Wireshark mailing list archives
Re: Display filter on smb2.fid
From: Guy Harris <guy () alum mit edu>
Date: Tue, 12 Dec 2017 18:28:31 -0800
On Dec 12, 2017, at 5:50 PM, Jeff Morriss <jeff.morriss.ws () gmail com> wrote:
On 12/12/2017 03:33 PM, Rodrigo Borges Pereira wrote:Hi, I'd like to match on partial smb2.fid, for example smb2.fid[0] == 00 But this seems to be an invalid expression. Is there any trick to it, or just not possible at all?That's not possible with that field. You can do partial matches on fields that are byte arrays, for example: eth.addr[0:3]==00:06:5B But GUIDs (such as smb2.fid) aren't treated as byte arrays so it doesn't work.
Is there a compelling reason *not* to change the display filter engine to allow field[start:len] for all field types, with the meaning "treat the bytes of the field as a byte array"? ___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-users Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- Display filter on smb2.fid Rodrigo Borges Pereira (Dec 12)
- Re: Display filter on smb2.fid Jeff Morriss (Dec 12)
- Re: Display filter on smb2.fid Guy Harris (Dec 12)
- Re: Display filter on smb2.fid Jeff Morriss (Dec 13)
- Re: Display filter on smb2.fid Guy Harris (Dec 12)
- Re: Display filter on smb2.fid Jeff Morriss (Dec 12)