> > But this remains a question: > > It seems FT_STRING can be checked for text under quotes, but not with > > substrings. > > We don't do substring matching in Ethereal display filters, if by that > you mean a filter expression that checks whether a given field > contains a given string. This I didn't mean. It is a new feature already listed in Q 5.27 of FAQ. > > Or do you mean you can't specify a range for an FT_STRING field and > compare it with a text string in quotes (i.e., checking whether a > specific part of a field matches a string)? Yes, e.g. I would like to use sip.Method[0:3]="INV" > > > I find the display filter GUI also a bit confusing, because it displays > > "Value (Character String)" also for ranges, although this can't be used > > afterwards. > > What do you mean by "displays 'Value (Character String)' also for > ranges"? Fields aren't ranges - you can have a range *of* a field. > > Do you mean "it doesn't remove the '(character string)' if you put > something into the 'Range (offset:length)' box"? Yes! According to the current implementation the text entered in the Value box is interpreted as a Byte String, if the user enters a range, and not as "Character String", as the GUI implies.
By the way, is there a filter syntax to specify a number for the occurance of a field value? In SIP it is possible to have multiple headers of the same type included in one message (e.g. the Via header). How can I define a filter to select e.g. the 3rd Via? Is this a feature for the new to be defined filter syntax?
