On Fri, Jan 10, 2025 at 9:08 AM Cristian Constantin via Wireshark-dev <wireshark-dev@wireshark.org> wrote:

> wireshark GUI supports byte selection by means of indexing a protocol
> field in display filters, e.g.:
>
> "gsm_map.ms.autn[6] == 0x80"
>
> is it possible to use expressions indexed like shown above for tshark
> fields specified with -e option?

Yes, beginning in Wireshark-4.4.0:
https://www.wireshark.org/docs/relnotes/wireshark-4.4.0.html

They can also be used in custom columns, again beginning in 4.4.0.

> what is the syntax for it?

The syntax is the same, e.g.

tshark -T fields -e "gsm_map.ms.autn[6] == 0x80" -r <file>

will produce a check mark if the test is true (and blank if not)

tshark -T fields -e "gsm_map.ms.autn[6]" -r <file>

will give the value of that byte.

Cheers,
John
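An added example, not part of the original thread and not Wireshark project code: a POSIX shell wrapper that checks for the 4.4.0 threshold mentioned above before passing the slice to -e, and otherwise falls back to a -Y display filter, which only identifies the matching frames. The function names and the fallback are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not part of tshark.

# Extract "X.Y.Z" from the first line of `tshark --version` output,
# which has the form "TShark (Wireshark) 4.4.0 (v4.4.0-...)."
parse_tshark_version() {
    printf '%s\n' "$1" |
        sed -n '1s/^TShark (Wireshark) \([0-9][0-9.]*[0-9]\).*/\1/p'
}

# Succeed (exit 0) when version $1 is 4.4.0 or later, the first release
# that accepts indexed fields such as "gsm_map.ms.autn[6]" with -e.
supports_field_slices() {
    old_ifs=$IFS
    IFS=.
    set -- $1            # split "4.4.0" into 4, 4, 0
    IFS=$old_ifs
    major=${1:-0}
    minor=${2:-0}
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 4 ]; }
}

# Report byte 6 of gsm_map.ms.autn for the capture file given as $1.
autn_byte6() {
    ver=$(parse_tshark_version "$(tshark --version 2>/dev/null)")
    if supports_field_slices "$ver"; then
        # 4.4.0+: one line per frame, frame number plus the byte value
        tshark -r "$1" -T fields -e frame.number -e 'gsm_map.ms.autn[6]'
    else
        # Older tshark: -e rejects the slice, but display filters accept
        # it, so list only the frames where the byte equals 0x80.
        echo "tshark ${ver:-unknown} is older than 4.4.0;" \
             "listing frames where byte 6 == 0x80" >&2
        tshark -r "$1" -Y 'gsm_map.ms.autn[6] == 0x80' \
               -T fields -e frame.number
    fi
}
```

Source the file and call `autn_byte6 <file>`; on an older tshark the output is frame numbers only, not byte values.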