Revision history [back]
I'm not sure if this will work for the way your protocol adds the multiple messages to the tree, but if it does, the layer operator might come in handy. Of course that will only work if you have a limited amount of messages per packet. You could try the following:
(body.name[1]==alex and body.family[1]==human) or (body.name[2]==alex and body.family[2]==human) or (body.name[3]==alex and body.family[3]==human) or (body.name[4]==alex and body.family[4]==human)
You might want to make a display filter macro for it like
- macro name: NameFamily
- macro expression: (body.name[1]==$1 and body.family[1]==$2) or (body.name[2]==$1 and body.family[2]==$2) or (body.name[3]==$1 and body.family[3]==$2) or (body.name[4]==$1 and body.family[4]==$2)
So you can then use the display filter ${NameFamily:alex;human}
I'm not sure if this will work for the way your protocol adds the multiple messages to the tree, but if it does, the layer operator might come in handy. Of course that will only work if you have a limited amount of messages per packet. You could try the following:
(body.name[1]==alex and body.family[1]==human) or (body.name[2]==alex and body.family[2]==human) or (body.name[3]==alex and body.family[3]==human) or (body.name[4]==alex and body.family[4]==human)
You might want to make a display filter macro macor for it like
- macro name: NameFamily
- macro expression: (body.name[1]==$1 and body.family[1]==$2) or (body.name[2]==$1 and body.family[2]==$2) or (body.name[3]==$1 and body.family[3]==$2) or (body.name[4]==$1 and body.family[4]==$2)
So you can then use the display filter ${NameFamily:alex;human}