Ethereal-users: Re: [Ethereal-users] Found it yet again.
Ronald Prague
>My original question was how to make a display filter searching for
>something inside a fix packet, the syntax is:
>
>fix.ClOrdID == "92108241"
>
There are actually some nice ways to get display filters without having to rely on the protocol field listings such as:
http://www.ethereal.com/docs/user-guide/sidfinancialinformationexchangeprotocol.html (for Ethereal 0.9.7, so it's
not so relevant anymore for several protocols!!!!) or the more up-to-date one that Biot Olivier has prepared for Ethereal 0.9.12
http://home.tiscali.be/olivier.biot/ethereal/ .
Maybe you used one of the methods below when you prepared the filter, or at least know about one or both of them.
I use both of them quite often, but I know that not all Ethereal users know about both these possibilities.
If you select the line "ClOrdID (37): 91208241" in the Ethereal window and use the "Display/Prepare" menu item
I think you will get the right filter (fix.ClOrdID == "92108241") in the bottom of the Ethereal window.
You can then edit the filter if you want (change the value, or add some more conditions to the filter) and then press "Apply"
to start the search.
There is also a menu item "Display/Match" that starts the search immediately, but I prefer the "Display/Prepare" menu item
since I can see how the filter looks before doing the search.
This method does not always result in good filters since it depends on how the dissector is adding the data to the protocol tree.
Sometimes you get filters like "frame[55:2] == a4:4d" and that filter will probably not do what you want it to do, if the data
you want to search for isn't always in a fixed position of the packet.
Another disadvantage with this method is that you have to have a FIX packet with a ClOrdID element (but maybe not with exactly the same value) in order to do the Display/Prepare stuff, so it is not always useful. But it's very handy when you look at a packet and want to search for a similar packet, e.g. if you want to search for an IP packet with a certain source address or similar, and you forgot the syntax for that.
Another good way of preparing Display filters is the "Add Expression..." button in the "Display Filter" dialog
box. Browse to "FIX" and then select the "ClOrdID" entry etc.
http://www.ethereal.com/docs/user-guide/ch03dispfilt.html
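To show why a field-based filter such as fix.ClOrdID == "92108241" behaves differently from a byte-offset filter such as frame[55:2] == a4:4d, here is an added example (not part of the mail or of Ethereal) with a minimal FIX tag=value parser and both kinds of match run over three constructed messages; ClOrdID is FIX tag 11, and the offsets and message contents are made up for the illustration.

```python
"""Field-based vs byte-offset display filters, illustrated on FIX messages.

Added example, not from the original mail. Messages below are constructed
(tag=value pairs separated by SOH, 0x01); the byte offset mimics a filter
like frame[55:2] == a4:4d that only works while the field stays in place.
"""
SOH = "\x01"

def parse_fix(raw: str) -> dict:
    """Split a FIX message into a {tag: value} dict (a repeated tag keeps the last value)."""
    fields = {}
    for pair in raw.split(SOH):
        if not pair:
            continue
        tag, _, value = pair.partition("=")
        fields[tag] = value
    return fields

# Constructed sample capture. Tag 11 is ClOrdID; tag 55 (Symbol) has a
# different length in MSG_B, so the byte position of ClOrdID shifts.
MSG_A = SOH.join(["8=FIX.4.2", "35=D", "55=IBM", "11=92108241", "54=1"]) + SOH
MSG_B = SOH.join(["8=FIX.4.2", "35=D", "55=MSFT", "11=92108241", "54=1"]) + SOH
MSG_C = SOH.join(["8=FIX.4.2", "35=D", "55=IBM", "11=11111111", "54=1"]) + SOH
CAPTURE = [MSG_A, MSG_B, MSG_C]

def field_filter(raw: str, tag: str, wanted: str) -> bool:
    """Equivalent of fix.ClOrdID == "92108241": compare the parsed field value."""
    return parse_fix(raw).get(tag) == wanted

def offset_filter(raw: str, offset: int, wanted: bytes) -> bool:
    """Equivalent of frame[offset:len] == bytes: compare a fixed byte slice."""
    data = raw.encode("ascii")
    return data[offset:offset + len(wanted)] == wanted

def clordid_offset(raw: str) -> int:
    """Byte offset where the ClOrdID value starts (what Display/Prepare would bake in)."""
    return raw.encode("ascii").index(b"11=") + 3

def search(capture: list, predicate) -> list:
    """Return the indices of the messages in the capture that match the filter."""
    return [i for i, msg in enumerate(capture) if predicate(msg)]
```

Running search with the offset taken from MSG_A finds only MSG_A, while the field-based filter also finds MSG_B, whose ClOrdID sits three bytes later.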