tshark has the "-E occurrence=f|l|a" option to print the *f*irst, *l*ast or *a*ll occurence of the field in a packet but that is only filtering the output when using -T fields, not matching packets.
On Fri, 14 Aug 2020 at 07:14, Jaap Keuter <jaap.keu...@xs4all.nl> wrote: > Hi Richard, > > The display filter engine has no concept of individual instances of a > field, either it’s there in a packet or not and its value is used in the > expression. Where it is in the packet and in what relation to other fields > in a display filter expression is of no concern of the display filter > engine. It is a question that comes up once in a while, so its not unheard > of, but no one has dared to venture into redoing the whole display filter > engine design to make this possible. It would at least require an overhaul > of the syntax, and I’m not even sure it is possible with the current > dissection engine design. > > Thanks, > Jaap > > > On 13 Aug 2020, at 22:12, Richard Sharpe <realrichardsha...@gmail.com> > wrote: > > > > Hi folks, > > > > I faced an interesting problem recently. > > > > I was typing to find a particular tagged item with a tag length > > greater than a specific size. > > > > This presented a problem because many Wi-Fi packets have tagged fields > > and a search filter like wlan.tag.number == X and wlan.tag.length >= > > some-value is prone to false positives if any tagged field in the > > frame has that number and any other tagged field in the frame has a > > length ge the value. > > > > How can I limit the length comparison to the tag found in the first > comparison? > > > > Do we even have that concept? > > > > ___________________________________________________________________________ > Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org> > Archives: https://www.wireshark.org/lists/wireshark-dev > Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev > mailto:wireshark-dev-requ...@wireshark.org > ?subject=unsubscribe -- Graham Bloice Software Developer Trihedral UK Limited
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
