Wireshark-users: Re: [Wireshark-users] Display filters for application protocols
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 8 Mar 2011 11:15:30 -0800
On Mar 8, 2011, at 11:06 AM, Sake Blok wrote:

> I think you can do it with:
> 
> diameter.cmd.code==302 and not diameter.cmd.code!=302

That will display frames that have an LIR message and no non-LIR messages; it won't display frames that contain both LIR and non-LIR messages, as the first test would succeed but the second test would fail, so it won't display *all* LIR messages.

The problem is what he wants would require that Wireshark/TShark have a sequence of individual DIAMETER messages, not a sequence of individual frames+reassembled information, so that the filter could act on individual DIAMETER messages; *shark currently has no notion of individual items in the packet sequence being higher-level packets rather than link-layer frames, so that's currently not possible.
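
Added example (not part of the original message): a small Python model of the frame-level matching discussed in this thread, comparing the two filters on a capture where some frames carry more than one DIAMETER message. It assumes, as the reply implies, that a comparison on a field occurring several times in a frame is true if any occurrence satisfies it; the frames and the non-LIR command codes are constructed sample data, and the function names are hypothetical.

```python
# Toy model of frame-level display filtering (illustration only, not Wireshark code).
# Assumption: a comparison on a multi-occurrence field is true when ANY
# occurrence in the frame satisfies it, as the reply above implies.

LIR = 302  # DIAMETER command code for LIR, taken from the thread

# Constructed sample capture: frame number -> command codes of the DIAMETER
# messages carried in that frame (300 and 303 stand in for non-LIR messages).
FRAMES = {
    1: [302],        # one LIR
    2: [300],        # one non-LIR
    3: [302, 303],   # LIR and non-LIR in the same frame
    4: [303, 300],   # two non-LIR
    5: [302, 302],   # two LIRs
}

def any_eq(codes, value):
    """Model of 'field == value' on a frame."""
    return any(c == value for c in codes)

def any_ne(codes, value):
    """Model of 'field != value' on a frame."""
    return any(c != value for c in codes)

def filter_simple(codes):
    """diameter.cmd.code==302"""
    return any_eq(codes, LIR)

def filter_quoted(codes):
    """diameter.cmd.code==302 and not diameter.cmd.code!=302"""
    return any_eq(codes, LIR) and not any_ne(codes, LIR)

def displayed(pred):
    """Frame numbers the filter would display."""
    return [n for n, codes in FRAMES.items() if pred(codes)]

def shown(pred, want_lir):
    """Count LIR (or non-LIR) messages inside the displayed frames."""
    return sum((c == LIR) == want_lir
               for codes in FRAMES.values() if pred(codes) for c in codes)

TOTAL_LIR = sum(codes.count(LIR) for codes in FRAMES.values())

if __name__ == "__main__":
    for name, pred in (("simple", filter_simple), ("quoted", filter_quoted)):
        print(f"{name}: frames {displayed(pred)}, "
              f"LIR shown {shown(pred, True)}/{TOTAL_LIR}, "
              f"non-LIR shown {shown(pred, False)}")
```

In this model neither filter yields exactly the set of LIR messages: the quoted filter drops the LIR in the mixed frame, and the plain equality test displays the mixed frame together with its non-LIR message.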