
Wireshark-dev: Re: [Wireshark-dev] [Wireshark-commits] rev 20467: /trunk/ /trunk/epan/dfilter/:

From: "Luis Ontanon" <luis.ontanon@xxxxxxxxx>
Date: Thu, 18 Jan 2007 04:02:29 +0100
FYC

I added macros to the display filter engine.

At startup the df_macros in either userdir or (if not found) datadir
will be loaded (if there is one).
The GUI dialog is just a dummy allows you to see.

The format of the file is as follows; I believe they are self-explanatory:

-- example df_macros file
Macro_N4me: ip.addr == 1.2.3.4
tcp_ses: ((ip.addr == $1 && ip.addr == $2) && (tcp.port == $3 && tcp.port == $4))
server: 10.0.0.3
net10: 10.0.0.0/8
quoted: "$1"
quoted_in_quotes: "\\"$1\\""
nested: (${Macro_N4me} && ($1))

broken1: ${complete:second;
broken2: ;last}
complete: first;$1 $2 $3
--

The results are like these:

filter_str: ${tcp_ses:${server\};${net10\};80;12345}
resolved: ((ip.addr == 10.0.0.3 && ip.addr == 10.0.0.0/8) && (tcp.port == 80 && tcp.port == 12345))

filter_str: text contains ${quoted:# #}
resolved: text contains "# #"

filter_str: ${nested:udp.port==161}
resolved: (ip.addr == 1.2.3.4 && (udp.port==161))

filter_str: ${broken1};third${broken2}
not too resolved: ${complete:second;third;last}


--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan