Re: Filtering on a field when there is more than one such field in a Wi-Fi packet

[Richard Sharpe <realrichardsharpe () gmail com>]

On Thu, Aug 13, 2020 at 11:14 PM Jaap Keuter <jaap.keuter () xs4all nl> wrote:
> Hi Richard,
>
> The display filter engine has no concept of individual instances of a field, either it’s there in a packet or not and 
> its value is used in the expression. Where it is in the packet and in what relation to other fields in a display 
> filter expression is of no concern of the display filter engine. It is a question that comes up once in a while, so 
> its not unheard of, but no one has dared to venture into redoing the whole display filter engine design to make this 
> possible. It would at least require an overhaul of the syntax, and I’m not even sure it is possible with the current 
> dissection engine design.

I'm thinking of a gross hack like:

wlan.tag.number == <some-value> and found.wlan.tag.length >= <some-other-value>

Perhaps found would have to be somewhat more verbose to avoid matching
against some obscure protocol, or perhaps it should be:

wlan.tag.number == <some-value> and found:wlan.tag.length >= <some-other-value>

-- 
Regards,
Richard Sharpe
(何以解憂？唯有杜康。--曹操)(传说杜康是酒的发明者)
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe