Wireshark mailing list archives

Re: Custom Columns & combining filters


From: "Keith French" <keithfrench () btconnect com>
Date: Thu, 8 Oct 2009 11:41:41 +0100

Thanks for everyone's help on this. I have found that using the source & destination address columns will give me 
basically what I want. They show either NT or TE, which strictly speaking is wrong for DPNSS (should be PBX A or PBX 
B). However, I can live with this.

________________________________

From: wireshark-users-bounces () wireshark org on behalf of Martin Visser
Sent: Wed 07/10/2009 21:16
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Custom Columns & combining filters


I think that the problem is that Keith has missed that field names ARE filters, but unfortunately the converse is 
not true. For Keith's benefit, when you use one or more fields to construct a filter, such as 
"(dpnss.cc_msg_type)||(dpnss.e2e_msg_type)", the result is effectively a logical true or false. If used as a display 
filter, this simply determines whether a packet is displayed or not. The only way to display a new field whose contents 
are either the contents from this field or that field (and you might have to deal with the case of them both having 
contents) would be to create a new subdissector (which could be done in Lua). 

The bug Jeff refers to also seems to cover it. I do think some sort of calculated field would be cool.

Even easier would be to create two custom columns, one for dpnss.cc_msg_type and one for dpnss.e2e_msg_type, and put up 
with the lost real estate. 


Regards, Martin

MartinVisser99 () gmail com



On Thu, Oct 8, 2009 at 3:40 AM, Guy Harris <guy () alum mit edu> wrote:



        On Oct 7, 2009, at 2:32 AM, Keith French wrote:
        
        > In the latest version of Wireshark, when you add a custom column
        > under the Preferences/User Interface, is it possible to define the
        > filter using two or more expressions?
        
        
        I don't see any filter in the dialog box for a column.  I do see
        something that says "Field name", but nothing that says "Filter".
        

        > Either of these two filters is valid on its own, but if I try to
        > combine them to be one column the syntax checker remains a red
        > background:-
        >
        > (dpnss.cc_msg_type)||(dpnss.e2e_msg_type)
        
        
        That's not a field name.  What is it you're trying to do?
        
        ___________________________________________________________________________
        Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
        Archives:    http://www.wireshark.org/lists/wireshark-users
        Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
                    mailto:wireshark-users-request () wireshark org?subject=unsubscribe
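
The calculated field discussed in the thread above can be sketched as a Lua post-dissector. This is an added example, not code posted by anyone in the thread or taken from Wireshark itself; the protocol name dpnss_combined and the field name dpnss_combined.msg_type are hypothetical, and only dpnss.cc_msg_type and dpnss.e2e_msg_type come from the messages.

```lua
-- Added example (not from the thread). Load with:
--   wireshark -X lua_script:dpnss_msgtype.lua
-- or place the file in the personal Lua plugins directory.
-- Hypothetical names: protocol "dpnss_combined", field "dpnss_combined.msg_type".

-- Field extractors must be created at script load time, outside the dissector.
-- Field.new raises an error if the DPNSS dissector's fields are not registered.
local f_cc  = Field.new("dpnss.cc_msg_type")
local f_e2e = Field.new("dpnss.e2e_msg_type")

local p = Proto("dpnss_combined", "DPNSS combined message type")
local pf_msg = ProtoField.string("dpnss_combined.msg_type", "Message type")
p.fields = { pf_msg }

-- Append the display string of every occurrence of one field in this packet.
-- Calling an extractor returns zero or more FieldInfo values.
local function collect(extractor, label, out)
    for _, fi in ipairs({ extractor() }) do
        out[#out + 1] = label .. ": " .. fi.display
    end
end

function p.dissector(tvb, pinfo, tree)
    local parts = {}
    collect(f_cc, "CC", parts)
    collect(f_e2e, "E2E", parts)

    -- Neither field present: add nothing, so the column stays empty.
    if #parts == 0 then return end

    -- If both fields are present, both values are shown, each with its label.
    local item = tree:add(pf_msg, table.concat(parts, ", "))
    item:set_generated()
end

-- Run after the normal dissectors so the DPNSS fields are already populated.
register_postdissector(p)
```

With the script loaded, a single custom column whose field name is dpnss_combined.msg_type shows whichever message type the packet carries.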
        

