[EMAIL PROTECTED] wrote:
> According to the filter docs, it is possible to "compare fields against
> fields"

...although, later in the wireshark-filter(4) man page, at least, it says nothing about that.

> but it doesn't seem to be true. For example:
>
> frame.pkt_len > frame.cap_len

That doesn't appear to be syntactically valid, but note that it's a filter that would only match packets if you captured with a non-default snapshot length and captured packets bigger than the snapshot length; I assume that's what you intended.

> or (closer to what I really want)
>
> frame.cap_len > frame.pkt_len+4

That's apparently not syntactically valid, either, but it's a filter that would only match packets if you captured with a badly broken "packet slicing" implementation that set the "captured length" incorrectly so that it's greater than the actual length. (I.e., if frame.cap_len > frame.pkt_len for any frame, there's something wrong with the software that captured that frame.) Even if it were syntactically valid, it probably wouldn't be very useful.

> I've even tried some variations, e.g.:
>
> (frame.cap_len-frame.pkt_len)>4
>
> without success.

The man page doesn't speak of arithmetic on fields.

> Have also attempted with capture filters, but that didn't work either

Those do support arithmetic - but they don't support operators to get the captured length, just the on-the-wire length. They also, obviously, can't filter stuff once you've captured it (at least not in *shark).

_______________________________________________
Wireshark-users mailing list
http://www.wireshark.org/mailman/listinfo/wireshark-users
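An added example, not from this thread or from Wireshark itself, that performs offline the comparison the display filter could not express: it walks the record headers of a classic (non-pcapng) pcap, lists frames the snapshot length sliced (pkt_len > cap_len) and frames where cap_len > pkt_len, which the reply above says points to a broken capture tool. The pcap bytes are constructed inline for the demonstration.

```python
import struct
from typing import Iterator, List, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4
# Global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype (24 bytes)
GLOBAL_HDR = struct.Struct("<IHHiIII")
# Record header: ts_sec, ts_usec, incl_len (= frame.cap_len), orig_len (= frame.pkt_len)
RECORD_HDR = struct.Struct("<IIII")


def iter_records(pcap: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (frame_number, cap_len, pkt_len) for each record in a classic pcap."""
    magic, *_rest = GLOBAL_HDR.unpack_from(pcap, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian classic pcap (pcapng is not handled here)")
    off, n = GLOBAL_HDR.size, 0
    while off + RECORD_HDR.size <= len(pcap):
        _sec, _usec, cap_len, pkt_len = RECORD_HDR.unpack_from(pcap, off)
        off += RECORD_HDR.size
        if off + cap_len > len(pcap):
            raise ValueError(f"frame {n + 1}: record body runs past end of file")
        n += 1
        yield n, cap_len, pkt_len
        off += cap_len


def check_lengths(pcap: bytes) -> Tuple[List[int], List[int]]:
    """Return (sliced, broken): frames where pkt_len > cap_len (normal snaplen
    truncation) and frames where cap_len > pkt_len (capture software bug)."""
    sliced, broken = [], []
    for n, cap_len, pkt_len in iter_records(pcap):
        if pkt_len > cap_len:
            sliced.append(n)
        elif cap_len > pkt_len:
            broken.append(n)
    return sliced, broken


def build_pcap(records: List[Tuple[int, int]], snaplen: int = 96) -> bytes:
    """Constructed sample: each record is (cap_len, pkt_len) with cap_len filler bytes."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, 1))
    for i, (cap_len, pkt_len) in enumerate(records):
        out += RECORD_HDR.pack(1700000000 + i, 0, cap_len, pkt_len) + b"\x00" * cap_len
    return bytes(out)


# Constructed input: one full frame, one sliced by snaplen, one exactly snaplen, one broken.
SAMPLE = build_pcap([(60, 60), (96, 1514), (96, 96), (100, 64)])

if __name__ == "__main__":
    sliced, broken = check_lengths(SAMPLE)
    print("sliced by snaplen:", sliced)            # [2]
    print("cap_len > pkt_len (bad capture):", broken)  # [4]
```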
