Wireshark mailing list archives
Re: How does wireshark filter packets
From: Guy Harris <guy () alum mit edu>
Date: Tue, 29 Jan 2013 15:35:45 -0800
On Jan 29, 2013, at 2:10 PM, Guy Harris <guy () alum mit edu> wrote:

> On Jan 29, 2013, at 1:39 PM, Wenfei Wu <wenfeiwu () cs wisc edu> wrote:
>
>> I want to know how Wireshark uses the filter expression to filter packets. Does it parse the packet first, and then use the filter expression to check? If so, is there some intermediate data structure to store the filter expression? What is the algorithm? Are there some materials about this?
>
> See my reply on the tcpdump-workers mailing list.
Although that applies only to Wireshark *capture* filters.

For *display* filters, yes, Wireshark and TShark parse the packet first, turning it into a tree of named fields and unnamed "text" items. The filter expression is compiled into a pseudo-machine code. It is *not* the same as the BPF pseudo-machine code; it's much higher-level, in that it knows about named packet fields, not just the raw array of packet bytes that the BPF pseudo-machine uses.

See the code in the epan/dfilter directory - in particular, see dfvm.h and dfvm.c for the core of the pseudo-machine interpreter.
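To make the two-stage model in the reply above concrete (dissect the packet into a tree of named fields, compile the filter text into pseudo-machine code, run that code against the tree), here is a deliberately small Python illustration added to this archive page. It is not Wireshark's code and not the real dfvm: the packet dict, the opcode names (READ_TREE, PUT_FVALUE, ANY_EQ, IF_FALSE_GOTO, and so on), the register scheme and the grammar subset (`==`, `!=`, `&&`, `||`, `!`, parentheses, bare field presence) are all invented for the example, and the value typing is a toy stand-in for dfilter's per-field ftypes. What it does show is the point Guy makes: the instructions refer to fields by name and a field that is absent from the tree simply makes the comparison false, whereas BPF would be indexing fixed byte offsets in the raw frame.

```python
"""Toy display-filter pipeline: named-field tree -> compiled pseudo-code -> interpreter.
Illustrative only; this is not Wireshark's dfvm and the opcodes are invented here."""
import re

# Constructed dissection result: the tree of named fields, flattened to a dict.
# Protocol nodes ("tcp") are named items too, so a bare name is a presence test.
PACKET = {"ip.src": "10.0.0.1", "ip.dst": "10.0.0.2", "tcp.dstport": 443,
          "tcp.flags.syn": 1, "tcp": "Transmission Control Protocol"}
TOKEN_RE = re.compile(r"\(|\)|&&|\|\||==|!=|!|[A-Za-z_][\w.]*|\d+(?:\.\d+)*")

def tokenize(text):
    tokens = TOKEN_RE.findall(text)
    if "".join(tokens) != "".join(text.split()):  # leftover characters mean a bad token
        raise SyntaxError(f"cannot tokenize {text!r}")
    return tokens

class Compiler:
    """Recursive descent over the filter text, emitting a flat instruction list."""
    def __init__(self, text):
        self.tokens, self.i, self.code = tokenize(text), 0, []

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self):
        if self.i >= len(self.tokens):
            raise SyntaxError("unexpected end of filter")
        self.i += 1
        return self.tokens[self.i - 1]

    def compile(self):
        self.expr()
        if self.peek() is not None:
            raise SyntaxError(f"unexpected {self.peek()!r}")
        self.code.append(("RETURN",))
        return self.code

    def chain(self, sub, sep, jump_op):
        # sub (sep sub)*: each separator emits a short-circuit jump to the chain's end.
        sub()
        while self.peek() == sep:
            self.take()
            jump = len(self.code)
            self.code.append((jump_op, None))
            sub()
            self.code[jump] = (jump_op, len(self.code))

    def expr(self):  # expr := term ('||' term)*, skip the rest once true
        self.chain(self.term, "||", "IF_TRUE_GOTO")

    def term(self):  # term := atom ('&&' atom)*, skip the rest once false
        self.chain(self.atom, "&&", "IF_FALSE_GOTO")

    def atom(self):  # atom := '!' atom | '(' expr ')' | field [('==' | '!=') value]
        tok = self.take()
        if tok == "!":
            self.atom()
            self.code.append(("NOT",))
        elif tok == "(":
            self.expr()
            if self.take() != ")":
                raise SyntaxError("expected ')'")
        elif tok[0].isalpha() or tok[0] == "_":
            r1 = len(self.code)  # register id = index of the emitting instruction (unique)
            self.code.append(("READ_TREE", tok, r1))  # named-field lookup, not a byte offset
            if self.peek() in ("==", "!="):
                op, val = self.take(), self.take()
                val = int(val) if val.isdigit() else val  # toy typing; dfilter uses the ftype
                r2 = len(self.code)
                self.code.append(("PUT_FVALUE", val, r2))
                self.code.append(("ANY_EQ" if op == "==" else "ANY_NE", r1, r2))
        else:
            raise SyntaxError(f"unexpected {tok!r}")

def run(code, packet):
    regs, acc, pc = {}, False, 0
    while code[pc][0] != "RETURN":
        ins, op = code[pc], code[pc][0]
        if op == "READ_TREE":  # as in dfvm, the lookup also reports whether the field exists
            regs[ins[2]] = packet.get(ins[1])
            acc = regs[ins[2]] is not None
        elif op == "PUT_FVALUE":
            regs[ins[2]] = ins[1]
        elif op in ("ANY_EQ", "ANY_NE"):  # an absent field never compares true
            a, b = regs[ins[1]], regs[ins[2]]
            acc = a is not None and (a == b if op == "ANY_EQ" else a != b)
        elif op == "NOT":
            acc = not acc
        elif (op == "IF_FALSE_GOTO" and not acc) or (op == "IF_TRUE_GOTO" and acc):
            pc = ins[1]
            continue
        pc += 1
    return acc

def matches(text, packet):
    return run(Compiler(text).compile(), packet)
```

Compiling `ip.src == 10.0.0.1 && tcp` yields READ_TREE, PUT_FVALUE, ANY_EQ, IF_FALSE_GOTO, READ_TREE, RETURN, with the jump patched to skip the second lookup when the first comparison fails; `matches(..., PACKET)` then evaluates that code against the constructed tree. The real dfilter engine has a far richer type system, relation set and optimizer, so treat this only as a map of the moving parts described in the reply.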
Current thread:
- How does wireshark filter packets Wenfei Wu (Jan 29)
- Re: How does wireshark filter packets Guy Harris (Jan 29)
- Re: How does wireshark filter packets Guy Harris (Jan 29)
- Re: How does wireshark filter packets Jeff Morriss (Jan 29)
- Re: How does wireshark filter packets Guy Harris (Jan 29)
- Re: How does wireshark filter packets Guy Harris (Jan 29)