
Wireshark-dev: [Wireshark-dev] Implementation of Morphing Display filters on the fly ....

From: "Purandhar Krishnamurthy" <purandhar.krishnamurthy@xxxxxxxxxxxxxxxxxxxx>
Date: Thu, 31 May 2007 13:54:50 -0400 (EDT)
Hello,

  I would like to create a conditional display filter.  When a filter
criterion is hit on one protocol I would like to change the display
filter so that it includes an OR'd reference to another protocol.


How can I update the Wireshark code to modify a display filter on the fly?

Problem Summary
===============

We are analysing packets for UMTS.

First we are filtering based on IMSI/Subscriber identity.

For example
Filter String - "radius._IMSI == 999999999998001"

While we analyse/dissect packets, we update the filter string with ip.addr
(Framed IP address, which we are getting in the Layer1 of Protocol as an
Attribute Value Pair)

Updated filter string on the fly is :

     "radius._IMSI == 999999999998001 || ip.addr == 10.166.104.151"

Then we get a list of packets sent and received by that subscriber.

Then we apply another filter to get information for a particular PDP context.

Filter String - "radius._IMSI == 999999999998001 || ip.addr == 10.166.104.151"

But we are not getting a filtered list of packets. We are again also getting
other packets for which the IP address doesn't match.

Can anybody assist us?

Thanks in advance,
Purandhar/Bhowmick
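
The procedure described in the message above, modelled as an added example (not the poster's code and not Wireshark code). It works on constructed packet records rather than a capture and calls no Wireshark API; the record keys `imsi` and `framed_ip` and all function names are hypothetical stand-ins for `radius._IMSI` and the Framed IP address AVP. It contrasts growing the filter during a single pass with learning the address first and then applying the finished filter to every packet.

```python
import ipaddress

# Constructed sample packets (not a real capture). "imsi" and "framed_ip" stand in
# for the post's radius._IMSI field and the RADIUS Framed IP address AVP.
PACKETS = [
    {"no": 1, "src": "10.166.104.151", "dst": "192.0.2.10"},  # subscriber data seen before RADIUS
    {"no": 2, "src": "10.0.0.1", "dst": "10.0.0.2",
     "imsi": "999999999998001", "framed_ip": "10.166.104.151"},
    {"no": 3, "src": "10.166.104.99", "dst": "192.0.2.10"},   # a different subscriber's address
    {"no": 4, "src": "192.0.2.10", "dst": "10.166.104.151"},
    {"no": 5, "src": "10.0.0.1", "dst": "10.0.0.2",
     "imsi": "999999999998002", "framed_ip": "10.166.104.99"},
]

def build_filter(imsi, ips):
    """Render the OR'd display filter string in the form shown in the post."""
    if not imsi.isdigit():
        raise ValueError("IMSI must be decimal digits")
    terms = [f"radius._IMSI == {imsi}"]
    terms += [f"ip.addr == {ipaddress.ip_address(ip)}" for ip in ips]  # rejects malformed IPs
    return " || ".join(terms)

def matches(pkt, imsi, ips):
    """Same semantics as the filter: IMSI match OR either address is a learned IP."""
    return pkt.get("imsi") == imsi or pkt["src"] in ips or pkt["dst"] in ips

def learn_ips(pkt, imsi, ips):
    """Record the framed IP of a RADIUS packet for this IMSI (order kept, no duplicates)."""
    if pkt.get("imsi") == imsi and pkt.get("framed_ip") and pkt["framed_ip"] not in ips:
        ips.append(pkt["framed_ip"])

def single_pass(packets, imsi):
    """Grow the filter while packets are examined; earlier packets are never revisited."""
    ips, hits = [], []
    for pkt in packets:
        learn_ips(pkt, imsi, ips)
        if matches(pkt, imsi, ips):
            hits.append(pkt["no"])
    return build_filter(imsi, ips), hits

def two_pass(packets, imsi):
    """Pass 1 learns every framed IP; pass 2 applies the finished filter to all packets."""
    ips = []
    for pkt in packets:
        learn_ips(pkt, imsi, ips)
    return build_filter(imsi, ips), [p["no"] for p in packets if matches(p, imsi, ips)]

if __name__ == "__main__":
    print(single_pass(PACKETS, "999999999998001"))
    print(two_pass(PACKETS, "999999999998001"))
```

Both functions produce the same filter string; only the two-pass version also selects packet 1, which preceded the RADIUS packet that revealed the address.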