Re: Display filters for application protocols

[Guy Harris <guy () alum mit edu>]

On Mar 8, 2011, at 11:06 AM, Sake Blok wrote:

> I think you can do it with:
>
> diameter.cmd.code==302 and not diameter.cmd.code!=302

That will display frames that have an LIR message and no non-LIR messages; it won't display frames that contain both 
LIR and non-LIR messages, as the first test would succeed but the second test would fail, so it won't display *all* LIR 
messages.

The problem is what he wants would require that Wireshark/TShark have a sequence of individual DIAMETER messages, not a 
sequence of individual frames+reassembled information, so that the filter could act on individual DIAMETER messages; 
*shark currently has no notion of individual items in the packet sequence being higher-level packets rather than 
link-layer frames, so that's currently not possible.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe