Wireshark mailing list archives
Re: dfilter functions
From: Peter Wu <peter () lekensteyn nl>
Date: Mon, 7 Jan 2019 14:13:24 +0100
The online manual reflects 2.6.5, but the manual was updated in master, https://code.wireshark.org/review/27146

Perhaps size should be removed (as argued in that commit message)?

Kind regards,
Peter

On Sun, Jan 06, 2019 at 02:20:22PM +0000, Michael Mann via Wireshark-dev wrote:
> len - Checks the string length of "string types" (FT_STRING, FT_STRINGZ, FT_UINT_STRING, FT_STRINGZPAD) or array length of "byte types" (FT_BYTES, FT_UINT_BYTES) and does a compare.
> Examples:
>   len(smpp.message_id) > 10
>   len(smpp.message) > 25
>
> size - Checks the size of the field in a packet. Can be used for strings/bytes like len() above, but can also be used for integer fields that vary in length (1-4 bytes).
> Examples:
>   size(eth.type) == 2 (This is just for demonstration purposes. Obviously the size of the eth.type field could only be 2, but I couldn't quickly think of a "popular" field with varying integer length.)
>   size(tcp.options) > 7
>
> count - Number of times a field is found in a single frame. This can be used to help identify "tunneling" or if multiple PDUs are in a single frame.
> Examples:
>   count(ip.src) > 1
>   count(smpp.sequence_number) > 1 (Since sequence_number is required for the packet, having more than one shows frames with multiple PDUs.)
>
> -----Original Message-----
> From: Dario Lombardo <lomato () gmail com>
> To: Developer support list for Wireshark <wireshark-dev () wireshark org>
> Sent: Sun, Jan 6, 2019 4:35 am
> Subject: [Wireshark-dev] dfilter functions
>
> Hi
>
> I've noticed that the online documentation about dfilter functions just talks about 2 of them, upper and lower: https://www.wireshark.org/docs/man-pages/wireshark-filter.html
> but there are more that are undocumented AFAICS:
> - len
> - size
> - count
>
> Can someone explain to me their purpose and give a working example on some protocol?
> Thanks.
> Dario.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
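As an added illustration of the three functions described in the quoted message, the Python below mimics len(), size() and count() over a hand-built model of dissected frames. This is example code written for this page, not Wireshark's dfilter implementation: the frames, field values and the rule that a comparison holds if any occurrence of the field satisfies it are assumptions made for the example. Real filters are applied with tshark -Y or the Wireshark filter bar.

```python
"""Toy model of the Wireshark display-filter functions len(), size() and count().

Example code for this page, not Wireshark's own code. A dissected frame is
modelled as a flat list of field occurrences, in dissection order, so a
tunnelled packet or a frame carrying two PDUs simply lists a field twice.
Assumed, not stated in the thread: a comparison is true if ANY occurrence of
the field satisfies it; an absent field has count 0.
"""

import operator
import re
from dataclasses import dataclass
from typing import Union


@dataclass
class Field:
    name: str                       # abbreviated field name, e.g. "ip.src"
    value: Union[str, bytes, int]   # decoded value
    raw: bytes                      # bytes the field occupies in the frame


def dfilter_len(fields, name):
    """len(): string/byte-array length of each occurrence; rejects other types."""
    out = []
    for f in fields:
        if f.name != name:
            continue
        if not isinstance(f.value, (str, bytes)):
            raise ValueError(f"len(): {name} is not a string or byte-string field")
        out.append(len(f.value))
    return out


def dfilter_size(fields, name):
    """size(): number of bytes each occurrence occupies in the frame.

    Unlike len(), this also works for integers of variable width, and for a
    NUL-terminated string (FT_STRINGZ) it includes the terminator."""
    return [len(f.raw) for f in fields if f.name == name]


def dfilter_count(fields, name):
    """count(): how many times the field occurs in one frame (0 if absent)."""
    return [sum(1 for f in fields if f.name == name)]


FUNCS = {"len": dfilter_len, "size": dfilter_size, "count": dfilter_count}
OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
       "<": operator.lt, ">=": operator.ge, "<=": operator.le}
EXPR = re.compile(r"^\s*(len|size|count)\(([A-Za-z0-9_.]+)\)\s*(==|!=|>=|<=|>|<)\s*(\d+)\s*$")


def matches(fields, expr):
    """Evaluate one 'func(field) op number' expression against a frame."""
    m = EXPR.match(expr)
    if not m:
        raise ValueError(f"unsupported filter: {expr!r}")
    func, name, op, rhs = m.groups()
    return any(OPS[op](v, int(rhs)) for v in FUNCS[func](fields, name))


def select(frames, expr):
    """Return the 1-based numbers of the frames matching expr (like tshark -Y)."""
    return [i for i, fr in enumerate(frames, 1) if matches(fr, expr)]


# Constructed sample frames (not real captures).
# 1: plain IPv4/TCP with 8 bytes of TCP options (MSS, NOP, NOP, SACK-permitted).
FRAME1 = [
    Field("eth.type", 0x0800, b"\x08\x00"),
    Field("ip.src", "10.0.0.1", bytes([10, 0, 0, 1])),
    Field("ip.dst", "10.0.0.2", bytes([10, 0, 0, 2])),
    Field("tcp.options", b"\x02\x04\x05\xb4\x01\x01\x04\x02", b"\x02\x04\x05\xb4\x01\x01\x04\x02"),
]
# 2: IP-in-IP tunnel: outer and inner IPv4 headers, so ip.src occurs twice.
FRAME2 = [
    Field("eth.type", 0x0800, b"\x08\x00"),
    Field("ip.src", "192.0.2.1", bytes([192, 0, 2, 1])),
    Field("ip.dst", "192.0.2.2", bytes([192, 0, 2, 2])),
    Field("ip.src", "10.0.0.1", bytes([10, 0, 0, 1])),
    Field("ip.dst", "10.0.0.2", bytes([10, 0, 0, 2])),
]
# 3: one TCP segment carrying two SMPP PDUs; message_id is a NUL-terminated string.
FRAME3 = [
    Field("eth.type", 0x0800, b"\x08\x00"),
    Field("ip.src", "10.0.0.3", bytes([10, 0, 0, 3])),
    Field("tcp.options", b"\x01\x01", b"\x01\x01"),
    Field("smpp.sequence_number", 1, b"\x00\x00\x00\x01"),
    Field("smpp.message_id", "ABC123", b"ABC123\x00"),
    Field("smpp.sequence_number", 2, b"\x00\x00\x00\x02"),
    Field("smpp.message_id", "MSG-0000000042", b"MSG-0000000042\x00"),
]
FRAMES = [FRAME1, FRAME2, FRAME3]

if __name__ == "__main__":
    for expr in ("count(ip.src) > 1", "count(smpp.sequence_number) > 1",
                 "len(smpp.message_id) > 10", "size(tcp.options) > 7",
                 "size(eth.type) == 2"):
        print(f"{expr:35s} -> frames {select(FRAMES, expr)}")
```

The point the model makes concrete is the difference between the three: count(ip.src) > 1 flags only the tunnelled frame, count(smpp.sequence_number) > 1 only the frame with two PDUs, and for the FT_STRINGZ message_id len() and size() differ by the terminator byte (14 vs 15), which is the kind of discrepancy that makes size() on string fields easy to misread.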
Current thread:
- dfilter functions Dario Lombardo (Jan 06)
- <Possible follow-ups>
- Re: dfilter functions Michael Mann via Wireshark-dev (Jan 06)
- Re: dfilter functions Peter Wu (Jan 07)
- Re: dfilter functions Dario Lombardo (Jan 07)
- Re: dfilter functions Peter Wu (Jan 07)