Wireshark mailing list archives

Re: [Wireshark-users] Re: wireshark display filters: display range of termination ids in one command


From: Manolis Katsidoniotis <manoska () gmail com>
Date: Fri, 14 Oct 2011 18:53:58 +0300

Hello George and Emanuel

It worked !!!!!
I have 760 ports.
From port_1 to port_760.

With the below filter,
I can now see them in groups of 40 :))))))
with the SIP traffic that is generated on the other side.

( ip.addr==10.85.227.168 &&  ( (megaco.termid[5:] gt "0") &&
(megaco.termid[5:] lt "41") ) ) || (sip contains 46710020000)


Many thanks George and Emanuel !!!!!!!!!!!!
This is really a very big help !!!!!!!!!!!!!!!!
Manolis



2011/10/13 Emanuel Fleishman <Emanuel.Fleishman () celtro com>

 Just following on George's proposal,

could you please try the following expression WRT the *megaco.termid* range:



        megaco.termid[5:] gt "0"  &&  megaco.termid[5:] lt "41"



according to http://www.wireshark.org/docs/man-pages/wireshark-filter.html
notation

     [i:]     start_offset = i, end_offset = end_of_field

e.g. *megaco.termid[5:]* is expected to select substrings starting from
the 6th character in "port_XYZ"

If this doesn't work, could you please try a more verbose approach:

     megaco.termid[6] == 0           // indicates string of length 6 such as "port_X"

*or*

     megaco.termid[7] == 0           // indicates string of length 6 such as "port_XY"

     *and* one of the following

        megaco.termid[5] == "1"        // selects strings with pattern "xxxxx1x" in particular "port_1x"

        megaco.termid[5] == "2"

        megaco.termid[5] == "3"

        megaco.termid[5] == "4"



BR/Emanuel



------------------------------

*From:* wireshark-users-bounces () wireshark org [wireshark-users-bounces () wireshark org] on behalf of George [hgsal () yahoo gr]
*Sent:* Thursday, October 13, 2011 2:32 PM
*To:* Community support list for Wireshark
*Subject:* [Wireshark-users] Re: wireshark display filters: display range of termination ids in one command

  Hi Manoli,

 Just a hint from my side, if you want to try with this.
 In http://wiki.wireshark.org/CaptureFilters I have found the following filter:

(tcp[0:2] > 1500 and tcp[0:2] < 1550)

I have tried this, but it is not clear to me which values are acceptable after tcp[0:2] >.
As 0:2 are the bytes for source and dest ports, in my try source was 2&3 and dest 3&4.

Regards,
George


  ------------------------------
*From:* Manolis Katsidoniotis <manoska () gmail com>
*To:* Community support list for Wireshark <wireshark-users () wireshark org>
*Sent:* 1:48 PM Thursday, 13 October 2011
*Subject:* Re: [Wireshark-users] wireshark display filters: display range of termination ids in one command

thanks Martin

yes that's true
I put this more like an example of what I want to do
(of course I tried it since you never know how smart a filter is)

I saw some expressions of type
h248.termList

but I am not aware of exactly how to use them.

Anyone who has ever used them before?

thanks
Manolis


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
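
An added illustration for George's question about the capture filter quoted in the thread (this is not code from the thread or from Wireshark): in capture-filter syntax the accessor is `proto[offset:size]`, so `tcp[0:2]` reads the two bytes at offset 0 of the TCP header, which is the source port, and `tcp[2:2]` reads the destination port. The helper names and the sample header below are constructed for this sketch.

```python
import struct


def tcp_header(src_port, dst_port):
    """Build a minimal 20-byte TCP header (constructed sample, not captured traffic)."""
    # Fields: src port, dst port, seq, ack, data offset (5 words), flags (SYN),
    # window, checksum, urgent pointer. All in network (big-endian) byte order.
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def load(header, offset, size=1):
    """Model of the capture-filter accessor proto[offset:size].

    size is 1, 2 or 4 bytes; the bytes are read as an unsigned big-endian integer.
    """
    if size not in (1, 2, 4):
        raise ValueError("size must be 1, 2 or 4")
    if offset < 0 or offset + size > len(header):
        raise IndexError("read past end of header")
    return int.from_bytes(header[offset:offset + size], "big")


def wiki_filter(header):
    """(tcp[0:2] > 1500 and tcp[0:2] < 1550): compares the source port only."""
    return 1500 < load(header, 0, 2) < 1550


def either_port_filter(header):
    """The same range applied to the source port (tcp[0:2]) or the destination port (tcp[2:2])."""
    return wiki_filter(header) or 1500 < load(header, 2, 2) < 1550


if __name__ == "__main__":
    for src, dst in [(1520, 80), (80, 1520), (1500, 80)]:
        h = tcp_header(src, dst)
        print(src, dst, "tcp[0:2] =", load(h, 0, 2), "tcp[2:2] =", load(h, 2, 2),
              "wiki filter:", wiki_filter(h), "either port:", either_port_filter(h))
```

The value after `>` or `<` is therefore any integer that fits the chosen size, 0 to 65535 for a two-byte read.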


