"Lukás Oliva" <olivalukas@xxxxxxxxx> wrote in
message news:AANLkTinczCeZZCCy5f_5WE8jVs6WNf63bObvxOc5mc2c@xxxxxxxxxxxxxx...
> Hello to the community,
> I am doing some testing for the Diameter protocol and I noticed
> interesting behaviour of the display filters. I noticed that if I run
>
> tshark -r mypcap.pcap -R "diameter.cmd.code==302"
>
> then the output contains afterwards also Diameter packets with
> different diameter.cmd.code. I am not sure if it is actually a bug and
> how tshark handles this filtering for application protocols.
> E.g.: If there is a packet containing more Diameter (or other
> application protocol) messages on IP (or possibly TCP) level, how
> will the display filter filter all of them?
>
> Just for the illustration:
>
> 1 TCP packet: Diameter message 1 (LIR), Diameter message 2 (MAR),
> Diameter message 3 (SAR)
>
> Running tshark -r mypcap.pcap -R "diameter.cmd.code==302" ... # so
> filtering out the LIR messages which have message code 302
>
> Should the tshark produce a list of LIR messages only?
You write that you have one TCP packet with several Diameter messages. A display
filter defines which _packets_ should be displayed. But the display filter
does not define which details of one packet are displayed.
--
Andy
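
The packet-versus-message distinction from the reply above, as an added example that is not part of the original thread and is not tshark's code. It assumes the 20-byte Diameter header layout from RFC 6733 and the 3GPP Cx command codes (SAR 301, LIR 302, MAR 303); the function names and the sample TCP payloads are constructed for illustration.

```python
import struct

# Diameter header (RFC 6733): version(1) | length(3) | flags(1) | command code(3)
# | application id(4) | hop-by-hop id(4) | end-to-end id(4) = 20 bytes.
HEADER_LEN = 20
CX_APP_ID = 16777216  # 3GPP Cx application id
SAR, LIR, MAR = 301, 302, 303

def build_message(cmd_code, payload=b""):
    """Build a constructed Diameter request: header plus opaque, 4-byte-aligned payload."""
    length = HEADER_LEN + len(payload)
    return (bytes([1]) + length.to_bytes(3, "big") + bytes([0x80])
            + cmd_code.to_bytes(3, "big")
            + struct.pack("!III", CX_APP_ID, 1, 1) + payload)

def split_messages(tcp_payload):
    """Walk one TCP payload and return the command code of every Diameter message in it."""
    codes, offset = [], 0
    while offset < len(tcp_payload):
        header = tcp_payload[offset:offset + HEADER_LEN]
        if len(header) < HEADER_LEN or header[0] != 1:
            raise ValueError(f"truncated or non-Diameter data at offset {offset}")
        length = int.from_bytes(header[1:4], "big")
        if length < HEADER_LEN or length % 4 or offset + length > len(tcp_payload):
            raise ValueError(f"bad message length {length} at offset {offset}")
        codes.append(int.from_bytes(header[5:8], "big"))
        offset += length
    return codes

def packet_level_filter(packets, cmd_code):
    """Display-filter semantics: keep the whole packet if ANY message in it matches."""
    return [p for p in packets if cmd_code in split_messages(p)]

def message_level_filter(packets, cmd_code):
    """Per-message selection: (packet index, code) for matching messages only."""
    return [(i, c) for i, p in enumerate(packets)
            for c in split_messages(p) if c == cmd_code]

# Constructed capture: packet 0 carries LIR + MAR + SAR in one TCP segment.
SAMPLE_PACKETS = [
    build_message(LIR, b"\x00" * 8) + build_message(MAR) + build_message(SAR, b"\x00" * 4),
    build_message(MAR),
    build_message(LIR),
]

if __name__ == "__main__":
    for pkt in packet_level_filter(SAMPLE_PACKETS, LIR):
        print("packet shown, contains codes:", split_messages(pkt))
    print("matching messages only:", message_level_filter(SAMPLE_PACKETS, LIR))
```

Packet 0 passes the packet-level filter because it contains an LIR, so its MAR and SAR appear in the output too; only the per-message selection returns LIR alone.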