Bug ID: 14430
           Summary: Wireshark should not offer invalid completions for
                    capture filters
           Product: Wireshark
           Version: Git
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: Major
          Priority: Low
         Component: Qt UI
  Target Milestone: ---

Build Information:
Version 2.5.1 (v2.5.1rc0-104-gd332507e)

Copyright 1998-2018 Gerald Combs <> and contributors.
License GPLv2+: GNU GPL version 2 or later
<> This is free software;
see the source for copying conditions. There is NO warranty; not even for

Compiled (64-bit) with Qt 5.5.0, with libpcap, without POSIX capabilities, with
GLib 2.36.0, with zlib 1.2.8, with SMI 0.4.8, with c-ares 1.12.0, with Lua
5.2.4, with GnuTLS 3.4.17, with Gcrypt 1.7.7, with MIT Kerberos, with GeoIP,
with nghttp2 1.21.0, with LZ4, with Snappy, with libxml2 2.9.4, with
QtMultimedia, with SBC, with SpanDSP, with bcg729.

Running on Mac OS X 10.12.6, build 16G1036 (Darwin 16.7.0), with Intel(R)
Core(TM) i7-4980HQ CPU @ 2.80GHz (with SSE4.2), with 16384 MB of physical
memory, with locale en_US.UTF-8, with libpcap version 1.8.1 -- Apple version
67.60.2, with GnuTLS 3.4.17, with Gcrypt 1.7.7, with zlib 1.2.8, binary plugins
supported (13 loaded). Built using clang 4.2.1 Compatible Apple LLVM 9.0.0
If, for example, you type "ip a" into the capture filter entry box in the main
screen, it offers "address1", "address2", "address3", and "address4" as

"ip address1 {anything}" is not a valid capture filter; "address1" is valid
only as an 802.11 MAC address.

Furthermore, unless you have a libpcap with the change that I just now checked
into the master branch, it may *crash* with "ip address1 {IP address or valid
host name}".

Note also that the official documented qualifiers for the four MAC addresses in
802.11 headers are "addr1", "addr2", "addr3", and "addr4"; to quote the
pcap-filter man page:

       wlan addr1 ehost
              True if the first IEEE 802.11 address is ehost.

       wlan addr2 ehost
              True if the second IEEE 802.11 address, if  present,  is  ehost.
              The  second  address  field is used in all frames except for CTS
              (Clear To Send) and ACK (Acknowledgment) control frames.

       wlan addr3 ehost
              True if the third IEEE 802.11 address,  if  present,  is  ehost.
              The  third  address field is used in management and data frames,
              but not in control frames.

       wlan addr4 ehost
              True if the fourth IEEE 802.11 address, if  present,  is  ehost.
              The  fourth address field is only used for WDS (Wireless Distri-
              bution System) frames.

You are receiving this mail because:
You are watching all bug changes.
Sent via:    Wireshark-bugs mailing list <>

Reply via email to