Wireshark mailing list archives
Re: Display filters by slice operator using byte offset
From: Jim Aragon <Jim () agdatasystems com>
Date: Wed, 21 Nov 2012 22:24:35 -0800
At 08:52 PM 11/21/2012, M Holt <m.iostreams () gmail com> wrote:
>A given capture contains an IPv4 conversation, with an address of
>192.168.0.125. Using the standard ip.addr, ip.src and ip.dst, I can
>manipulate the displayed packets as expected.
>When attempting to display the same data using the slice operator, I can
>display all packets with a source IP address of 192.168.0.125:
>
>   ip[12:4]==c0.a8.00.7d
>
>However, since the source IP field uses the entire 4 bytes, I would
>expect that the following filter would provide the same results:
>
>   ip[12:]==c0.a8.00.7d
>
>Because [i:] *should* indicate "from this byte offset to the end of the
>field". However, this filter does not display any data.

When using the slice operator, the term "field" refers to the portion of the packet that you've named in the protocol portion of your filter. So, "ip[12:]" means "start at an offset of 12 bytes from the beginning of the IP portion of the packet, and continue to the end of the IP portion of the packet." "Field" in this case refers to the entire IP portion of the packet, not the ip.src field.
>I switched the filter from "==" to "contains", and this does provide
>data, but now I see something similar to using ip.addr == 192.168.0.125.
>
>   ip[12:] contains c0.a8.00.7d

And this makes sense, once you recognize that the "field" is the entire IP portion of the packet.
For what you are trying to accomplish, filtering on the source address, your first attempt ("ip[12:4]") was correct.
>Am I misunderstanding the usage of the operator?
>   [i:]   start_offset = i, end_offset = end_of_field

No, you're not. You understand the operator correctly, you just didn't understand what "field" means in the context of the slice operator.
Jim
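The slice semantics discussed in this message, modeled as an added example that is not part of the original thread and is not Wireshark code. It assumes the field named by `ip` is a 20-byte IPv4 header without options; the helper names and the headers are constructed for illustration. It also shows a case beyond the thread: `contains` on `ip[12:]` can match bytes that straddle the source and destination addresses.

```python
import socket
import struct


def ipv4_header(src: str, dst: str) -> bytes:
    """Constructed 20-byte IPv4 header (no options, checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def dslice(field: bytes, start: int, length=None) -> bytes:
    """Model of field[start:length]; with no length, run to the end of the field."""
    return field[start:] if length is None else field[start:start + length]


def evaluate(ip: bytes, target: bytes) -> dict:
    """Evaluate the three filters from the thread against one IP header."""
    return {
        "ip[12:4] ==": dslice(ip, 12, 4) == target,   # exactly the source address
        "ip[12:] ==": dslice(ip, 12) == target,       # 8 bytes vs 4: never equal
        "ip[12:] contains": target in dslice(ip, 12),  # src, dst, or a straddle
    }


TARGET = bytes.fromhex("c0a8007d")  # 192.168.0.125

# Constructed sample headers.
FROM_HOST = ipv4_header("192.168.0.125", "10.0.0.1")
TO_HOST = ipv4_header("10.0.0.1", "192.168.0.125")
UNRELATED = ipv4_header("10.0.0.1", "10.0.0.2")
# Source ends in c0.a8 and destination starts with 00.7d: neither address
# is 192.168.0.125, yet the byte sequence appears across the boundary.
STRADDLE = ipv4_header("10.0.192.168", "0.125.1.1")

if __name__ == "__main__":
    for name, hdr in [("from host", FROM_HOST), ("to host", TO_HOST),
                      ("unrelated", UNRELATED), ("straddle", STRADDLE)]:
        print(f"{name:10s} {evaluate(hdr, TARGET)}")
```

For address matching, the fixed-length slice `ip[12:4]` (or `ip.src`) avoids both the length mismatch and the straddle match.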