Andrew.Hadenfeldt@xxxxxxxxxx wrote:
> According to the filter docs, it is possible to "compare fields against fields"
...although, later in the wireshark-filter(4) man page, at least, it
says nothing about that.
> but it doesn't seem to be true. For example:
> frame.pkt_len > frame.cap_len
That doesn't appear to be syntactically valid, but note that it's a
filter that would only match packets if you captured with a non-default
snapshot length and captured packets bigger than the snapshot length; I
assume that's what you intended.
> or (closer to what I really want)
> frame.cap_len > frame.pkt_len+4
That's apparently not syntactically valid, either, but it's a filter
that would only match packets if you captured with a badly broken
"packet slicing" implementation and that set the "captured length"
incorrectly so that it's greater than the actual length. (I.e., if
frame.cap_len > frame.pkt_len for any frame, there's something wrong
with the software that captured that frame.) Even if it were
syntactically valid, it probably wouldn't be very useful.
> I've even tried some variations, e.g.:
> (frame.cap_len-frame.pkt_len)>4
> without success.
The man page doesn't speak of arithmetic on fields.
> Have also attempted with capture filters, but that didn't work either.
Those do support arithmetic - but they don't support operators to get
the captured length, just the on-the-wire length.
They also, obviously, can't filter stuff once you've captured it (at
least not in *shark).
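Added example, not part of this thread: a small Python check for the capture-consistency condition the reply describes (frame.cap_len greater than frame.pkt_len should never occur in a correctly written capture). It assumes the classic libpcap file format, where each record header carries incl_len (frame.cap_len) and orig_len (frame.pkt_len); pcapng is not handled, and the sample capture is constructed inline.

```python
import struct

PCAP_MAGIC_LE = 0xa1b2c3d4       # classic pcap magic as read little-endian
PCAP_MAGIC_SWAPPED = 0xd4c3b2a1  # same magic read from a big-endian file


def build_pcap(records, snaplen=96):
    """Constructed test data: classic pcap with one (payload, orig_len) per record.
    In the 16-byte record header, incl_len is frame.cap_len and orig_len is
    frame.pkt_len."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, 1)  # linktype 1 = Ethernet
    for payload, orig_len in records:
        out += struct.pack("<IIII", 0, 0, len(payload), orig_len) + payload
    return out


def iter_records(data):
    """Yield (index, cap_len, pkt_len) for every record in a classic pcap."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    off, idx = 24, 0  # skip the 24-byte global header
    while off + 16 <= len(data):
        _, _, cap_len, pkt_len = struct.unpack(end + "IIII", data[off:off + 16])
        yield idx, cap_len, pkt_len
        off += 16 + cap_len
        idx += 1


def check_lengths(data):
    """Return (truncated, broken): indices where cap_len < pkt_len (sliced by the
    snapshot length, expected) and where cap_len > pkt_len (never produced by a
    correct capture tool, so the capture software or file is suspect)."""
    truncated, broken = [], []
    for idx, cap_len, pkt_len in iter_records(data):
        if cap_len > pkt_len:
            broken.append(idx)
        elif cap_len < pkt_len:
            truncated.append(idx)
    return truncated, broken


# Constructed sample: one intact frame, one sliced at snaplen 96, one with a bogus cap_len.
SAMPLE = build_pcap([(b"\x00" * 60, 60), (b"\x00" * 96, 1500), (b"\x00" * 70, 64)])

if __name__ == "__main__":
    print(check_lengths(SAMPLE))  # ([1], [2])
```

Running this over a saved capture gives the field-to-field comparison the display filter would not accept, without needing arithmetic in the filter language.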