I am writing my first Wireshark dissector. I am writing it in Lua, using this as an example. My communication protocol embeds a command ID in the response header, followed by well-defined payloads that differ based on the command ID. So far, I've been structuring the ProtoFields such that the Abbreviated name of the field (the string used in filters) follows a naming convention like this
proto_name.command_name.field_name
Some commands have similar fields, like in the following example
myproto.cmd_update.updateId
myproto.cmd_update_ack.updateId
where, per the protocol, an update command must be acknowledged with an update_ack command with the same updateId payload. Ideally, I would like to create a Wireshark filter such that I can see all packets pertaining to the updateId field. I tried creating a filter like
myproto.*.updateId == 0x1234
but that appears to be invalid Wireshark filter syntax. I don't want to make the filter explicit like
myproto.cmd_update.updateId == 0x1234 or myproto.cmd_update_ack.updateId == 0x1234
because in my actual protocol there are many more commands with similar/related fields. Is there a filter syntax I can use? Or perhaps, should I structure my dissector's ProtoField abbreviations differently?
There doesn't appear to be a wildcard syntax for the filter line, so I wound up solving this in the dissector itself. In addition to the myproto.*.updateId fields, I also added another field called myproto.updateId (note the lack of the wildcard in the middle). Its value is set to the same thing as the full-blown field name, which means that I now have just one field name to search against. I also set this field as hidden = true to hide it from view.
It's a bit of a hack, but gives me what I want.
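The approach described in the answer, as an added example rather than the asker's or answerer's own dissector: a minimal Lua dissector with a one-byte command ID header, per-command updateId fields, and one hidden alias field (myproto.updateId) that carries the same value so a single filter expression matches every command. The port number (9999), the command IDs (0x01, 0x02) and the two-byte big-endian updateId layout are assumptions made for this example, not values from the protocol in the question.

```lua
-- Added example (not code from the question or answer). Assumptions:
-- UDP on port 9999 (placeholder), 1-byte command ID header, and a
-- 2-byte big-endian updateId payload for cmd_update and cmd_update_ack.
local myproto = Proto("myproto", "My Protocol")

local f_cmd           = ProtoField.uint8 ("myproto.cmd", "Command ID", base.HEX)
local f_update_id     = ProtoField.uint16("myproto.cmd_update.updateId", "Update ID", base.HEX)
local f_update_ack_id = ProtoField.uint16("myproto.cmd_update_ack.updateId", "Update ID (ack)", base.HEX)
-- Alias field shared by every command that carries an updateId; this is
-- the one to use in display filters, e.g.  myproto.updateId == 0x1234
local f_any_update_id = ProtoField.uint16("myproto.updateId", "Update ID (any command)", base.HEX)

myproto.fields = { f_cmd, f_update_id, f_update_ack_id, f_any_update_id }

local CMD_UPDATE     = 0x01  -- assumed value
local CMD_UPDATE_ACK = 0x02  -- assumed value

-- Map each command ID to its command-specific updateId field.
local update_id_field_for = {
  [CMD_UPDATE]     = f_update_id,
  [CMD_UPDATE_ACK] = f_update_ack_id,
}

function myproto.dissector(tvb, pinfo, tree)
  -- Refuse truncated packets instead of indexing past the buffer.
  if tvb:len() < 1 then return 0 end
  pinfo.cols.protocol = myproto.name

  local subtree = tree:add(myproto, tvb(), "My Protocol")
  local cmd = tvb(0, 1):uint()
  subtree:add(f_cmd, tvb(0, 1))

  local specific = update_id_field_for[cmd]
  if specific and tvb:len() >= 3 then
    local id_range = tvb(1, 2)
    -- Visible, command-specific field (myproto.cmd_update.updateId etc.)...
    subtree:add(specific, id_range)
    -- ...plus the shared alias with the same value, hidden so the
    -- packet details pane does not show the value twice.
    local alias = subtree:add(f_any_update_id, id_range)
    alias.hidden = true
  end
  return tvb:len()
end

DissectorTable.get("udp.port"):add(9999, myproto)
```

With this in place, a filter such as myproto.updateId == 0x1234 matches both the update and the update_ack packets, while the command-specific fields still work for narrower filters. The length checks matter: a dissector that trusts the command byte and reads the payload unconditionally will throw on malformed or truncated packets, which is exactly the kind of input a capture of a real network will contain.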