[prev in list] [next in list] [prev in thread] [next in thread]
List: wireshark-users
Subject: Re: [Wireshark-users] Display filters by slice operator using byte offset
From: M Holt <m.iostreams () gmail ! com>
Date: 2012-11-22 14:23:27
Message-ID: D2BF7399-BAC9-406F-AFFE-0D588CA25F0C () gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
That makes perfect sense - thanks Jim
--
Sent via carrier pigeon
On Nov 21, 2012, at 22:24, Jim Aragon <Jim@agdatasystems.com> wrote:
> At 08:52 PM 11/21/2012, M Holt <m.iostreams@gmail.com> wrote:
>
> > A given capture contains an IPv4 conversation, with an address of
> > 192.168.0.125. Using the standard ip.addr, ip.src and ip.dst, I can
> > manipulate the displayed packets as expected.
> > When attempting to display the same data using the slice operator, I can
> > display all packets with a source IP address of 192.168.0.125:
> >
> > ip[12:4]==c0.a8.00.7d
> >
> > However, since the source IP field uses the entire 4 bytes, I would
> > expect that the following filter would provide the same results:
> >
> > ip[12:]==c0.a8.00.7d
> >
> > Because [i:] *should* indicate "from this byte offset to the end of the
> > field". However, this filter does not display any data.
>
> When using the slice operator, the term "field" refers to the portion of the packet \
> that you've named in the protocol portion of your filter. So, "ip[12:]" means \
> "start at an offset of 12 bytes from the beginning of the IP portion of the packet, \
> and continue to the end of the IP portion of the packet." "Field" in this case \
> refers to the entire IP portion of the packet, not the ip.src field.
> > I switched the filter from "==" to "contains", and this does provide
> > data, but now I see something similar to using ip.addr == 192.168.0.125.
> >
> > ip[12:] contains c0.a8.00.7d
>
> And this makes sense, once you recognize that the "field" is the entire IP portion \
> of the packet.
> For what you are trying to accomplish, filtering on the source address, your first \
> attempt ("ip[12:4]") was correct.
> > Am I misunderstanding the usage of the operator?
>
> > [i:] start_offset = i, end_offset = end_of_field
>
> No, you're not. You understand the operator correctly, you just didn't understand \
> what "field" means in the context of the slice operator.
> Jim
> ___________________________________________________________________________
> Sent via: Wireshark-users mailing list <wireshark-users@wireshark.org>
> Archives: http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> mailto:wireshark-users-request@wireshark.org?subject=unsubscribe
[Attachment #5 (text/html)]
<html><head><meta http-equiv="content-type" content="text/html; \
charset=utf-8"></head><body dir="auto"><div>That makes perfect sense - thanks \
Jim<br><br><div>--</div>Sent via carrier pigeon</div><div><br>On Nov 21, 2012, at \
22:24, Jim Aragon <<a \
href="mailto:Jim@agdatasystems.com">Jim@agdatasystems.com</a>> \
wrote:<br><br></div><blockquote type="cite"><div>
<font size="3">At 08:52 PM 11/21/2012, M Holt <<a \
href="mailto:m.iostreams@gmail.com">m.iostreams@gmail.com</a>> wrote:<br><br>
>A given capture contains an IPv4 conversation, with an address of
<br>
>192.168.0.125. Using the standard ip.addr, ip.src and ip.dst, I
can <br>
>manipulate the displayed packets as expected.<br>
>When attempting to display the same data using the slice operator, I
can <br>
>display all packets with a source IP address of 192.168.0.125:<br>
><br>
> ip[12:4]==c0.a8.00.7d<br>
><br>
>However, since the source IP field uses the entire 4 bytes, I would
<br>
>expect that the following filter would provide the same results:<br>
><br>
> ip[12:]==c0.a8.00.7d<br>
><br>
>Because [i:] *should* indicate "from this byte offset to the end
of the <br>
>field". However, this filter does not display any
data.<br><br>
When using the slice operator, the term "field" refers to the
portion of the packet that you've named in the protocol portion of your
filter. So, "ip[12:]" means "start at an offset of 12
bytes from the beginning of the IP portion of the packet, and continue to
the end of the IP portion of the packet." "Field" in this
case refers to the entire IP portion of the packet, not the ip.src
field.<br><br>
>I switched the filter from "==" to "contains",
and this does provide <br>
>data, but now I see something similar to using ip.addr ==
192.168.0.125.<br>
><br>
> ip[12:] contains c0.a8.00.7d<br><br>
And this makes sense, once you recognize that the "field" is
the entire IP portion of the packet.<br><br>
For what you are trying to accomplish, filtering on the source address,
your first attempt ("ip[12:4]") was correct.<br><br>
>Am I misunderstanding the usage of the operator?<br><br>
> [i:] start_offset =
i, end_offset = end_of_field<br><br>
No, you're not. You understand the operator correctly, you just didn't
understand what "field" means in the context of the slice
operator.<br><br>
Jim<br>
</font>
</div></blockquote><blockquote \
type="cite"><div><span>___________________________________________________________________________</span><br><span>Sent \
via: Wireshark-users mailing list <<a \
href="mailto:wireshark-users@wireshark.org">wireshark-users@wireshark.org</a>></span><br><span>Archives: \
<a \
href="http://www.wireshark.org/lists/wireshark-users">http://www.wireshark.org/lists/wireshark-users</a></span><br><span>Unsubscribe: \
<a href="https://wireshark.org/mailman/options/wireshark-users">https://wireshark.org/mailman/options/wireshark-users</a></span><br><span> \
<a \
href="mailto:wireshark-users-request@wireshark.org?subject=unsubscribe">mailto:wiresha \
rk-users-request@wireshark.org?subject=unsubscribe</a></span></div></blockquote></body></html>
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@wireshark.org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@wireshark.org?subject=unsubscribe
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic