Hi ! I want to colorize (or filter) Diameter packets, specified on AVP Parameter list where VendorID is not Nokia or 3GPP. I made filter: diameter.avp.vendorId != 94 && diameter.avp.vendorId != 10415 However, Wireshark still displaying packets where any (or both) AVP's are there with those Vendor Id's, no matter there is no other VendorId's defined in other AVP's. What am I doing wrong ? asked 21 Feb '17, 12:38 ahmediukas |
One Answer:
Try: diameter.avp.vendorId&&!diameter.avp.vendorId==94&&!diameter.avp.vendorId==10415 The problem with your filter is that it reads as "Match if there is a Vendor ID other than 10415, as well as a Vendor ID other than 94". Since 94 is "not 10415" the first condition matches, and since 10415 is "not 94", the second condition matches. Thus, any Diameter message with both ID's will match the rule, even though the rule is negative matches against them both as values. It's a common error when writing display filters, which is why most/all Wireshark versions will put that kind of filter in a cautionary yellow background (saying that it is correct syntax, but probably not what you're trying to do). On the other hand the above example says "match if it contains a vendor id, and it does not contain vendor 94, and it does not contain vendor 10415". That sounds like what you're trying to do. answered 21 Feb '17, 18:24 Quadratic edited 21 Feb '17, 18:34 Not to open new topic, with same parameters, as AVP's are the list, how would you filter then: Diameter must have "ONLY ONE" AVP in the list with id 94 ? (22 Feb '17, 15:17) ahmediukas 1
That's not supported by the filter expression mechanism. (22 Feb '17, 15:20) Guy Harris ♦♦ |
So that filter is matching packets that have only Nokia or 3GPP AVPs, with no AVPs from any other vendor?