Re: Filtering on a field when there is more than one such field in a Wi-Fi packet

["Maynard, Chris via Wireshark-dev" <wireshark-dev () wireshark org>]

There’s also a proposal to bring occurrence-matching to filtering in 
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3791, but even if this were to be implemented it would still have 
its limits since it would only match packets where the occurrence was the same for all packets, which isn’t necessarily 
going to be the case.

- Chris

From: Wireshark-dev <wireshark-dev-bounces () wireshark org> On Behalf Of Graham Bloice
Sent: Friday, August 14, 2020 3:31 AM
To: Developer support list for Wireshark <wireshark-dev () wireshark org>
Subject: Re: [Wireshark-dev] Filtering on a field when there is more than one such field in a Wi-Fi packet

tshark has the "-E occurrence=f|l|a" option to print the first, last or all occurence of the field in a packet but that 
is only filtering the output when using -T fields, not matching packets.

On Fri, 14 Aug 2020 at 07:14, Jaap Keuter <jaap.keuter () xs4all nl<mailto:jaap.keuter () xs4all nl>> wrote:
Hi Richard,

The display filter engine has no concept of individual instances of a field, either it’s there in a packet or not and 
its value is used in the expression. Where it is in the packet and in what relation to other fields in a display filter 
expression is of no concern of the display filter engine. It is a question that comes up once in a while, so its not 
unheard of, but no one has dared to venture into redoing the whole display filter engine design to make this possible. 
It would at least require an overhaul of the syntax, and I’m not even sure it is possible with the current dissection 
engine design.

Thanks,
Jaap

> On 13 Aug 2020, at 22:12, Richard Sharpe <realrichardsharpe () gmail com<mailto:realrichardsharpe () gmail com>> 
> wrote:
>
> Hi folks,
>
> I faced an interesting problem recently.
>
> I was typing to find a particular tagged item with a tag length
> greater than a specific size.
>
> This presented a problem because many Wi-Fi packets have tagged fields
> and a search filter like wlan.tag.number == X and wlan.tag.length >=
> some-value is prone to false positives if any tagged field in the
> frame has that number and any other tagged field in the frame has a
> length ge the value.
>
> How can I limit the length comparison to the tag found in the first comparison?
>
> Do we even have that concept?

CONFIDENTIALITY NOTICE: This message is the property of International Game Technology PLC and/or its subsidiaries and 
may contain proprietary, confidential or trade secret information. This message is intended solely for the use of the 
addressee. If you are not the intended recipient and have received this message in error, please delete this message 
from your system. Any unauthorized reading, distribution, copying, or other use of this message or its attachments is 
strictly prohibited.

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe