I am writing my first Wireshark dissector. I am writing it in Lua, using this as an example. My communication protocol embeds a command ID in the response header, followed by well-defined payloads that differ based on the command ID. So far, I've been structuring the ProtoFields such that the Abbreviated name of the field (the string used in filters) follows a naming convention like this
proto_name.command_name.field_name
Some commands have similar fields, like in the following example
myproto.cmd_update.updateId
myproto.cmd_update_ack.updateId
where, per the protocol, an update
command must be acknowledged with a update_ack
command with the same updateId
payload. Ideally, i would like to create a wireshark filter such that I can see all packets pertaining to the updateId
field. I tried creating a filter like
myproto.*.updateId == 0x1234
but that appears to be invalid wireshark filter syntax. I don't want to make the filter explicit like
myproto.cmd_update.updateId == 0x1234 or myproto.cmd_update_ack.updateId == 0x1234
because in my actual protocol there are many more commands with similar/related fields. Is there a filter syntax I can use? Or perhaps, should I structure my dissector's ProtoField abbreviations differently?