Re: Display filter on smb2.fid

[Jeff Morriss <jeff.morriss.ws () gmail com>]

On Tue, Dec 12, 2017 at 9:28 PM, Guy Harris <guy () alum mit edu> wrote:

> On Dec 12, 2017, at 5:50 PM, Jeff Morriss <jeff.morriss.ws () gmail com>
> wrote:
>
> > On 12/12/2017 03:33 PM, Rodrigo Borges Pereira wrote:
> > > Hi,
> > > I'd like to match on partial smb2.fid, for example smb2.fid[0] == 00
> > > But this seems to be an invalid expression. Is there any trick to it,
> or just not possible at all?
> > That's not possible with that field.  You can do partial matches on
> fields that are byte arrays, for example:
> > eth.addr[0:3]==00:06:5B
> >
> > But GUIDs (such as smb2.fid) aren't treated as byte arrays so it doesn't
> work.
>
> Is there a compelling reason *not* to change the display filter engine to
> allow field[start:len] for all field types, with the meaning "treat the
> bytes of the field as a byte array"?

For GUIDs I really don't see a reason not to.

Things like FT_*INTs might require a bit more thought to ensure endianism
doesn't cause trouble - presumably the bytes would be presented (and
tested) in packet-byte-order (not the host-byte-order that I think we store
them in).

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe