len - Checks the string length of "string types" (FT_STRING, FT_STRINGZ, FT_UINT_STRING, FT_STRINGZPAD) or array length of "byte types" (FT_BYTES, FT_UINT_BYTES) and does a compare.
Examples:
len(smpp.message_id) > 10
len(smpp.message) > 25
size - Checks the size of the field in a packet. Can be used for strings/bytes like len() above, but can also be used for integer fields that vary in length (1-4 bytes)
Examples:
size(eth.type) == 2 (This is just for demonstration purposes. Obviously the size of the eth.type field could only be 2 but I couldn't quickly think of a "popular" field with varying integer length)
size(tcp.options) > 7
count - Number of times a field is found in a single frame. This can be used to help identify "tunneling" or if multiple PDUs are in a single frame.
Examples:
count(ip.src) > 1
count(smpp.sequence_number) > 1 (Since sequence_number is required for the packet, having more than one shows frames with multiple PDUs.
-----Original Message-----
From: Dario Lombardo <lomato@xxxxxxxxx>
To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Sent: Sun, Jan 6, 2019 4:35 am
Subject: [Wireshark-dev] dfilter functions
Hi
I've noticed that the online documentation about dfilter functions just talks about 2 of them, upper and lower:
but there are more that are undocumented AFAICS:
- len
- size
- count
Can someone explain me their purpose and give a working example on some protocol?
Thanks.
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <
wireshark-dev@xxxxxxxxxxxxx>
Archives:
https://www.wireshark.org/lists/wireshark-dev
Unsubscribe:
https://www.wireshark.org/mailman/options/wireshark-dev
mailto:
wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
