Wireshark-bugs: [Wireshark-bugs] [Bug 2581] Filter Autocompletion

Date: Sat, 5 Jul 2008 03:04:58 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2581





--- Comment #8 from Bahaa Naamneh <b.naamneh@xxxxxxxxx>  2008-07-05 03:04:56 PDT ---
(In reply to comment #6)
> (In reply to comment #5)
> > (In reply to comment #4)
> > 

Hi Martin,

Please take a look at my new patch.

> 
> Yes, what I noticed was that when I typed in sip.auth.  I was offered all of
> the filters I'd hope for, but also one from the protocol before and (I think)
> some from after (but I couldn't swear to the after part and have reverted the
> old patch for now).
> 

Regarding this problem, I believe the source of the problem resides in the way
fields are associated with protocols. I did the following with my code:

1) When the user presses the first period, I take the prefix which is the
protocol name and pass it to proto_get_id_by_filter_name().
2) I loop through the fields of the protocol using
proto_get_first_protocol_field() and proto_get_next_protocol_field() using the
protocol id returned from step 1.

When you typed 'sip.' my code returned 'raw_sip.line', 'sip.msg_hdr',
'sip.Method', and so on. 
Yes you are right 'raw_sip.line' should not exist in the suggestions, but in
spite of that, it existed in the list because there were two protocols one
called 'sip' and the other 'raw_sip' and each FIELD is represented by
'header_field_info' structure which has a field called 'parent', which is the
id of the parent protocol of that FIELD.

In the specific case of 'raw_sip.line' field, the 'parent' was set to the id of
the protocol 'sip' and not of 'raw_sip', so my code returns all the fields
associated with the protocol 'sip' including the field 'raw_sip.line'.

My assumption was wrong regarding that each field should have a protocol prefix
as the protocol parent that is associated with it, so I changed my code now to
loop through all the fields of all of the protocols! It is still very quick
though.

Anyway, I think there should be standards and naming rules for the protocols
and the fields, and how fields are associated with their protocols.

By the way, have a look at Filter Expression dialog, there are many protocols
with no fields, and some of the protocols have the same problem as sip and
raw_sip.


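The lookup mismatch described in the message above, as an added example that is not part of the original post or Wireshark's code: the struct is a simplified stand-in for header_field_info, the protocol ids and the table are constructed, and `count_misnamed` is a hypothetical audit helper for the naming rule the message asks for.

```c
#include <stdio.h>
#include <string.h>
/* Simplified stand-in for header_field_info: only 'abbrev' and 'parent'. Ids are constructed. */
struct field { const char *abbrev; int parent; };
enum { PROTO_SIP = 1, PROTO_RAW_SIP = 2 };

static const struct field fields[] = {
    { "raw_sip.line", PROTO_SIP },  /* parent is 'sip', as the message describes */
    { "sip.msg_hdr",  PROTO_SIP },
    { "sip.Method",   PROTO_SIP },
};
#define N_FIELDS (sizeof fields / sizeof fields[0])

/* First approach: every field whose parent is the protocol typed before the period. */
static size_t complete_by_parent(int proto_id, const char **out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < N_FIELDS && n < max; i++)
        if (fields[i].parent == proto_id) out[n++] = fields[i].abbrev;
    return n;
}

/* Revised approach: scan all fields, keep those whose abbrev starts with the typed text. */
static size_t complete_by_prefix(const char *typed, const char **out, size_t max)
{
    size_t n = 0, len = strlen(typed);
    for (size_t i = 0; i < N_FIELDS && n < max; i++)
        if (strncmp(fields[i].abbrev, typed, len) == 0) out[n++] = fields[i].abbrev;
    return n;
}

/* Naming audit: fields registered under proto_id whose abbrev lacks the "<name>." prefix. */
static size_t count_misnamed(int proto_id, const char *name)
{
    size_t bad = 0, len = strlen(name);
    for (size_t i = 0; i < N_FIELDS; i++)
        if (fields[i].parent == proto_id &&
            (strncmp(fields[i].abbrev, name, len) != 0 || fields[i].abbrev[len] != '.'))
            bad++;
    return bad;
}

int main(void)
{
    const char *out[8];
    printf("%zu %zu %zu\n", complete_by_parent(PROTO_SIP, out, 8),
           complete_by_prefix("sip.", out, 8), count_misnamed(PROTO_SIP, "sip"));
    return 0;
}
```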