ip[0]==45"

As that is indeed a valid *display filter*

> but when I put a bitwise AND in there, I get a syntax error
>
> C:\sdf>tshark -r asdf2 "ip[0]&0==45"
> tshark: Syntax error.
>  Note: That display filter code looks like a valid capture filter;
>        maybe you mixed them up?

That's because is it not a valid display filter. It is however a valid *capture* filter, as the error message suggests.
The bitwise & will currently result in a true or false and can not be compared to a value. 

> Also where in the manual does it speak about this? 

The chapters about capture filters and the chapter about display filters speak about this.

> And it'd be really useful in debugging a filter, if I could display, say, ip[0] or  ip[0]<<2
> Is that possible and is it possible to only display ip[0] or tcp[12] or whatever slice, of a packet?

It is currently not possible to display only a part of a field (or protocol header).

Hope this helps,


Sake
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe