Re: Is "tcp.len < -1" a valid display filter?

[Stephen Fisher <steve () stephen-fisher com>]

On Fri, Oct 28, 2011 at 09:00:59AM +0200, Stig Bjørlykke wrote:
> On Thu, Oct 27, 2011 at 9:12 PM, Stephen Fisher
> <steve () stephen-fisher com> wrote:
> > Is there a problem with accepting -1 in that filter?
>
> It's not a problem, but it's a bug in the logic because the filter 
> does not do what it's supposed to.

I understand now: instead of the filter showing tcp.len that is less 
than -1 (so -2 and so on), it's showing less than the underflow value of 
MAXINT.

> > If so, should the filter be checked against possible values of the 
> > value, i.e. tcp.len is a FT_UINT32 so only accept unsigned 32-bit 
> > values and mark the background as red / bad filter if not?
>
> The previously attached patch does check for signed/unsigned issues, 
> and will mark the filter as bad/red. I think it would be nice to check 
> all values if they are valid for the given field.

Good idea.  I wonder how much work that would be... never thought of 
that.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe