Wireshark-dev: Re: [Wireshark-dev] What ftypes are "compatible" enough for duplicate fields?
From: Hadriel Kaplan <hadriel.kaplan@xxxxxxxxxx>
Date: Fri, 21 Feb 2014 19:08:18 -0500

On Feb 21, 2014, at 6:36 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:

> On Feb 21, 2014, at 12:08 PM, Hadriel Kaplan <hadriel.kaplan@xxxxxxxxxx> wrote:
> 
>> Also, FT_IPv4 and FT_IPv6 are frequently in duplicate fields.  Should they be/not-be?  Display filter input/verification might have issues with it, but it seems logical to have generic "foo.src"/"foo.dst"/etc. fields of both types.
> 
> The one place where we're doing that with ".src" and ".dst" is in the PGM dissector; in, for example, a Source Path Message, there's a field specifying the Address Family Indicator (AFI) for the source address and another specifying the address, which could be IPv4, IPv6, or, in theory, a number of other types.

And it's also done in: h245.network, h248.address, mih.mihf_id, openflow_v4.oxm.value, openflow_v5.oxm.value, pflog.saddr, rsip.parameter.address, rsvp.notify_request.notify_node_address_ipv4, sap.originating_source, sflow_245.nexthop, and a bunch in pim.

I don't know if it actually works properly as display filters, however, in a capture/file of mixed address families.

-hadriel