
Wireshark-bugs: [Wireshark-bugs] [Bug 2794] Questionable display filter fields

Date: Tue, 12 Apr 2011 19:31:32 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2794

Michael Mann <mmann78@xxxxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mmann78@xxxxxxxxxxxx

--- Comment #3 from Michael Mann <mmann78@xxxxxxxxxxxx> 2011-04-12 19:31:29 PDT ---
I wrote a Perl script (be gentle, it's my first) that looks for #1 and #2 from
comment #0 and compiled a new spreadsheet based on the results (run on SVN).
While 3-5 are difficult to quantify programmatically, many were exposed with the
script.  The script works best if both the "name" and "abbrev" members of the
header_field_info struct are quoted strings and not #defines (a few false
positives were reported due to #defines in the hf_register_info array).

Current stats:
16212 "questionable" display filters from 314 files

The spreadsheet contains all of the files and protocols found by the script. It
contains how many display filters were questionable within the protocol and
also contains a sampling of the "questionable" display filters.  Popular
categories for the "questionable" display filters include:
1. typos
2. swapping '-' for '_' between PROTOABBREV and the display filter name
3. company or some other prefix included in the PROTOABBREV, but not the
display filter name (ex: cisco, dcerpc)
4. Multiple protocols in a single file
5. Single protocol spread across multiple files (or subdissectors of a single
protocol)

For some of #2 and #3 in the list above, the PROTOABBREV would match the
display filter if the filename was renamed and the filter not changed.  

I'd like opinions on what to do with the list and how to proceed.  #1 is
self-explanatory, but #2 and #3 require file name changes, which really don't work
well as a contributed patch (but I can compile a list of just the ones that
fall in those categories).

I was also unclear on the official rules for when to use periods in a filter.
Once the PROTOABBREV is met and a period followed, there was a lot of
inconsistency as to when they were applied.  If this bug will drastically
change the display filters, might as well go all the way.
