
ZGP protocol - Source ID filter


Hi, I struggle to filter the packets by Source ID... I want to display all the packets whose source ID (type Unsigned integer) starts with the same first four values. I tried contains, matches, the slice operator... it doesn't work. Do you have an idea how to do that?

Dum
asked 2024-03-09 17:17:18 +0000, updated 2024-03-09 19:24:00 +0000

Comments

Display Filter Reference: ZigBee Green Power Profile
It's the zbee_nwk_gp.source_id field you want to match on?
Can you provide an example of "same fourth first value"?

Chuckc (2024-03-09 17:47:06 +0000)

Thanks for your answer, yes it's this field. For example, I want all the packets whose IDs start with 0xab12. I have found the solution: I use frame[] to find the specific bytes corresponding to the first four numbers of the ID.

Dum (2024-03-09 19:23:49 +0000)

Thanks for the example. I'll write up an answer with sample capture file for future reference.

Chuckc (2024-03-09 20:43:41 +0000)

1 Answer


(Sample capture zgp_control_log.pcapng is from issue 9424: Implement ZigBee Green Power dissector)

The error messages will appear in the lower left of the GUI on the status line.
It's easier to capture the text by getting the output from tshark.

$ tshark -v
TShark (Wireshark) 4.2.3 (v4.2.3-0-ga15d7331476c).

$ tshark.exe -r ./zgp_control_log.pcapng -T fields -e zbee_nwk_gp.source_id | sort | uniq -c
     14
     58 0x78417788
     46 0xab361a07
      3 0xffffffff

$ tshark.exe -r ./zgp_control_log.pcapng -Y "zbee_nwk_gp.source_id matches 7841"
tshark: Matches requires a double quoted string on the right side.
    zbee_nwk_gp.source_id matches 7841
                                  ^~~~
$ tshark.exe -r ./zgp_control_log.pcapng -Y "zbee_nwk_gp.source_id matches \"7841\""
tshark: zbee_nwk_gp.source_id (type=Unsigned integer (32 bits)) cannot participate in matches comparison.
    zbee_nwk_gp.source_id matches "7841"
    ^~~~~~~~~~~~~~~~~~~~~

$ tshark.exe -r ./zgp_control_log.pcapng -Y "zbee_nwk_gp.source_id contains \"7841\""
tshark: zbee_nwk_gp.source_id (type=Unsigned integer (32 bits)) cannot participate in contains comparison.
    zbee_nwk_gp.source_id contains "7841"
    ^~~~~~~~~~~~~~~~~~~~~

$ tshark.exe -r ./zgp_control_log.pcapng -Y "zbee_nwk_gp.source_id[0:2] == 78:41"
tshark: "zbee_nwk_gp.source_id" is a Unsigned integer (32 bits) and cannot be sliced into a sequence of bytes.
    zbee_nwk_gp.source_id[0:2] == 78:41
    ^~~~~~~~~~~~~~~~~~~~~

Field is Uint32 - Display Filter Reference: ZigBee Green Power Profile

Field name              Description     Type                        Versions
zbee_nwk_gp.source_id   Src ID          Unsigned integer (32 bits)  1.12.0 to 4.2.

Two ways (there could be more) to search for specific bytes in the field:

1. WSUG - 6.4.8. Arithmetic operators
Bitwise AND   A & B   A bitand B   Bitwise AND of A and B

$ tshark.exe -r ./zgp_control_log.pcapng -Y "zbee_nwk_gp.source_id & 0xffff0000 == 0x78410000" | wc
     58     652    5560



2. Access the raw bytes in the Uint32. Wireshark 4.2.0 Release Notes

It is now possible to filter on raw packet data for any field by using the syntax @some.field == <bytes…​>.

WSUG - 6.4.6. The At Operator

$ tshark.exe -r ./zgp_control_log.pcapng -Y "@zbee_nwk_gp.source_id[2:2] == 41:78" | wc
     58     652    5560

Due to the "endianness" of the raw bytes in packet data, the raw bytes filter works from the end and in reverse.

Field as displayed in the Packet Details:

Src ID: Unknown (0x78417788)

Field as seen in the Packet Bytes:

0000  88 77 41 78
Chuckc
answered 2024-03-09 22:15:06 +0000, updated 2024-03-09 22:23:14 +0000
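
The two filters from the answer above, generalized to any whole-byte prefix, as an added example (not part of the original answer or of Wireshark): it builds the bitwise-AND and raw-byte (@) filter strings and evaluates both by hand on the source IDs from the sample output. The helper names are hypothetical, and it assumes the field is little-endian on the wire, as the Packet Bytes above show.

```python
FIELD = "zbee_nwk_gp.source_id"  # field name from the answer above

def split_prefix(prefix, width=4):
    """Turn displayed leading hex digits into (n_bytes, mask, value, raw_bytes)."""
    digits = prefix.lower().removeprefix("0x")
    # A raw-byte slice can only express whole bytes, so reject odd nibble counts.
    if not digits or len(digits) % 2 or len(digits) > 2 * width:
        raise ValueError("prefix must be 1..width whole bytes of hex")
    n = len(digits) // 2
    shift = 8 * (width - n)
    mask = ((1 << 8 * n) - 1) << shift      # "7841" -> 0xffff0000
    value = int(digits, 16) << shift        # "7841" -> 0x78410000
    # Little-endian on the wire: the displayed leading bytes are the last
    # n raw bytes, in reverse order ("7841" -> 41 78).
    raw = bytes.fromhex(digits)[::-1]
    return n, mask, value, raw

def prefix_filters(prefix, field=FIELD, width=4):
    """Return (bitwise-AND filter, raw-byte @ filter) for the given prefix."""
    n, mask, value, raw = split_prefix(prefix, width)
    w = 2 + 2 * width                       # "0x" plus two hex digits per byte
    return (f"{field} & {mask:#0{w}x} == {value:#0{w}x}",
            f"@{field}[{width - n}:{n}] == {raw.hex(':')}")

def emulate(source_id, prefix, width=4):
    """Evaluate both filters by hand on one ID; returns (mask_hit, raw_hit)."""
    n, mask, value, raw = split_prefix(prefix, width)
    wire = source_id.to_bytes(width, "little")   # bytes as seen in Packet Bytes
    return (source_id & mask == value, wire[width - n:] == raw)

# Source IDs listed in the tshark output above
SAMPLE_IDS = [0x78417788, 0xAB361A07, 0xFFFFFFFF]

if __name__ == "__main__":
    for flt in prefix_filters("7841"):
        print(flt)
    for sid in SAMPLE_IDS:
        print(f"{sid:#010x}", emulate(sid, "7841"))
```

The raw-byte (@) filter needs Wireshark 4.2.0 or later, per the release note quoted in the answer; the bitwise-AND form does not use the @ operator.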