Re: Generation of display filter based on a field in the pcap

[Guy Harris <guy () alum mit edu>]

On Jun 5, 2010, at 2:37 AM, Rohit Mediratta wrote:

>   I am trying to generate a display filter which is based on the the value of a TLV within the pcap.
> Let me provide an example of a display filter I am trying to generate in the pcap that I have.
>
> 1. Packet A has a TLV with value1 and another TLV with value2.
> 2. Packet B has a TLV with value2 and a TLV with value3.
> 3. Packet C has a TLV with value3.
> 4. Packet D has a TLV with value2.
>
> I'd like my display filter to be
> "special_display_filter == value1"
> When I apply this filter, I'd like all 4 packets to be displayed.

Display filters can test the fields in a given packet, but they do not have any mechanism for maintaining state, so 
they cannot choose to match a packet that has a TLV with some value that some TLV in a *previous* packet that matched 
the filter has - they can only choose to match a specified (constant) value.

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe