Re: Display filters for application protocols

[Guy Harris <guy () alum mit edu>]

On Mar 8, 2011, at 10:43 AM, Lukáš Oliva wrote:

> actually this is what I somehow expected. Is there a way how to filter
> out just the packets I want? Like: filter out all frames containing
> LIR message but display only LIR messages?

No.  Wireshark/TShark always displays the entire contents of the frame (and the contents of any packets whose 
reassembly is finished by that frame); there is no mechanism to selectively show only some parts of that frame.

> I mean could I somehow
> filter this using capture filters (I think this is not possible, but
> just for sure) or how to use display filters with some more precise
> configuration saying display LIR messages only?

All that display filters do is filter which frames are shown.  They do not filter which parts of the frame are shown 
(there's no notion in Wireshark's dissection engine of a filter applying to parts of a frame).

All that capture filters do is filter which frames are captured.  They do not filter which parts of those frames are 
captured (and it's not clear how they could do so).

Display filters are a lot *less* powerful than some users think; they're not a magical tool that can perform arbitrary 
operations on packets, they're just filters to select which frames to show.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe