Wireshark mailing list archives

Re: Display filters by slice operator using byte offset


From: M Holt <m.iostreams () gmail com>
Date: Thu, 22 Nov 2012 06:23:27 -0800

That makes perfect sense - thanks Jim

--
Sent via carrier pigeon

On Nov 21, 2012, at 22:24, Jim Aragon <Jim () agdatasystems com> wrote:

At 08:52 PM 11/21/2012, M Holt <m.iostreams () gmail com> wrote:

A given capture contains an IPv4 conversation, with an address of 
192.168.0.125.  Using the standard ip.addr, ip.src and ip.dst, I can 
manipulate the displayed packets as expected.
When attempting to display the same data using the slice operator, I can 
display all packets with a source IP address of 192.168.0.125:

    ip[12:4]==c0.a8.00.7d

However, since the source IP field uses the entire 4 bytes, I would 
expect that the following filter would provide the same results:

    ip[12:]==c0.a8.00.7d

Because [i:] *should* indicate "from this byte offset to the end of the 
field".  However, this filter does not display any data.

When using the slice operator, the term "field" refers to the portion of the packet that you've named in the protocol 
portion of your filter. So, "ip[12:]" means "start at an offset of 12 bytes from the beginning of the IP portion of 
the packet, and continue to the end of the IP portion of the packet." "Field" in this case refers to the entire IP 
portion of the packet, not the ip.src field.

I switched the filter from "==" to "contains", and this does provide 
data, but now I see something similar to using ip.addr == 192.168.0.125.

    ip[12:] contains c0.a8.00.7d

And this makes sense, once you recognize that the "field" is the entire IP portion of the packet.

For what you are trying to accomplish, filtering on the source address, your first attempt ("ip[12:4]") was correct.

Am I misunderstanding the usage of the operator?

    [i:]     start_offset = i, end_offset = end_of_field

No, you're not. You understand the operator correctly, you just didn't understand what "field" means in the context 
of the slice operator.

Jim
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request () wireshark org?subject=unsubscribe
___________________________________________________________________________
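To make the point about what "field" means concrete, here is an added Python model of the slice operator (example code written for this page, not part of the thread and not Wireshark's own implementation). It assumes the "ip" portion is the 20-byte IPv4 header without options, that `[i:j]` means offset i and length j, and it uses a constructed header rather than a real capture.

```python
import re
import struct

SLICE_RE = re.compile(r"^(\w+)\[(\d*)(:?)(\d*)\]$")


def ipv4_header(src: str, dst: str) -> bytes:
    """Constructed 20-byte IPv4 header (no options): version/IHL 0x45,
    total length 40, id 0x1234, TTL 64, protocol 6 (TCP), checksum left 0."""
    def a2b(addr: str) -> bytes:
        return bytes(int(x) for x in addr.split("."))
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 40, 0x1234, 0, 64, 6, 0, a2b(src), a2b(dst))


def take_slice(field: bytes, spec: str) -> bytes:
    """Apply a Wireshark-style slice spec to the bytes of the named field.
    "ip[12:4]" -> offset 12, length 4; "ip[12:]" -> offset 12 to end of
    the field; "ip[:4]" -> first 4 bytes; "ip[12]" -> a single byte."""
    m = SLICE_RE.match(spec)
    if not m:
        raise ValueError(f"unsupported slice spec: {spec}")
    _, i, colon, j = m.groups()
    start = int(i) if i else 0
    if not colon:                      # "ip[12]": one byte
        return field[start:start + 1]
    if j == "":                        # "[i:]": runs to the end of the field
        return field[start:]
    return field[start:start + int(j)]  # "[i:j]": j bytes from offset i


def parse_bytes(literal: str) -> bytes:
    """Byte-string literal as typed in a filter, e.g. "c0.a8.00.7d"."""
    return bytes.fromhex(literal.replace(".", "").replace(":", ""))


def matches(field: bytes, spec: str, op: str, literal: str) -> bool:
    """Evaluate "<spec> <op> <literal>" the way the thread describes:
    "==" needs the whole slice to equal the literal (so an 8-byte slice
    never equals a 4-byte literal), "contains" looks for a substring."""
    got, want = take_slice(field, spec), parse_bytes(literal)
    if op == "==":
        return got == want
    if op == "contains":
        return want in got
    raise ValueError(f"unsupported operator: {op}")
```

Run `matches(ipv4_header("192.168.0.125", "10.0.0.1"), "ip[12:]", "contains", "c0.a8.00.7d")` and the same with the addresses swapped: both return True, which is why `contains` behaves like `ip.addr`, while `ip[12:4] ==` only matches the first.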