Wireshark mailing list archives

Re: How do display filters work internally?


From: "Maynard, Chris" <Christopher.Maynard () GTECH COM>
Date: Mon, 23 Jan 2012 12:14:11 -0500


-----Original Message-----
From: wireshark-dev-bounces () wireshark org [mailto:wireshark-dev-
bounces () wireshark org] On Behalf Of Joerg Mayer
Sent: Thursday, January 19, 2012 5:41 PM
To: wireshark-dev () wireshark org
Subject: [Wireshark-dev] How do display filters work internally?

Hello List,

I fail to understand how display filters work internally. I'm still
trying to get my generic ip.addr filter working, but I seem to lack
some understanding on how display filters work.

It looks like putting an "alien" protocol filter into the hf array will
work, as ip.version inside packet-ipv6.c shows: The field is shown and
filterable.
Putting the ip.addr field from packet-ip.c into all uses of ipv4
addresses (everything of type FT_IPv4) will show it, but it won't be
filterable (neither existence nor value).

Can someone please fill in some info on how display filtering works?

Thanks
   Joerg
--

I think the problem is that TRY_TO_FAKE_THIS_ITEM() has a return path such that the count for hf_ip_addr doesn't get 
incremented as it should.

Attached is a patch that works for proto_tree_add_ipv4().  I made no attempt to "prettify" the patch; it's just a quick 
hack to get it to work, so cleanup is needed and proto_tree_add_item() still needs attention, as does 
proto_tree_add_ipv4_format_value() and proto_tree_add_ipv4_format().  I did test this with an "ip.addr" filter and it 
matched IP addresses in the IP protocol, but also with some bootp traffic.

- Chris

-- 

Attachment: ip.addr.proto-v4.patch
Description: ip.addr.proto-v4.patch

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
