Wireshark mailing list archives
Display filters by slice operator using byte offset
From: M Holt <m.iostreams () gmail com>
Date: Wed, 21 Nov 2012 20:52:03 -0800
Testing display filters using byte offset instead of standard filters, I am getting unexpected behavior as noted below:
A given capture contains an IPv4 conversation, with an address of 192.168.0.125. Using the standard ip.addr, ip.src and ip.dst, I can manipulate the displayed packets as expected. When attempting to display the same data using the slice operator, I can display all packets with a source IP address of 192.168.0.125:
    ip[12:4]==c0.a8.00.7d

This makes sense, because I am selecting the 12th byte offset (source address), followed by the hex representation of 192.168.0.125. However, since the source IP field uses the entire 4 bytes, I would expect that the following filter would provide the same results:

    ip[12:]==c0.a8.00.7d

Because [i:] *should* indicate "from this byte offset to the end of the field". However, this filter does not display any data. I switched the filter from "==" to "contains", and this does provide data, but now I see something similar to using ip.addr == 192.168.0.125.

    ip[12:] contains c0.a8.00.7d

In other words, I am seeing all packets that contain this IP address, whether source OR destination.
Documentation on this particular area is fairly sparse, with most examples just being repeats of the same couple of paragraphs of the Wireshark documentation:
http://www.wireshark.org/docs/man-pages/wireshark-filter.html#the_slice_operator

Am I misunderstanding the usage of the operator?

    [i:j]  i = start_offset, j = length
    [i-j]  i = start_offset, j = end_offset, inclusive
    [i]    i = start_offset, length = 1
    [:j]   start_offset = 0, length = j
    [i:]   start_offset = i, end_offset = end_of_field

Best regards,
Mike
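As an added illustration (not code from the post, and not Wireshark's own implementation), the Python model below applies each slice form from the man-page list to a constructed IPv4 header. The `ip` field covers the whole 20-byte header, so `ip[12:]` yields the 8 bytes of source plus destination address; the model shows why `==` against a 4-byte value then never matches while `contains` matches either address. The header bytes and the helper names are assumptions made up for this example.

```python
# Added example (not from the mailing-list post): a small model of the
# Wireshark display-filter slice operator over a constructed IPv4 header.
import re

# Constructed 20-byte IPv4 header: src 192.168.0.125, dst 10.0.0.1.
# The checksum bytes are a placeholder, not a valid checksum.
IPV4_HEADER = bytes.fromhex(
    "4500003c1c4640004006b1e6"   # bytes 0-11: version/IHL .. checksum
    "c0a8007d"                   # bytes 12-15: source address
    "0a000001"                   # bytes 16-19: destination address
)

def slice_field(field: bytes, spec: str) -> bytes:
    """Apply one slice spec in the forms the wireshark-filter man page lists:
    [i:j] start i, length j; [i-j] start i, end j inclusive; [i] one byte;
    [:j] first j bytes; [i:] from i to the end of the field."""
    m = re.fullmatch(r"\[(\d*)(?:([:-])(\d*))?\]", spec)
    if not m or (m.group(2) is None and not m.group(1)):
        raise ValueError(f"bad slice spec {spec!r}")
    i, sep, j = m.group(1), m.group(2), m.group(3)
    start = int(i) if i else 0
    if sep is None:                        # [i]: a single byte
        return field[start:start + 1]
    if sep == "-":                         # [i-j]: inclusive end offset
        return field[start:int(j) + 1]
    if j == "":                            # [i:]: to the end of the field
        return field[start:]
    return field[start:start + int(j)]     # [i:j] and [:j]: explicit length

def parse_bytes(literal: str) -> bytes:
    """Parse a byte-string literal such as c0.a8.00.7d or c0:a8:00:7d."""
    return bytes.fromhex(re.sub(r"[.:]", "", literal))

def evaluate(field: bytes, spec: str, op: str, literal: str) -> bool:
    """Evaluate  field[spec] <op> literal  for the two operators in the post."""
    lhs, rhs = slice_field(field, spec), parse_bytes(literal)
    if op == "==":
        return lhs == rhs          # lengths must match exactly
    if op == "contains":
        return rhs in lhs          # substring match anywhere in the slice
    raise ValueError(f"unsupported operator {op!r}")

if __name__ == "__main__":
    for spec, op in (("[12:4]", "=="), ("[12:]", "=="), ("[12:]", "contains")):
        result = evaluate(IPV4_HEADER, spec, op, "c0.a8.00.7d")
        print(f"ip{spec} {op} c0.a8.00.7d -> {result}")
```

Running it prints True, False, True for the three filters from the post, in that order.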