If you are looking for two double bytes from the beginning
then you would use [0:2], but if you are looking for three
double bytes then you would use [0:3]. Also [0:2] will
work for 00:02 and [1:2] will do for 02:fc.
Pete
On Fri, Apr 3, 2009 at 5:30 AM, noah davids <ndav1@xxxxxxx> wrote:

Thank you everyone for your answers.

The eth.addr contains 00:02:fc filter worked fine - BUT the "eth.addr[0:2]==00:02:fc" failed to find any frames, even though the first 3 bytes were 00:02:fc. The filter "eth.addr[0-2]==00:02:fc" did find the same frames as the "contains" filter. The "[0:2]" would appear to be a valid filter (the bar was green) but what is it doing?

I also discovered the following strangeness. The filter "eth.addr[2]==fc" turns red, it appears that "fc" is not valid by itself. I can enclose fc in quotes eth.addr[2]=="fc" and the filter turns green but it doesn't find any frames. The filter eth.addr[2] matches "fc" also fails to find any frames. The problem appears to be the "fc" value since using the same syntax with other bytes and values and not using quotes works - so how do I match on "fc"?

Noah Davids
=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Serendipity is a function of bandwidth
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
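
The slice notations discussed in this thread, modelled in Python as an added example (not part of the original messages and not Wireshark's own code): in `[i:j]` the second number is a length, while in `[i-j]` it is an inclusive end offset. The function names and the sample address are assumptions made for illustration.

```python
"""Model of Wireshark display-filter byte slices applied to a MAC address."""

def parse_bytes(text):
    """Turn colon-separated hex such as '00:02:fc' into bytes."""
    return bytes(int(part, 16) for part in text.split(":"))

def take_slice(data, spec):
    """Return the bytes selected by one slice spec (written without brackets).

    i:j -> offset i, LENGTH j         i-j -> offset i through offset j inclusive
    i   -> single byte at offset i    :j  -> first j bytes    i: -> offset i to end
    Only non-negative offsets are modelled here.
    """
    if "-" in spec:
        start, end = (int(x) for x in spec.split("-"))
        if end < start:
            raise ValueError("end offset before start offset: " + spec)
        length = end - start + 1
    elif ":" in spec:
        left, right = spec.split(":")
        start = int(left) if left else 0
        length = int(right) if right else len(data) - start
    else:
        start, length = int(spec), 1
    if length < 1 or start + length > len(data):
        raise ValueError("slice outside field: " + spec)
    return data[start:start + length]

def slice_equals(field, spec, value):
    """Evaluate field[spec] == value; byte strings of different length never match."""
    return take_slice(parse_bytes(field), spec) == parse_bytes(value)

if __name__ == "__main__":
    mac = "00:02:fc:12:34:56"  # constructed sample address
    for spec, value in [("0:2", "00:02:fc"), ("0-2", "00:02:fc"),
                        ("0:3", "00:02:fc"), ("0:2", "00:02"),
                        ("1:2", "02:fc")]:
        selected = take_slice(parse_bytes(mac), spec).hex(":")
        print(f"eth.addr[{spec}] selects {selected}; == {value} -> "
              f"{slice_equals(mac, spec, value)}")
```

The first case comes out false because `[0:2]` selects only two bytes, so it can never equal the three-byte value `00:02:fc`.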