Wireshark-users: Re: [Wireshark-users] Display filter on smb2.fid
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 12 Dec 2017 18:28:31 -0800
On Dec 12, 2017, at 5:50 PM, Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> wrote:

> On 12/12/2017 03:33 PM, Rodrigo Borges Pereira wrote:
>> Hi,
>> I'd like to match on partial smb2.fid, for example smb2.fid[0] == 00
>> But this seems to be an invalid expression. Is there any trick to it, or just not possible at all?
> 
> That's not possible with that field.  You can do partial matches on fields that are byte arrays, for example:
> 
> eth.addr[0:3]==00:06:5B
> 
> But GUIDs (such as smb2.fid) aren't treated as byte arrays so it doesn't work.

Is there a compelling reason *not* to change the display filter engine to allow field[start:len] for all field types, with the meaning "treat the bytes of the field as a byte array"?
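To make the semantics under discussion concrete, here is a small Python emulation (added here; it is not Wireshark's code) of the display-filter slice forms `field[i]`, `field[i:j]` (offset and length, not start and end), `field[i-j]` (inclusive range) and the open-ended `field[:j]` / `field[i:]`, applied to a field's raw bytes exactly as the proposal above would do for every field type. The packet field values, including the 16-byte `smb2.fid` value, are constructed for the example; the function `evaluate` and the dictionary `PACKET` are assumptions of this example only, and nothing here reflects how Wireshark actually orders GUID bytes on the wire.

```python
import re
from typing import Dict

# Added example, not Wireshark's code: emulate how the display-filter slice
# syntax treats a field as a byte array, so that the thread's
# eth.addr[0:3]==00:06:5B and the proposed smb2.fid[0]==00 can be tried.

_SINGLE = re.compile(r"^(-?\d+)$")          # field[i]    one byte
_OFFLEN = re.compile(r"^(-?\d*):(\d*)$")    # field[i:j]  offset i, length j
_RANGE = re.compile(r"^(-?\d+)-(-?\d+)$")   # field[i-j]  bytes i..j inclusive
_FILTER = re.compile(r"^\s*([\w.]+)\[([^\]]+)\]\s*==\s*(\S+)\s*$")


def parse_bytes(text: str) -> bytes:
    """Parse a display-filter byte literal such as '00:06:5B' or '00065b'."""
    return bytes.fromhex(re.sub(r"[:.\- ]", "", text))


def slice_field(value: bytes, spec: str) -> bytes:
    """Apply the text between [ and ] to the raw bytes of a field."""
    spec = spec.strip()
    if (m := _SINGLE.match(spec)):
        i = int(m.group(1))
        if i < 0:                      # negative index counts from the end
            i += len(value)
        return value[i:i + 1]
    if (m := _RANGE.match(spec)):
        i, j = int(m.group(1)), int(m.group(2))
        i = i + len(value) if i < 0 else i
        j = j + len(value) if j < 0 else j
        return value[i:j + 1]
    if (m := _OFFLEN.match(spec)):
        start = int(m.group(1)) if m.group(1) else 0
        if start < 0:
            start += len(value)
        if m.group(2):                 # explicit length
            return value[start:start + int(m.group(2))]
        return value[start:]           # field[i:] runs to the end
    raise ValueError(f"unsupported slice spec: {spec!r}")


def evaluate(expr: str, fields: Dict[str, bytes]) -> bool:
    """Evaluate one 'name[spec] == literal' expression against raw field bytes."""
    m = _FILTER.match(expr)
    if not m:
        raise ValueError(f"cannot parse: {expr!r}")
    name, spec, literal = m.groups()
    if name not in fields:
        return False                   # field absent from this packet: no match
    return slice_field(fields[name], spec) == parse_bytes(literal)


# Constructed packet fields (raw bytes); the GUID value is made up.
PACKET = {
    "eth.addr": bytes.fromhex("00065b123456"),
    "smb2.fid": bytes.fromhex("00f1d2c3a4b5c6d7e8f90a1b2c3d4e5f"),
}

if __name__ == "__main__":
    for f in ("eth.addr[0:3]==00:06:5B", "smb2.fid[0] == 00", "smb2.fid[1] == 00"):
        print(f, "->", evaluate(f, PACKET))
```

The point the emulation makes visible is that `[0:3]` means "three bytes starting at offset 0", which is why the OUI prefix comparison works, and that once a field's value is just its bytes, the same slice rules apply to a GUID as to a MAC address. In the real engine, as the reply above says, a GUID-typed field such as `smb2.fid` does not accept the slice operator at all.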