On Fri, Jan 10, 2025 at 9:08 AM Cristian Constantin via Wireshark-dev <
wireshark-dev@wireshark.org> wrote:

> wireshark GUI supports byte selection by means of indexing a protocol
> field in display filters, e.g.:
>
> "gsm_map.ms.autn[6] == 0x80"
>
> is it possible to use expressions indexed like shown above for tshark
> fields specified with -e option?


Yes, beginning in Wireshark-4.4.0:
https://www.wireshark.org/docs/relnotes/wireshark-4.4.0.html

They can also be used in custom columns, again beginning in 4.4.0.

> what is the syntax for it?

The syntax is the same, e.g.

tshark -T fields -e "gsm_map.ms.autn[6] == 0x80" -r <file>

will produce a check mark if the test is true (and blank if not)

tshark -T fields -e "gsm_map.ms.autn[6]" -r <file>

will give the value of that byte.

Cheers,
John