Wireshark mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Display filter alternative

From: Guy Harris <guy () alum mit edu>
Date: Thu, 5 Jul 2012 13:53:49 -0700

On Jul 5, 2012, at 2:38 AM, Lloyd wrote:


I am studying about packet filtering methods. Then I came across
NetBee library (combination of NetPDL+NetPFL+NetVM), by the developer
of Winpcap. I have not tried the libary yet, but the authors claim
that it is a very flexible, efficient and an extendable system (O.
Morandi, F. Risso, M. Baldi, A. Baldini, “Enabling Flexible Packet
Filtering Through Dynamic Code Generation”). I am interested in
comparing Wireshark's display filter against the Netbee system for
efficiency and extendability.

The have compared their system against BPF but not with wireshark's
display filter.


Wireshark's display filter is different from both BPF and NetBee.  BPF and NetBee both involve code that extracts 
fields from packets and does tests on them; Wireshark's display filter works on an already-parsed packet, so the 
extracting of fields from packets has already been done by the time the display filter works on it.

I.e., the Wireshark display filter is *NOT* a standalone mechanism; it relies on Wireshark dissectors existing and 
having been run on the packet.

(BTW, they should perhaps have tried doing their development on a platform that implements ntohs() and ntohl() as 
inlines; I think glibc+GCC does that, and it appears that MSVC++ in Visual Studio 2005 and later would allow that as 
well:

        http://msdn.microsoft.com/en-us/library/a3140177(v=vs.80).aspx

although whether Winsock or whatever provides ntohs() and ntohl() does so is another matter.  The ability to do 
byte-swapping of host-byte-order quantities inline is *not* an inherent advantage of other languages over C for 
generating packet-filtering code....)


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Previous By Date Next
Previous By Thread Next

Current thread: